Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been released! These contain the following important security fixes, and it is recommended that users upgrade as soon as possible:

CVE-2015-7576 Timing attack vulnerability in basic authentication in Action Controller
CVE-2016-0751 Possible Object Leak and Denial of Service attack in Action Pack
CVE-2015-7577 Nested attributes rejection proc bypass in Active Record
CVE-2016-0752 Possible Information Leak Vulnerability in Action View
CVE-2016-0753 Possible Input Validation Circumvention in Active Model
CVE-2015-7581 Object leak vulnerability for wildcard controller routes in Action Pack
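As an added example (not part of the bug report or of the Rails project), the following Ruby helper classifies an installed Rails version against the fixed releases named above, using Gem::Version so that prerelease ordering (5.0.0.beta1 is older than 5.0.0.beta1.1) is handled correctly. The 4.0 series is treated as unpatched, since no fixed 4.0.x release is listed; the sample version list at the bottom is constructed for illustration.

```ruby
require "rubygems" # provides Gem::Version

# Fixed releases from the announcement, keyed by release series.
FIXED_BY_SERIES = {
  "3.2" => Gem::Version.new("3.2.22.1"),
  "4.1" => Gem::Version.new("4.1.14.1"),
  "4.2" => Gem::Version.new("4.2.5.1"),
  "5.0" => Gem::Version.new("5.0.0.beta1.1"),
}.freeze

# Series with no upstream fix for these CVEs (assumption based on the thread: 4.0.x).
UNPATCHED_SERIES = ["4.0"].freeze

# "4.2.5.1" -> "4.2"; the series is the first two numeric segments.
def rails_series(version)
  version.segments.first(2).join(".")
end

# Returns one of :fixed, :vulnerable, :unpatched_series or :unknown_series.
def rails_status(version_string)
  version = Gem::Version.new(version_string)
  series = rails_series(version)
  return :unpatched_series if UNPATCHED_SERIES.include?(series)

  fixed = FIXED_BY_SERIES[series]
  return :unknown_series unless fixed # series not covered by the announcement

  version >= fixed ? :fixed : :vulnerable
end

# Given a list of version strings, return those that still need action
# (anything that is not at or above the fixed release for its series).
def versions_needing_action(version_strings)
  version_strings.reject { |v| rails_status(v) == :fixed }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of versions that might be present in a package tree.
  sample = %w[3.2.22 3.2.22.1 4.0.13 4.1.14.1 4.2.5 4.2.5.1 5.0.0.beta1 5.0.0.beta1.1]
  sample.each { |v| puts format("%-14s %s", v, rails_status(v)) }
  puts "needs action: #{versions_needing_action(sample).join(', ')}"
end
```

Gem::Version treats a trailing ".beta1" segment as a prerelease, so "5.0.0.beta1.1" compares greater than "5.0.0.beta1" but still less than "5.0.0", which is exactly the ordering the announcement relies on.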
Rails 3.2.22.1, 4.1.14.1, and 4.2.5.1 are now in the tree. Cleanup of vulnerable versions in a few days.
Rails 4.0.x is no longer maintained upstream and they also did not release patches for this version. It would be best to mask this version for removal, but unfortunately net-analyzer/metasploit still depends on this. cc'ing zerochaos to discuss what to do here.
Cleanup done for Rails 3.2, 4.1, and 4.2. Vulnerable and unpatched Rails 4.0 is still in the tree due to the metasploit dependency.
Maintainers: please feel free to close this bug once the 4.0 cleanup is complete. noglsa is required.
No vulnerable versions in tree.