Update your Rails NOW *Updated*

Published on: 09 Jan 2013
Tags: bugs, rails 2.3, rails 3.0, ruby on rails, security update

It seems that all Rails branches (2.3, 3.0, 3.1 and 3.2) have been updated to fix two severe security issues (first and second). Please refer to the Rails Weblog post for more information and take action ASAP to keep your Rails apps secure!

Insight on the bug causing this ‘emergency’: http://www.insinuator.net/2013/01/rails-yaml/

Things to take into account when updating:

Rails 3.0.x apps over Ruby 1.8.x:

Of course, always do this in your dev environment prior to updating your servers to make sure you’re not breaking anything.

  • Update rubygems to 1.8 (if needed) using gem update --system
  • Modify your Gemfile to specify the rails 3.0.19 version. Note: you might have to delete your local Gemfile.lock before updating it.
  • Run bundle.
  • You may need to update or specify the versions of some gems. For example, I found that I had the ``factory_girl_rails`` gem in my Gemfile, but its current version doesn't work with Ruby 1.8 anymore, so I had to specify the 1.7.0 version for this gem in order to keep everything working.
  • You might want to use the gem clean command to remove the old versions of rails (and other gems) once you've ensured that the app works after doing the previous steps. Beware, this might break dependencies; run bundler afterwards to attempt to fix them. Take extra care with your passenger gem, as you won't come across any problem with it until you're actually working on your servers.

Rails 2.x apps:

If you don’t have bundler, install rails gem version 2.3.15, and after that, update your app/config/environment.rb file to use rails 2.3.15.
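As an added example that is not part of the original post, here is a small Ruby script that reads a Gemfile.lock and reports whether the locked rails version is below the patched releases named above (2.3.15 and 3.0.19); it only knows the two branches this post gives versions for, and the lockfile fragments it uses are constructed.

```ruby
# Added example (not from the original post): check a Gemfile.lock for a Rails
# version older than the patched releases named in the post. Only the 2.3 and
# 3.0 branch minimums are known here; other branches are reported as unknown.
require 'rubygems'

# Minimum patched version per release branch, as stated in the post.
PATCHED = {
  '2.3' => Gem::Version.new('2.3.15'),
  '3.0' => Gem::Version.new('3.0.19'),
}.freeze

# Extract the resolved rails version from Gemfile.lock text. In the "specs:"
# section the gem itself is indented four spaces, e.g. "    rails (3.0.17)",
# while its dependencies are indented six, so they do not match.
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^\s{4}rails \((\d+\.\d+\.\d+(?:\.\w+)?)\)/)
  m && Gem::Version.new(m[1])
end

# Returns :patched, :vulnerable, :unknown_branch, or :no_rails.
def rails_status(lockfile_text)
  version = locked_rails_version(lockfile_text)
  return :no_rails unless version
  branch = version.segments.first(2).join('.')
  minimum = PATCHED[branch]
  return :unknown_branch unless minimum
  version >= minimum ? :patched : :vulnerable
end

# Constructed sample lockfile fragments, not taken from any real project.
OLD_LOCK = <<LOCK
GEM
  remote: http://rubygems.org/
  specs:
    rails (3.0.17)
      actionmailer (= 3.0.17)
LOCK

NEW_LOCK = OLD_LOCK.gsub('3.0.17', '3.0.19')

if __FILE__ == $0
  puts "old lockfile: #{rails_status(OLD_LOCK)}"   # vulnerable
  puts "new lockfile: #{rails_status(NEW_LOCK)}"   # patched
end
```

Run it against each app's Gemfile.lock before and after the bundle step to confirm the upgrade actually took effect.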

With this version of Rails I’ve come across this warning message when running Webrick or the Rails Console:

NOTE: Gem.source_index is deprecated, use Specification.
It will be removed on or after 2011-11-01.Gem.source_index called from
/Users/meh/.rvm/gems/ruby-1.8.7-p370@project/gems/rails-2.3.15/lib/rails/gem_dependency.rb:78.

It seems that you may solve this by updating your bundler gem (gem update bundler) to the latest version, but I found that I had to downgrade the rubygems version in that gemset to version 1.6.2 (gem update --system 1.6.2) to get rid of the message.