Two vulnerabilities fixed in Rails 2.3.4

Rails version 2.3.4 has been released to fix two vulnerabilities.

  • A timing weakness in the ClientCookieStore. Rails version 2.1.0 and all subsequent versions are affected. Detailed information can be found here.
  • And a XSS vulnerability in the way Rails handles Unicode. This affects all versions in the Rails 2 branch, but not applications running with Ruby 1.9.

Upgrade to version 2.3.4 now, or apply a patch (available on the pages linked above).