SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th)

A SQL injection flaw (CVE-2012-5664) in Ruby on Rails was announced last week (Jan 2), but I think we missed reporting on it (thanks to one of our readers for pointing it out). The releases that resolve it are 3.2.10, 3.1.9 and 3.0.18.



Because of the security profile of Ruby and Ruby on Rails (the largest Ruby project around is one you should be familiar with - Metasploit), any security issue in them should be taken seriously. However, the hype and hoopla suggesting that any site running RoR code is vulnerable is just that - hype. The vulnerability being discussed is very specific in nature: it applies where a request-controlled value reaches an Active Record dynamic finder (find_by_*) as a Hash rather than a plain string, so that the finder mistakes it for a query options hash and splices it into the generated SQL. Folks hear "SQL injection" and (mistakenly, as far as I can see) send it straight to the headline page.



A very complete explanation of the scenarios at issue is outlined here:

https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM

and here:

http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
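
To make the "very specific" nature concrete, here is an added example (my own stand-in, not Rails code and not taken from the posts linked above): a minimal model of an Active Record dynamic finder such as find_by_name, showing why a value that reaches it as a Hash instead of a String was treated as query options before 3.2.10, what the 3.2.10 fix changed, and the type check an application can apply on its own. The table name, column name, injected strings and the quoting helper are assumptions constructed for the demo; Rails' real option handling and SQL generation are more involved, and only the extraction logic the advisory concerns is modelled.

```ruby
# Added example: a stand-in for an Active Record dynamic finder, written for this
# diary. It is NOT Rails code. The table (users), column (name), the injected
# strings and the quoting helper are constructed for the demo; only the
# options-extraction logic that CVE-2012-5664 concerns is modelled.

TABLE = "users".freeze

# Before 3.2.10 (simplified): a trailing Hash argument was always pulled off as
# finder options, even when it was meant as the value for the one attribute.
def extract_options_pre_fix(args)
  args.last.is_a?(Hash) ? args.pop : {}
end

# From 3.2.10 (simplified): a trailing Hash is only treated as options when the
# caller passed more arguments than the finder has attributes, i.e. an explicit
# options hash after the values: find_by_name("alice", select: "id").
def extract_options_post_fix(attribute_names, args)
  if args.last.is_a?(Hash) && args.length > attribute_names.length
    args.pop
  else
    {}
  end
end

# Quote a scalar for a WHERE clause (stand-in for Active Record's quoting).
def sql_literal(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Build the SQL a finder such as find_by_name(value) would issue.
#   attribute_names: columns named in the finder, e.g. ["name"]
#   args:            arguments the caller passed
#   fixed:           false models the vulnerable extraction, true the patched one
def dynamic_finder(attribute_names, args, fixed:)
  args = args.dup
  options = if fixed
              extract_options_post_fix(attribute_names, args)
            else
              extract_options_pre_fix(args)
            end
  select = options[:select] || "*"            # :select was spliced in verbatim
  where = attribute_names.zip(args).map do |col, val|
    val.nil? ? "#{col} IS NULL" : "#{col} = #{sql_literal(val)}"
  end
  where << options[:conditions] if options[:conditions]   # raw SQL fragment
  "SELECT #{select} FROM #{TABLE} WHERE #{where.join(' AND ')} LIMIT 1"
end

def vulnerable_sql_for(value)
  dynamic_finder(["name"], [value], fixed: false)
end

def patched_sql_for(value)
  dynamic_finder(["name"], [value], fixed: true)
end

# Application-level guard that works on any Rails version: insist on a String
# before a request-derived value goes anywhere near a finder.
def scalar_param(value)
  raise ArgumentError, "expected String, got #{value.class}" unless value.is_a?(String)
  value
end

# True when the injected SELECT list made it into the generated SQL verbatim.
def injected?(sql, payload)
  sql.start_with?("SELECT #{payload} FROM")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal value, and what the finder sees when the
  # parameter arrives as a Hash instead of a String.
  payload = "* FROM users WHERE 1=1 --"
  hostile = { select: payload }

  puts vulnerable_sql_for("alice")
  puts vulnerable_sql_for(hostile)   # injected SELECT list; the rest is commented out
  puts patched_sql_for(hostile)      # the Hash is now just a quoted value
  begin
    scalar_param(hostile)
  rescue ArgumentError => e
    puts "guard: #{e.message}"
  end
end
```

Run it with plain ruby; no Rails install is needed. The point to take away is the one the linked posts make: the string "alice" is never at risk, only a non-string that an application let through to a finder is, so the practical audit is to find every find_by_* call fed from request, session or cookie data and confirm the value is coerced or checked before the call, independently of upgrading.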



Two additional issues, CVE-2013-0155 and CVE-2013-0156, are fixed in the follow-on releases listed in the update below (3.2.11, 3.1.10, 3.0.19 and 2.3.15), not in the Jan 2 releases above. CVE-2013-0156, unsafe YAML deserialization in the XML parameter parser, allows remote code execution and is the more serious of the two.

Update:

Thanks Ariel for pointing out that they've updated the original patch (just yesterday) with new RoR versions 3.2.11, 3.1.10, 3.0.19 and 2.3.15. All previous versions should be considered vulnerable. They're also ratcheting up the urgency in the language around this issue - perhaps there's a bit more of a problem here than originally thought?

You can follow the official release announcements at: http://weblog.rubyonrails.org/releases/

===============

Rob VandenBrink

Metafore


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
