Engine Yard Blog RSS Feed

If you are using Ruby on Rails 2.3.1 or 2.3.2, using http digest authentication and setting the username / password via hash, then you will be affected by this vulnerability. This vulnerability allows users to bypass http authentication without a valid password.

Please read the full posting on the Rails Security Group for more details and the appropriate workaround to implement in your code, until the official fix is available in the 2.3.3 release.

(Engine Yard customers have already been contacted via email about this vulnerability).


Tagged:

comments powered by Disqus