JSON gem vulnerability

A vulnerability affecting the json gem has been found. A detailed explanation can be found on the Rails security mailing list.

This is not an isolated Rails issue, as it affects a third-party library: it affects all users of the json gem. The gem might be pulled in only as a dependency of other libraries in use, so it may not appear in your Gemfile at all. You can check whether your application uses the json gem, and which version is installed, by running (the output lists every gem in the bundle, including transitive dependencies):

bundle show

We strongly urge all users of Padrino to upgrade their applications using:

bundle update json

to at least 1.7.7, 1.6.8 or 1.5.5, depending on which release series you are on.

Also, use JSON.parse rather than JSON.load on any input you do not fully trust; JSON.load is only appropriate when you really know what you are doing.
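As an added example (not code from the original advisory or from the json gem itself), the following Ruby snippet shows why the distinction matters. The json gem's "additions" feature lets a document carrying a "json_class" key name a class for the parser to instantiate; JSON.load has historically enabled create_additions by default, whereas JSON.parse has defaulted to create_additions: false since 1.7.7. The AppConfig class and the input document are constructed for the example; the options are spelled out explicitly so the behaviour does not depend on a particular json version's defaults.

```ruby
require 'json'

# Hypothetical application class, constructed for this example, that
# opts into the json gem's object-creation protocol by defining json_create.
class AppConfig
  attr_reader :name

  def initialize(name)
    @name = name
  end

  # Called by the parser when create_additions is on and the document
  # carries a "json_class" key naming this class.
  def self.json_create(hash)
    new(hash['name'])
  end
end

# Constructed, attacker-controlled input: the "json_class" key asks the
# parser to instantiate a class of the sender's choosing.
UNTRUSTED_DOC = '{"json_class":"AppConfig","name":"from the wire"}'

# Safe handling of untrusted input: create_additions is off, so the
# document becomes a plain Hash and "json_class" is just another string key.
def parse_untrusted(doc)
  JSON.parse(doc, create_additions: false)
end

# What JSON.load does with its default options: the parser looks the named
# class up and calls AppConfig.json_create with the decoded hash, so the
# sender decides which of your classes gets constructed.
def load_trusted(doc)
  JSON.parse(doc, create_additions: true)
end

if __FILE__ == $0
  p parse_untrusted(UNTRUSTED_DOC)  # a Hash
  p load_trusted(UNTRUSTED_DOC)     # an AppConfig instance
end
```

Any class that responds to json_create is reachable this way, including ones shipped by the gem or by other libraries in the bundle, which is why the page's advice is to keep additions off for anything that arrives over the network.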

Upgrade Rack immediately

All Rack users, including all Padrino users, should upgrade their Rack dependency as soon as possible. Multiple severe issues have been found, one of them a potential remote code execution. This is especially important if you are using Rack::Session::Cookie, which Padrino activates by default. See the Rack website for details.

To upgrade, use:

bundle update rack

and make sure that the version now installed is at least 1.5.2, 1.4.5, 1.3.10, 1.2.8 or 1.1.6 for its release series.
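As an added example covering both the json check above and this Rack check (not part of the original advisory, and not Padrino or Bundler code), here is a small Ruby script that reads a Gemfile.lock and compares the locked versions of json and rack against the minimum patched versions listed on this page. The sample lockfile is constructed for the example; the rule that a release series newer than every listed fix counts as patched is the script's own assumption, not a statement from the advisory.

```ruby
require 'rubygems' # Gem::Version gives correct version comparison (1.3.10 > 1.3.9)

# Minimum patched versions from the advisory, one per maintained series.
FIXED = {
  'json' => %w[1.7.7 1.6.8 1.5.5],
  'rack' => %w[1.5.2 1.4.5 1.3.10 1.2.8 1.1.6],
}.freeze

# Extract "name (version)" entries from Gemfile.lock text. Only the
# four-space-indented lines under "specs:" are resolved gems; the
# six-space lines beneath them list a gem's own dependencies and carry
# constraints rather than the installed version, so they are skipped.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([\d.]+)\)\s*\z/)
    versions[m[1]] = Gem::Version.new(m[2]) if m
  end
  versions
end

# True when `installed` is at or past the fix for its own major.minor
# series. A series newer than every listed fix is assumed patched.
def patched?(installed, fixed_list)
  fixed = fixed_list.map { |v| Gem::Version.new(v) }
  same_series = fixed.find { |f| f.segments[0, 2] == installed.segments[0, 2] }
  return installed >= same_series if same_series
  installed >= fixed.max
end

# Returns a hash of gem name => :ok, :vulnerable or :absent.
def audit(lockfile_text)
  locked = locked_versions(lockfile_text)
  FIXED.each_with_object({}) do |(name, list), report|
    v = locked[name]
    report[name] = if v.nil? then :absent
                   elsif patched?(v, list) then :ok
                   else :vulnerable
                   end
  end
end

# Constructed lockfile excerpt, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (1.7.6)
      rack (1.5.2)
      rack-protection (1.3.2)
        rack

  PLATFORMS
    ruby
LOCK

if __FILE__ == $0
  audit(SAMPLE_LOCK).each { |gem, status| puts "#{gem}: #{status}" }
end
```

Run it against your own lockfile with `audit(File.read('Gemfile.lock'))`; a gem reported as :absent is simply not in the bundle, while :vulnerable means `bundle update json` or `bundle update rack` is still needed.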
