A vulnerability affecting the json gem has been found. A detailed explanation can be found at the Rails security mailing list.
This is not an isolated Rails issue, as it affects a third-party library. It affects all users of the json gem. This gem might be pulled in as a dependency of other libraries in use. You can check whether your application uses the json gem by running:
We strongly urge all users of Padrino to upgrade their applications using:
bundle update json
to at least: 1.7.7, 1.6.8, 1.5.5.
Also, never use JSON.parse, except when you really know what you are doing.
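The caution about JSON.parse comes down to one parser option. The json gem can be told to turn a hash carrying a "json_class" key into an instance of the named Ruby class (the create_additions option), which means a document from the network decides which classes get constructed. The added example below is not part of the Padrino advisory; the Point class and the input document are constructed for illustration. It shows the same document parsed as plain data with create_additions: false, which is what any code handling untrusted input should do, and parsed with additions enabled, which only makes sense for documents you produced yourself.

```ruby
require "json"

# A harmless class that implements the hook the json gem calls when
# create_additions is enabled. Constructed for this example.
class Point
  attr_reader :x, :y

  def initialize(x, y)
    @x = x
    @y = y
  end

  # The parser calls this with the decoded hash when it sees
  # {"json_class": "Point", ...} and additions are switched on.
  def self.json_create(hash)
    new(hash["x"], hash["y"])
  end
end

# Constructed sample input: a document that names a Ruby class in the
# json_class key, as a remote client could.
UNTRUSTED = '{"json_class":"Point","x":1,"y":2}'

# Safe default for anything that did not originate in your own process:
# the document is decoded into Hash/Array/String/Numeric values only, and
# "json_class" is just another string key.
def parse_as_data(source)
  JSON.parse(source, create_additions: false)
end

# Only for documents you serialized yourself: the parser resolves the class
# named by json_class and calls its json_create hook with the hash.
def parse_with_additions(source)
  JSON.parse(source, create_additions: true)
end

if __FILE__ == $0
  puts parse_as_data(UNTRUSTED).inspect        # plain Hash
  puts parse_with_additions(UNTRUSTED).inspect # Point instance
end
```

Passing create_additions: false explicitly, rather than relying on whatever the installed json version defaults to, is what makes the call safe across the versions listed in this advisory and the older ones still found in lock files.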
All Rack users, including all Padrino users, should upgrade their Rack dependency as soon as possible. Multiple severe issues have been found, one of them including a potential remote code execution. This is especially important if you are using Rack::Session::Cookie, which Padrino activates by default. See the Rack website for details.
To upgrade, use:
bundle update rack
And make sure that you have installed one of these versions: 1.5.2, 1.4.5, 1.3.10, 1.2.8, 1.1.6.
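Because both gems are usually pulled in transitively, the quickest way to confirm an application is clear of both advisories is to read its Gemfile.lock rather than the Gemfile. The added example below is not part of the Padrino advisory or the project's own tooling; it parses the specs section of a lock file, works out which x.y series each of json and rack is on, and compares the locked version against the patched release of that series as listed above (1.7.7, 1.6.8, 1.5.5 for json; 1.5.2, 1.4.5, 1.3.10, 1.2.8, 1.1.6 for rack). The lock file text is constructed; pass File.read("Gemfile.lock") to check_lockfile for a real application.

```ruby
# Lowest patched release per x.y series, taken from the advisory above.
PATCHED = {
  "json" => %w[1.7.7 1.6.8 1.5.5],
  "rack" => %w[1.5.2 1.4.5 1.3.10 1.2.8 1.1.6],
}.freeze

# Pull "name (version)" entries out of the specs section of a Gemfile.lock.
# Gems are indented by exactly four spaces; deeper lines are a gem's own
# dependencies and carry constraints ("rack (>= 1.4.0)"), not versions.
# Returns a hash such as { "json" => "1.7.6" }.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    next unless line =~ /\A {4}(\S+) \(([\d.]+)[^)]*\)/
    versions[$1] = $2
  end
  versions
end

# True when the installed version is at or above the patched release of its
# own x.y series. A series the advisory lists no fix for (for example a
# rack 1.0.x) is reported as unpatched so that an operator has to look at it.
def patched?(gem_name, version)
  installed = Gem::Version.new(version)
  series = installed.segments.first(2)
  fixed = PATCHED.fetch(gem_name).find do |v|
    Gem::Version.new(v).segments.first(2) == series
  end
  return false if fixed.nil?
  installed >= Gem::Version.new(fixed)
end

# Status of every gem the advisory covers, for example
# { "json" => [:vulnerable, "1.7.6"], "rack" => [:ok, "1.5.2"] }.
def check_lockfile(lockfile_text)
  versions = locked_versions(lockfile_text)
  PATCHED.keys.each_with_object({}) do |name, report|
    version = versions[name]
    report[name] =
      if version.nil?
        [:not_present, nil]
      elsif patched?(name, version)
        [:ok, version]
      else
        [:vulnerable, version]
      end
  end
end

# Constructed sample lock file: json is one release behind, rack is patched.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (1.7.6)
      padrino-core (0.11.0)
        rack (>= 1.4.0)
      rack (1.5.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    padrino
LOCK

if __FILE__ == $0
  check_lockfile(SAMPLE_LOCK).each do |name, (status, version)|
    puts "#{name}: #{status} (#{version || 'not in lock file'})"
  end
end
```

Comparing within the gem's own minor series matters here because the fixes were backported: a 1.6.8 json is patched even though 1.7.7 is higher, while a 1.7.6 is not, and bundle update json will move the application to the patched release of whichever series its other constraints allow.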