The Rails developers have released Ruby on Rails 3.0.20 and 2.3.16 which contain one, and only one, "extremely critical security fix". The problem only affects Rails 3.0.x and 2.3.x with Rails 3.1.x and 3.2.x not affected. Users of the 2.3 and 3.0 branches are advised to update as soon as possible, or to apply patches if they cannot upgrade. If they cannot do that either, a workaround of setting
ActiveSupport::JSON.backend = "JSONGem"
in the application's initialisation code will, at least, prevent the vulnerable code from being called.
The problem is related to the flaw discovered earlier this month where the XML formatted parameters could include YAML serialised data which, when deserialised, would create live objects within the server which could be used to exploit it. The exploit went wild quickly and a number of servers were compromised.
Continued : http://www.h-online.com/security/news/item/Rails-developers-close-another-extremely-critical-flaw-1793511.html
Also: Some Versions of Ruby on Rails Vulnerable to New Parsing Attack
See Vulnerabilities & Fixes: Ruby on Rails JSON Parser YAML Handling Vulnerability
CNET bought a house!
Take a look inside the house where we will be testing connected locks, thermostats and other smart home products so we can tell a complete story.