The Ruby on Rails developers have issued patches for two SQL injection flaws.
According to Akamai, the two vulnerabilities affect Rails applications that use PostgreSQL as a database system. The Rails developers released versions 3.2.19, 4.0.7 and 4.1.3 of the framework, and advised users to upgrade as soon as possible. Hours later they released versions 4.0.8 and 4.1.4 to fix a regression caused by the 4.0.7 and 4.1.3 updates. One of the two SQL injection vulnerabilities affects applications running on Rails 2.0.0 to 3.2.18 that also use the PostgreSQL database system and query bit string data types. The second vulnerability affects applications running on Rails 4.0.0 to 4.1.2 when using PostgreSQL and querying range data types.
Despite affecting different versions, the two flaws are related and both allow attackers to inject arbitrary SQL code into queries using specially crafted values.
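As an added example (not from the article or the Rails project), the Ruby script below turns the version ranges given above into a triage check against a Gemfile.lock. The lockfile snippet is constructed, the regex assumes the standard four-space `rails (x.y.z)` spec line, and the result is only a version screen: the flaws apply to applications that use PostgreSQL and query the named types.

```ruby
require "rubygems" # Gem::Version ships with RubyGems, so no extra gem is needed

# Affected ranges from the advisory summary. The 4.0.x and 4.1.x ranges are
# split so each maps to the patch release that closed it.
AFFECTED = [
  { range: ["2.0.0", "3.2.18"], types: "bit string", upgrade_to: "3.2.19" },
  { range: ["4.0.0", "4.0.6"],  types: "range",      upgrade_to: "4.0.7"  },
  { range: ["4.1.0", "4.1.2"],  types: "range",      upgrade_to: "4.1.3"  },
].freeze

# 4.0.7 and 4.1.3 close the flaws but carry a regression fixed hours later.
REGRESSION = { "4.0.7" => "4.0.8", "4.1.3" => "4.1.4" }.freeze

# Classify one Rails version string: vulnerable (and to which data type),
# patched-but-regressed, or clean. Gem::Version handles prerelease suffixes.
def rails_status(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED.each do |entry|
    lo, hi = entry[:range].map { |s| Gem::Version.new(s) }
    next unless v.between?(lo, hi)
    return { vulnerable: true, types: entry[:types], upgrade_to: entry[:upgrade_to] }
  end
  regressed = REGRESSION.find { |from, _| Gem::Version.new(from) == v }
  if regressed
    return { vulnerable: false, regression: true, upgrade_to: regressed[1] }
  end
  { vulnerable: false, regression: false, upgrade_to: nil }
end

# Pull the resolved rails version out of a Gemfile.lock. Assumption: the
# top-level spec line is indented four spaces and holds an exact version,
# unlike the six-space dependency lines that may carry constraints.
def rails_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}rails \((\d[^)]*)\)$/)
  m && m[1]
end

# Constructed lockfile fragment for demonstration.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      pg (0.17.1)
      rails (4.1.2)
        actionpack (= 4.1.2)
        activerecord (= 4.1.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  ver = rails_version_from_lockfile(SAMPLE_LOCK)
  puts "rails #{ver}: #{rails_status(ver).inspect}"
end
```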