Suzie Prince
posted this on Feb 01 10:24
Hi all,
Following the announcement of a security vulnerability related to Rails' default XML parsing, it was discovered that similar exploits are present in Rails' default JSON parsing*. Mingle uses Rails as its web application framework. Given the potential impact of this vulnerability we have made a priority release available. Download this release now (Mingle Server 12.4.2 Windows, Mingle Server 12.4.2 Linux, Mingle Server 12.4.2 Mac OSX).
We recommend upgrading your version of Mingle immediately. If an immediate upgrade is not possible and your instance is available on the public internet, we recommend that you disable public access until your instance has been upgraded.
If you use a Mingle instance that is hosted by ThoughtWorks we will apply the fix for you immediately. No further action is needed on your part.
If you have any questions about the security issue or upgrading please contact Customer Support on our website: http://www.thoughtworks-studios.com/support.
Thank you
- Mingle Team
* Vulnerability Note VU#628463: Ruby on Rails 3.0 and 2.3 JSON Parser vulnerability (http://www.kb.cert.org/vuls/id/628463)
Comments (latest first)
Hi Donal,
Yes, you are correct. 13.2 includes this and other fixes. Check out our post on the latest Rails vulnerability issues affecting Mingle.
And great to hear you're upgrading so quickly! We'd love to know how the new editor works for you.
Cheers,
Melissa
We are currently on 13.1.1 and plan to upgrade to 13.2 tomorrow. I'm assuming that these security fixes are in these later versions. Is this correct?
Hi everyone,
To keep up to date on related issues, check out our post on the Latest Rails Vulnerability Issues Affecting Mingle.
Thanks,
Melissa
Hi Alex,
Yes, everyone on any version of Mingle will need to upgrade. You can find upgrade instructions in our help and can contact our support team for assistance.
Thanks
- Suzie
We are running Mingle 3.5.1. Do we still need the patch?