I got an email today from Heroku telling me to update an old trial Rails app on 3.0.x because of a security update. My understanding of the vulnerability is that, because the JSON parser converts its input to YAML and then runs it through the YAML parser, a malicious user can bypass authentication systems and perform SQL actions, which is bad for a variety of reasons. The Rails community got onto this quickly after it was reported and a patch has been released; if you’re running 3.0.x or anything below that you’ll want to update to 3.0.20 or 2.3.16, and a simple `gem install rails -v 3.0.20` should suffice. Certain gems have protected users: if you’ve got an application with the YAJL gem installed then you should be safe, however it is still best to update.
The Rails blog also reports that this will be the last update for 3.0 and that it will no longer receive security fixes, so if possible I’d recommend updating your app as soon as you can. If you’re unable to update quickly you may be interested in patching your JSON parser (instructions on the mailing list below).
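A quick way to tell whether a checked-out app is on a version the post says is patched, as an added example that is not part of the original post: a small Ruby script that reads the Rails version out of a Gemfile.lock, compares it against the 3.0.20 / 2.3.16 minimums named above, and reports separately whether the yajl-ruby gem is in the bundle. The sample lockfile, the function names and the assumption that the app is Bundler-managed and on the 2.3 or 3.0 series are all constructed for this illustration.

```ruby
# Checks whether a Gemfile.lock pins a Rails version still exposed to the
# JSON/YAML parser issue discussed above. The patched minimums are the ones
# the post names (3.0.20 and 2.3.16). Script and sample lockfile are
# constructed for illustration; they are not from the post or from Rails.
require 'rubygems'

PATCHED = {
  '2.3' => Gem::Version.new('2.3.16'),
  '3.0' => Gem::Version.new('3.0.20'),
}.freeze

# Pull the "rails (x.y.z)" entry out of the specs section of a lockfile
# (four-space indent). Returns the version string, or nil if not present.
def rails_version_from_lock(lock_text)
  m = lock_text.match(/^\s{4}rails \(([^)]+)\)/)
  m && m[1]
end

# The post notes apps with the YAJL gem installed were not exposed, so
# report its presence separately rather than folding it into the verdict.
def yajl_present?(lock_text)
  !!(lock_text =~ /^\s{4}yajl-ruby \(/)
end

# Classify a version: :patched, :vulnerable, or :not_covered when the
# series is outside the 2.3/3.0 lines the post talks about.
def assess(version_str)
  v = Gem::Version.new(version_str)
  series = v.segments[0, 2].join('.')
  min = PATCHED[series]
  return :not_covered unless min
  v >= min ? :patched : :vulnerable
end

# Constructed sample lockfile: an app one release behind the fix.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.0.19)
      yajl-ruby (1.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.0.19)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = rails_version_from_lock(SAMPLE_LOCK)
  puts "rails #{v}: #{assess(v)} (yajl-ruby present: #{yajl_present?(SAMPLE_LOCK)})"
end
```

Point the script at a real lockfile by replacing `SAMPLE_LOCK` with `File.read('Gemfile.lock')`; `Gem::Version` handles the comparison so that 3.0.20 sorts above 3.0.19 and prerelease tags are ordered correctly.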