An SQL injection vulnerability in the quote_table_name method could allow malicious users to inject arbitrary SQL into a query [1]. This is corrected in upstream 3.0.10, 2.3.13, and 3.1.0rc5 versions. Patches are available in the advisory [1] and in git [2].

[1] http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
[2] https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85
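The following is an added illustration of the bug class described above (an identifier quoter that lets attacker-controlled text break out of the quoted name); it is not ActiveRecord's own quote_table_name, nor the upstream patch, which are in [1] and [2]. The MySQL-style backtick delimiters, the helper names and the hostile table name are all constructed for the example.

```ruby
# Added illustration (not ActiveRecord's code): why an identifier quoter must
# escape its own delimiter. A table name that reaches the quoter from user
# input must come out as one quoted identifier, never as extra SQL.

# Naive quoter (hypothetical): wraps the name in backticks but does not escape
# backticks that occur inside the name.
def naive_quote_table_name(name)
  "`#{name}`"
end

# Hardened quoter (hypothetical, MySQL-style delimiters): every backtick inside
# the name is doubled, and a schema-qualified "db.table" name is quoted per
# segment so the dot stays a separator instead of becoming part of the name.
def safe_quote_table_name(name)
  name.to_s.split('.', -1).map { |segment| "`#{segment.gsub('`', '``')}`" }.join('.')
end

# Check: a properly quoted identifier, with doubled (escaped) delimiters
# removed, contains no backtick other than the ones that open and close
# each dotted segment.
def single_identifier?(quoted)
  quoted.split('.').all? do |seg|
    seg.start_with?('`') && seg.end_with?('`') &&
      !seg[1...-1].gsub('``', '').include?('`')
  end
end

# Constructed sample input: an attacker-controlled "table name" that closes the
# identifier early and appends a comment marker, so anything after it is live SQL
# in the naive case and the real closing backtick ends up commented out.
HOSTILE_NAME = "users` WHERE 1=1 -- "

if __FILE__ == $0
  puts naive_quote_table_name(HOSTILE_NAME)   # `users` WHERE 1=1 -- `  (injected text escapes the identifier)
  puts safe_quote_table_name(HOSTILE_NAME)    # `users`` WHERE 1=1 -- ` (whole string stays one identifier)
  puts safe_quote_table_name("app.users")     # `app`.`users`
  puts single_identifier?(naive_quote_table_name(HOSTILE_NAME))  # false
  puts single_identifier?(safe_quote_table_name(HOSTILE_NAME))   # true
end
```

The check is the property a reviewer would want from any quote_table_name change: feed it names containing the delimiter character and confirm the output parses as exactly one (possibly dotted) identifier, because the quoter is called from query builders that never re-validate its result.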
This flaw is in rubygem-activerecord, not rubygem-rails.
Created rubygem-activerecord tracking bugs for this issue
Affects: fedora-all [bug 731452]
Affects: epel-5 [bug 731453]
This issue has been assigned the name CVE-2011-2930: http://www.openwall.com/lists/oss-security/2011/08/19/11