Spree Commerce

Important Security Updates (Oct. 2011)

Posted on October 24, 2011 by Sean Schofield

Over the past several weeks there have been several important security updates to Rails as well as Spree. The most recent Spree security announcement describes a critical vulnerability that affects all but the very latest versions of Spree. All affected users are advised to upgrade immediately.

We have also implemented a new mechanism to inform Spree developers and store owners of potential security threats before they are announced on the mailing list. We have created an alerts feature that will perform an automated check against your version of Rails and Spree and inform you of any potential security problems. We believe this feature is so important that we’ve gone back and implemented it for previous versions of Spree as well.

Please consult the following list of scenarios to find out what the recommendations are for your particular version of Spree.

Edge/Master

No action required.

0.70.1

No action required.

0.70.0

It is recommended that you update to 0.70.1. There are no known vulnerabilities in 0.70.0, but version 0.70.1 contains the new security alert mechanism to keep you informed of issues in the future.

0.60.3

It is recommended that you update to 0.60.4. There are no security issues with Spree itself, but this version of Spree uses a version of Rails that is considered to be insecure. By updating this version of Spree you will move to the more secure Rails 3.0.10.

0.60.0 – 0.60.2

It is recommended that you update to 0.60.4. These versions of Spree have a critical vulnerability and they are also using insecure versions of Rails.

0.50.0 – 0.50.3

It is recommended that you update to 0.50.4 at a minimum. This will address a critical vulnerability in Spree but will still leave possible issues with the version of Rails. You should consider updating to Spree 0.60.4 which will also address the Rails security issues by updating you to Rails 3.0.10.

0.40.0 – 0.40.3

It is recommended that you update to 0.40.4 at a minimum. This will address a critical vulnerability in Spree but will still leave possible issues with the version of Rails. You should consider updating to Spree 0.60.4 which will also address the Rails security issues by updating you to Rails 3.0.10.

0.30.0 – 0.30.1

It is recommended that you update to 0.30.2 at a minimum. This will address a critical vulnerability in Spree but will still leave possible issues with the version of Rails. You should consider updating to Spree 0.60.4 which will also address the Rails security issues by updating you to Rails 3.0.10.

0.11.0 – 0.11.2

It is recommended that you update to 0.11.3. This will address a critical vulnerability in Spree and will also address issues with older versions of Rails that contain security problems. After upgrading you will be moved to the more secure Rails 2.3.14.

Versions prior to 0.11.0

It is recommended that you update to 0.11.3.
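The alert mechanism described above performs an automated check of the installed Spree and Rails versions. The following is an added example, not Spree's own alerts code: it encodes the scenario list from this post as version ranges (using RubyGems' Gem::Version and Gem::Requirement) and reports what a given Spree/Rails pair should do. The Rails check treats releases older than 3.0.10 in the 3.0 series and older than 2.3.14 in the 2.3 series as insecure; that inference from the post's named targets is an assumption of this example, and other Rails series are reported as unknown rather than guessed.

```ruby
# Added example, not Spree's own alerts feature: a minimal automated
# version check that encodes the recommendations of this post and says
# what a given installed Spree/Rails pair should do.
require 'rubygems' # Gem::Version / Gem::Requirement (loaded by default on modern Ruby)

# Advisory table transcribed from the post above.
#   range:      affected Spree versions, as Gem::Requirement clauses
#   minimum:    smallest release the post says to move to
#   spree_vuln: the post calls these releases critically vulnerable in Spree itself
#   rails_ok:   moving to :minimum also moves you onto a Rails release the post
#               considers secure (false where the post says Rails issues remain)
SPREE_ADVISORIES = [
  { range: ['< 0.11.0'],              minimum: '0.11.3', spree_vuln: true,  rails_ok: true,
    reason: 'critical vulnerability in Spree' },
  { range: ['>= 0.11.0', '< 0.11.3'], minimum: '0.11.3', spree_vuln: true,  rails_ok: true,
    reason: 'critical vulnerability in Spree' },
  { range: ['>= 0.30.0', '< 0.30.2'], minimum: '0.30.2', spree_vuln: true,  rails_ok: false,
    reason: 'critical vulnerability in Spree' },
  { range: ['>= 0.40.0', '< 0.40.4'], minimum: '0.40.4', spree_vuln: true,  rails_ok: false,
    reason: 'critical vulnerability in Spree' },
  { range: ['>= 0.50.0', '< 0.50.4'], minimum: '0.50.4', spree_vuln: true,  rails_ok: false,
    reason: 'critical vulnerability in Spree' },
  { range: ['>= 0.60.0', '< 0.60.3'], minimum: '0.60.4', spree_vuln: true,  rails_ok: true,
    reason: 'critical vulnerability in Spree and insecure bundled Rails' },
  { range: ['= 0.60.3'],              minimum: '0.60.4', spree_vuln: false, rails_ok: true,
    reason: 'insecure bundled Rails' },
  { range: ['= 0.70.0'],              minimum: '0.70.1', spree_vuln: false, rails_ok: true,
    reason: 'no known vulnerability; 0.70.1 adds the security alert mechanism' }
].freeze

# Secure Rails releases named in the post. Treating older releases in the
# same series as insecure is an assumption made for this example; other
# series are reported as unknown rather than guessed.
RAILS_SECURE = { '3.0' => '3.0.10', '2.3' => '2.3.14' }.freeze

def rails_series(version)
  Gem::Version.new(version).segments[0, 2].join('.')
end

def rails_status(version)
  target = RAILS_SECURE[rails_series(version)]
  return :unknown_series unless target
  Gem::Version.new(version) < Gem::Version.new(target) ? :insecure : :secure
end

def spree_advisory(version)
  v = Gem::Version.new(version)
  SPREE_ADVISORIES.find { |a| Gem::Requirement.new(*a[:range]).satisfied_by?(v) }
end

# Returns a hash describing the situation and the actions the post recommends.
def check(spree_version, rails_version)
  advisory = spree_advisory(spree_version)
  rails    = rails_status(rails_version)
  result = {
    spree_vulnerable: advisory ? advisory[:spree_vuln] : false,
    minimum_spree:    advisory && advisory[:minimum],
    rails_insecure:   rails == :insecure,
    actions:          []
  }
  if advisory
    result[:actions] << "update Spree to #{advisory[:minimum]} at a minimum (#{advisory[:reason]})"
    if result[:rails_insecure] && !advisory[:rails_ok]
      result[:actions] << 'consider Spree 0.60.4, which also moves you to Rails 3.0.10'
    end
  elsif result[:rails_insecure]
    result[:actions] << "update Rails to #{RAILS_SECURE[rails_series(rails_version)]}"
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample installations, not real stores.
  [['0.60.1', '3.0.9'], ['0.40.2', '3.0.9'], ['0.70.1', '3.0.10']].each do |spree, rails|
    r = check(spree, rails)
    puts "Spree #{spree} / Rails #{rails}: #{r[:actions].empty? ? 'no action required' : r[:actions].join('; ')}"
  end
end
```

Versions the post does not list (for example 0.30.2 and later in the 0.30 series) get no Spree advisory, so only the Rails check can raise an action for them; a real alert check would fetch its advisory table from a maintained source rather than hard-coding it as done here.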