Ruby on Rails is a model-view-controller (MVC) framework for web
application development. Active Record implements object-relational mapping
for accessing database entries using objects.

It was discovered that Active Record did not properly quote values of the
bitstring type attributes when using the PostgreSQL database adapter.
A remote attacker could possibly use this flaw to conduct an SQL injection
attack against applications using Active Record. (CVE-2014-3482)

Red Hat would like to thank the Ruby on Rails project for reporting this
issue. Upstream acknowledges Sean Griffin of thoughtbot as the original
reporter.

All ruby193-rubygem-activerecord users are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
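
The following is an added example, not code from Active Record or from this advisory: a sketch of strict quoting for PostgreSQL bit-string literals (B'...' and X'...'), the kind of value the flaw above concerns. The names `quote_bit_string` and `line_anchored_accepts?` are hypothetical and the sample inputs are constructed. It validates with `\A` and `\z` because Ruby's `^` and `$` anchor at every line, so a line-anchored check can accept a multi-line string.

```ruby
# Added illustration; not Active Record's code. All names are hypothetical.

# Whole-string anchors: \A is start of string, \z is the true end of string
# (unlike \Z, \z does not tolerate a trailing newline).
BIT_DIGITS = /\A[01]*\z/
HEX_DIGITS = /\A[0-9A-Fa-f]+\z/

# Loose pattern kept only for comparison: in Ruby, ^ and $ match at the
# start and end of ANY line inside the string, not of the string itself.
LINE_ANCHORED_BITS = /^[01]*$/

# Return a PostgreSQL bit-string literal for +value+, or raise if the value
# contains anything other than binary or hexadecimal digits.
def quote_bit_string(value)
  raise ArgumentError, "bit string must be a String" unless value.is_a?(String)

  case value
  when BIT_DIGITS then "B'#{value}'"   # binary notation
  when HEX_DIGITS then "X'#{value}'"   # hexadecimal notation
  else
    raise ArgumentError, "not a bit-string literal: #{value.inspect}"
  end
end

# True when the loose, line-anchored pattern would let +value+ through.
def line_anchored_accepts?(value)
  value.match?(LINE_ANCHORED_BITS)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  ["0101", "1F", "0101\nnot-bits", "0101\n"].each do |sample|
    strict = begin
      quote_bit_string(sample)
    rescue ArgumentError => e
      "rejected (#{e.message})"
    end
    puts "#{sample.inspect}: loose=#{line_anchored_accepts?(sample)} strict=#{strict}"
  end
end
```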