Hi everybody. I’d like to announce that Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 have been released with a security patch. Upgrade immediately unless you are using PostgreSQL or SQLite3. Users of all other databases (including NoSQL ones) require immediate upgrade. Using a specially crafted request, an attacker could trick the database type conversion code to … »

Note: Devise 1.1.6 broke compatibility with Rails versions prior to 3.0.4, this has been fixed on Devise 1.1.7. Devise 1.1.6 has just been released and it follows Rails 3.0.4 release. Rails 3.0.4 changes how CSRF works and adds a new method called handle_unverified_request that should be properly overridden by authentication frameworks. Devise 1.1.6 implements this … »

There is a vulnerability in Devise source code that allows someone to steal your session through session fixation attacks. Who is affected? This vulnerability is present in all Devise versions, in both 1.0 and 1.1 branches. However, you are only affected if you are using a Active Record ou Memcached or other server persistent session … »