Ruby on Rails security updates address SQL injection flaw