Update rails due to security vulnerabilities #319

CaraHill · 2020-05-20T02:43:17Z

This update fixes the following security vulnerabilities:
Name: actionpack
Version: 6.0.2.2
Advisory: CVE-2020-8166
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 6.0.2.2
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 6.0.2.2
Advisory: CVE-2020-8167
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: activestorage
Version: 6.0.2.2
Advisory: CVE-2020-8162
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
Title: Circumvention of file size limits in ActiveStorage
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: activesupport
Version: 6.0.2.2
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Update rails due to security vulnerabilities

7d6f6cc

CaraHill requested review from G-Rath and JacobBriggsAckama May 20, 2020 02:43

JacobBriggsAckama approved these changes May 20, 2020

View reviewed changes

CaraHill merged commit cf31d39 into master May 20, 2020

CaraHill deleted the security-updates-CVE-2020-8162-CVE-2020-8164-CVE-2020-8165-CVE-2020-8166-CVE-2020-8167 branch May 20, 2020 21:56

G-Rath mentioned this pull request May 21, 2020

Master -> production #320

Merged

Provide feedback