This repository was archived by the owner on May 29, 2024. It is now read-only.
Fff bump ruby and rails #90
Merged
Why: So it's on the same version as everything else
CVE-2021-22880 (high severity)
- Vulnerable versions: >= 6.0.0, <= 6.0.3.4
- Patched version: 6.0.3.5
- The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

GHSA-cfjv-5498-mph5 (moderate severity)
- Vulnerable versions: >= 6.0.0.0, <= 6.0.3.2
- Patched version: 6.0.3.3
- There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks.

CVE-2020-8167 (moderate severity)
- Vulnerable versions: >= 6.0.0, <= 6.0.3
- Patched version: 6.0.3.1
- There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains.
- Versions Affected: rails <= 6.0.3
- Not affected: Applications which don't use rails-ujs.
- Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

CVE-2020-8162 (low severity)
- Vulnerable versions: >= 6.0.0, <= 6.0.3
- Patched version: 6.0.3.1
- There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user.
- Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1
- Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
- Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

CVE-2020-8165 (high severity)
- Vulnerable versions: >= 6.0.0, <= 6.0.3
- Patched version: 6.0.3.1
- In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the raw: true parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like: `data = cache.fetch("demo", raw: true) { untrusted_string }`
- Versions Affected: rails < 5.2.5, rails < 6.0.4
- Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
- Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

CVE-2020-8264 (moderate severity)
- Vulnerable versions: >= 6.0.0, <= 6.0.3.3
- Patched version: 6.0.3.4
- In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

CVE-2021-22881 (moderate severity)
- Vulnerable versions: >= 6.0.0, <= 6.0.3.4
- Patched version: 6.0.3.5
- The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

CVE-2020-8185 (low severity)
- Vulnerable versions: >= 6.0.0, <= 6.0.3.1
- Patched version: 6.0.3.2
- There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. This vulnerability has been assigned the CVE identifier CVE-2020-8185.
- Versions Affected: 6.0.0 < rails < 6.0.3.2
- Not affected: Applications with config.action_dispatch.show_exceptions = false (this is not a default setting in production)
- Fixed Versions: rails >= 6.0.3.2

GHSA-x7jg-6pwg-fx5h (high severity)
- Vulnerable versions: >= 4.0.0, < 4.3.4
- Patched version: 4.3.4
- Impact: By using an invalid transfer-encoding header, an attacker could smuggle an HTTP response.

GHSA-w64w-qqph-5gxm (moderate severity)
- Vulnerable versions: >= 4.0.0, < 4.3.5
- Patched version: 4.3.5
- Impact: This is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.
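Added example, not part of this PR or the repository: a small Ruby check that reads the locked gem versions from a Gemfile.lock and compares them against the vulnerable ranges quoted in the description above, so a reviewer can confirm which alerts a version bump actually closes. Range matching uses the stdlib Gem::Requirement; the lockfile fragment is constructed for the example.

```ruby
require "rubygems"

# Advisory ranges copied from the PR description above:
# gem name => [advisory id, vulnerable range, patched version].
ADVISORIES = {
  "rails" => [
    ["CVE-2021-22880",      ">= 6.0.0, <= 6.0.3.4",   "6.0.3.5"],
    ["GHSA-cfjv-5498-mph5", ">= 6.0.0.0, <= 6.0.3.2", "6.0.3.3"],
    ["CVE-2020-8167",       ">= 6.0.0, <= 6.0.3",     "6.0.3.1"],
    ["CVE-2020-8162",       ">= 6.0.0, <= 6.0.3",     "6.0.3.1"],
    ["CVE-2020-8165",       ">= 6.0.0, <= 6.0.3",     "6.0.3.1"],
    ["CVE-2020-8264",       ">= 6.0.0, <= 6.0.3.3",   "6.0.3.4"],
    ["CVE-2021-22881",      ">= 6.0.0, <= 6.0.3.4",   "6.0.3.5"],
    ["CVE-2020-8185",       ">= 6.0.0, <= 6.0.3.1",   "6.0.3.2"],
  ],
  "puma" => [
    ["GHSA-x7jg-6pwg-fx5h", ">= 4.0.0, < 4.3.4", "4.3.4"],
    ["GHSA-w64w-qqph-5gxm", ">= 4.0.0, < 4.3.5", "4.3.5"],
  ],
}

# Constructed Gemfile.lock fragment (not the repository's real lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      puma (4.3.3)
        nio4r (~> 2.0)
      rails (6.0.3.2)
        actioncable (= 6.0.3.2)
LOCK

# Extract "name (version)" pairs from the specs section. Only the
# four-space-indented lines carry locked versions; deeper lines are
# dependency constraints and are skipped.
def locked_versions(lockfile)
  lockfile.scan(/^ {4}([\w-]+) \(([\d.]+)\)$/).to_h
end

# Return one line per advisory whose vulnerable range contains the locked version.
def open_alerts(lockfile)
  versions = locked_versions(lockfile)
  ADVISORIES.flat_map do |gem, entries|
    next [] unless versions[gem]
    v = Gem::Version.new(versions[gem])
    entries.select { |_, range, _| Gem::Requirement.new(range.split(", ")).satisfied_by?(v) }
           .map { |id, _, patched| "#{gem} #{versions[gem]}: #{id} (fixed in #{patched})" }
  end
end

puts open_alerts(SAMPLE_LOCK)
```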
chrislujan approved these changes on Apr 30, 2021:
lgtm
There are many Dependabot (security) alerts. This PR should clean up all but one, which has a more complicated fix.