This repository has been archived by the owner on Dec 2, 2020. It is now read-only.

CVE-2015-7576 #88

Closed
hubot opened this issue Jan 27, 2016 · 0 comments

hubot commented Jan 27, 2016

Heaven detected that rails is not >= 5.0.0.beta1.1, ~> 3.2.22.1, ~> 4.1.14.1, ~> 4.2.5.1

Your Gemfile.lock on the master branch currently is 3.2.22.

Can you folks fix this up? 💞

/cc https://github.com/github/security/issues/1363

@hubot hubot added the Security label Jan 27, 2016
@jacobbednarz jacobbednarz self-assigned this Jan 27, 2016
jacobbednarz added a commit that referenced this issue Jan 27, 2016
Upgrades rails to 3.2.22.1 to address the following CVEs:

- CVE-2015-7576: Timing attack vulnerability in basic authentication in Action
  Controller.
- CVE-2016-0751: Possible Object Leak and Denial of Service attack in Action
  Pack
- CVE-2015-7577: Nested attributes rejection proc bypass in Active Record.
- CVE-2016-0752: Possible Information Leak Vulnerability in Action View
- CVE-2016-0753: Possible Input Validation Circumvention in Active Model
- CVE-2015-7581: Object leak vulnerability for wildcard controller routes in
  Action Pack

Full changelog: rails/rails@v3.2.22...v3.2.22.1

Fixes #88, #87, #86 and #85.