[SECURITY] AutoForme 1.9.1 Released #34
Google Group Date: Mon, 22 Jul 2019 11:43:02 -0700
On Monday, July 22, 2019 at 11:41:34 AM UTC-7, Jeremy Evans wrote:
These dates should be 7/22/2019, not 9/22/2019.
Thanks,
Google Group Post: https://groups.google.com/g/ruby-forme/c/U99YFD1EJnY
Google Group Date: Mon, 22 Jul 2019 11:41:34 -0700
Google Group Sender: jeremy...@gmail.com
AutoForme 1.9.1 has been released. Only a single, security-related change
in this release:
Escape object display name when displaying association links, bump
version to 1.9.1
Previously, the object display name was escaped in other cases, but
was not escaped when displaying association links, leading to the
possibility of XSS when the associations_links setting is used (this
setting is not used by default).
Security Release Timeline:
9/22/2019 ~7:55am: Disclosure of security vulnerability by adam12, who also
provided a patch.
9/22/2019 ~8:20am: Patch committed with regression tests.
9/22/2019 ~11:40am: 1.9.1 gem released, patch pushed to GitHub, release
announcement posted.
Thanks,
Jeremy
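
The class of bug described in this announcement, as an added illustration that is not AutoForme's code or the committed patch: one output path interpolates an object's display name raw, while the hardened path escapes it at the point of output. `Album`, `association_links`, `raw_markup_in_links?` and the sample names are hypothetical and constructed for this example.

```ruby
require 'erb'

# Hypothetical record type; AutoForme's real models and internals are not shown here.
Album = Struct.new(:id, :name)

# Render one link per associated object.
# escape: false models the pre-fix behaviour (display name emitted as-is),
# escape: true models the fixed behaviour (display name HTML-escaped on output).
def association_links(prefix, objs, escape:)
  objs.map do |obj|
    label = escape ? ERB::Util.html_escape(obj.name) : obj.name.to_s
    href  = "#{ERB::Util.html_escape(prefix)}/show/#{obj.id.to_i}"
    "<a href=\"#{href}\">#{label}</a>"
  end.join("\n")
end

# Regression-style check: does any display name containing HTML
# metacharacters appear verbatim (unescaped) in the rendered output?
def raw_markup_in_links?(html, objs)
  objs.any? do |obj|
    name = obj.name.to_s
    name.match?(/[<>"'&]/) && html.include?(name)
  end
end

# Constructed sample data: display names are attacker-influenced strings
# whenever users can edit the records being listed.
SAMPLE_ALBUMS = [
  Album.new(1, "Plain Title"),
  Album.new(2, "Tom & Jerry"),
  Album.new(3, "<script>alert(1)</script>")
].freeze

if __FILE__ == $PROGRAM_NAME
  before = association_links("/albums", SAMPLE_ALBUMS, escape: false)
  after  = association_links("/albums", SAMPLE_ALBUMS, escape: true)
  puts "unescaped path leaks markup: #{raw_markup_in_links?(before, SAMPLE_ALBUMS)}"
  puts "escaped path leaks markup:   #{raw_markup_in_links?(after, SAMPLE_ALBUMS)}"
  puts after
end
```

A check like `raw_markup_in_links?` is most useful when run against every view that renders the display name, since the issue here was a single path that missed escaping applied elsewhere.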