update changelog

rails · May 15, 2020 · 0ad524a · 0ad524a
1 parent 47a8dc3
commit 0ad524a
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 0 deletions.
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,3 +1,7 @@
+*   [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
+
+*   [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
+
 ## Rails 6.0.3 (May 06, 2020) ##
 
 *   Include child session assertion count in ActionDispatch::IntegrationTest

diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
@@ -1,3 +1,5 @@
+*   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
+
 ## Rails 6.0.3 (May 06, 2020) ##
 
 *   annotated_source_code returns an empty array so TemplateErrors without a

diff --git a/activestorage/CHANGELOG.md b/activestorage/CHANGELOG.md
@@ -1,3 +1,5 @@
+*   [CVE-2020-8162] Include Content-Length in signature for ActiveStorage direct upload
+
 ## Rails 6.0.3 (May 06, 2020) ##
 
 *   No changes.

diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
@@ -1,3 +1,7 @@
+*   [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore
+
+*   [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore
+
 ## Rails 6.0.3 (May 06, 2020) ##
 
 *   `Array#to_sentence` no longer returns a frozen string.