Skip to content

Security release forward ports to newer branches #53426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 25, 2024
Merged

Security release forward ports to newer branches #53426

merged 4 commits into from
Oct 25, 2024

Conversation

jhawthorn
Copy link
Member

@jhawthorn jhawthorn commented Oct 24, 2024
edited
Loading

This adds the commits from the recent security releases for the main branch. I will also backport this to 8-0-stable.

These aren't a security concern for the 8-0-stable or main branches, as Ruby 3.2, which is now required, runs these regular expressions in linear time. However it's best to keep these branches in sync.

jhawthorn and others added 4 commits October 23, 2024 17:29
@jhawthorn
Avoid backtracking in Token#raw_params
4712a2b 
Thanks to scyoon for the patch

[CVE-2024-47887]
@jhawthorn
Avoid backtracking in filtered_query_string
4d6ce90 
Thanks scyoon for the patch

CVE-2024-41128
@jhawthorn @ooooooo-q
Avoid backtracing in plain_text_for_blockquote_node
032a493 
[CVE-2024-47888]

Co-authored-by: ooooooo_q <ooooooo-q@users.noreply.github.com>
@jhawthorn @makmic
Avoid backtracking in ActionMailer block_format
6fdabdf 
[CVE-2024-47889]

Thanks to yuki_osaki and scyoon for reporting this vulnerability

Co-authored-by: Michael Leimstaedtner <michael.leimstaedtner@makandra.de>
@jhawthorn jhawthorn merged commit acffb99 into rails:main Oct 25, 2024
3 checks passed
jhawthorn added a commit that referenced this pull request Oct 25, 2024
@jhawthorn
Merge pull request #53426 from jhawthorn/security_forward_ports
97c97e3 
Security release forward ports to newer branches
@jhawthorn jhawthorn deleted the security_forward_ports branch October 25, 2024 00:12
@hfsaito hfsaito mentioned this pull request Dec 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
actionmailer actionpack actiontext
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jhawthorn