Commit
Validate page refresh interval to ensure a minimum amount of delay
Showing 2 changed files with 4 additions and 1 deletion.
62c90d7
Will this be backported to 6.x?
I just cherry-picked it into the 6-x branch so it'll be in a future 6.5.10 release. No ETA for that.
The CVE seems misleading. This is only client-side validation and nothing is stopping me from making these requests myself, the DoS is still present.
I would think/hope that most already have the dashboard behind a Rails constraint or something similar, like the built-in enterprise authorization feature.
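The point raised above is that a client-side check on the refresh interval cannot stop a client that simply issues the requests itself. As an added illustration (not Sidekiq's own code), the following Ruby shows the interval being clamped on the server, where a bypassed JavaScript check no longer matters; the `poll` parameter name, the limits and `handle_dashboard_request` are assumptions for the example.

```ruby
require "cgi"

# Assumed limits for the example, not the project's real values.
MIN_POLL_SECONDS = 2
MAX_POLL_SECONDS = 300
DEFAULT_POLL_SECONDS = 5

# Normalizes the raw ?poll= value sent by the client. Missing, non-numeric,
# non-finite, negative or out-of-range input is forced into [MIN, MAX].
# Because this runs server-side, editing or skipping the page's JavaScript
# check does not let a client obtain a faster refresh than MIN_POLL_SECONDS.
def sanitized_poll_interval(raw)
  str = raw.to_s.strip
  return DEFAULT_POLL_SECONDS if str.empty?

  value = begin
    Float(str)
  rescue ArgumentError
    return DEFAULT_POLL_SECONDS # "abc", "" with spaces, etc.
  end
  return DEFAULT_POLL_SECONDS unless value.finite? # e.g. "1e400" => Infinity

  value.floor.clamp(MIN_POLL_SECONDS, MAX_POLL_SECONDS)
end

# Hypothetical dashboard handler: whatever the client asked for, the interval
# actually embedded in the rendered page is the sanitized one.
def handle_dashboard_request(query_string)
  params = CGI.parse(query_string.to_s)
  interval = sanitized_poll_interval(params.fetch("poll", []).first)
  body = %(<div id="dashboard" data-poll-interval="#{interval}"></div>)
  { status: 200, poll: interval, body: body }
end

if __FILE__ == $PROGRAM_NAME
  # A client requesting a 1 ms refresh still gets the minimum interval.
  puts handle_dashboard_request("poll=0.001")[:poll] # => 2
end
```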
Any ETA yet on the 6.5.10 release?
7.x does not seem to be backwards compatible. This seems like it should merit a prompt release for 6.x.
@mperham Is there still no ETA for this?
Anyone who feels the need for this fix on 6.x, you can pin your Gemfile to the back-ported fix: 101435c
I wouldn't expect a new version to be cut for this specifically. Mike has said that he considers this low severity.
Agree. But for those of us who use GitHub Dependabot (or bundler-audit), this getting flagged as high raises questions and awkward conversations with anyone we need to share the reports with (i.e. customers).
Upgrading to 7 will be a large effort for us.
I agree that it is quite low severity, but I have no idea how to tell Dependabot that, and right now we have Dependabot turned off because of this, which is dangerous. Perhaps the greater issue here is that v7 is not backwards compatible and the transition guides are incomplete / confusing.
6.5.10 will be out tomorrow (Monday morning Pacific) and include this CVE fix plus a fix for Rails 7.1.
Thank you!!