J3RN / time-tracker

A time tracking application
http://timesheet.j3rn.com
MIT License
6 stars, 14 forks

[Security] Bump rails from 5.1.6 to 5.1.7 #164

Closed. dependabot-preview[bot] closed this 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps rails from 5.1.6 to 5.1.7. This update includes security fixes.

Vulnerabilities fixed

*Sourced from The GitHub Security Advisory Database.*

> **Critical severity vulnerability that affects actionview**
> # Denial of Service Vulnerability in Action View
>
> Impact
> ------
> Specially crafted accept headers can cause the Action View template location
> code to consume 100% CPU, leaving the server unable to process requests. This
> impacts all Rails applications that render views.
>
> All users running an affected release should either upgrade or use one of the
> workarounds immediately.
>
> Releases
> --------
> The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are
> available at the normal locations.
>
> Workarounds
> -----------
> This vulnerability can be mitigated by wrapping `render` calls with
> `respond_to` blocks. For example, the following example is vulnerable:
> ... (truncated)
>
> Affected versions: >= 5.1.0, <= 5.1.6.1

*Sourced from The GitHub Security Advisory Database.*

> **High severity vulnerability that affects actionview**
> # File Content Disclosure in Action View
>
> Impact
> ------
> There is a possible file content disclosure vulnerability in Action View.
> Specially crafted accept headers in combination with calls to `render file:`
> can cause arbitrary files on the target server to be rendered, disclosing the
> file contents.
>
> The impact is limited to calls to `render` which render file contents without
> a specified accept format. Impacted code in a controller looks something like
> this:
>
> ```
> class UserController < ApplicationController
>   def index
>     render file: "#{Rails.root}/some/file"
>   end
> end
> ```
> ... (truncated)
>
> Affected versions: >= 5.1.0, <= 5.1.6.1

*Sourced from The Ruby Advisory Database.*

> **Broken Access Control vulnerability in Active Job**
> There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.
>
> Impact
> ------
> Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.
>
> Vulnerable code will look something like this:
>
> ```
> MyJob.perform_later(user_input)
> ```
>
> All users running an affected release should either upgrade or use one of the workarounds immediately.
>
> Patched versions: >= 4.2.11, < 5.0.0; >= 5.0.7.1, < 5.1.0; >= 5.1.6.1, < 5.2.0; >= 5.2.1.1
> Unaffected versions: < 4.2.0
Release notes

*Sourced from [rails's releases](https://github.com/rails/rails/releases).*

> ## 5.1.7
>
> ## Active Support
>
> * No changes.
>
> ## Active Model
>
> * No changes.
>
> ## Active Record
>
> * Fix `touch` option to behave consistently with `Persistence#touch` method.
>
>   *Ryuta Kamizono*
>
> * Back port Rails 5.2 `reverse_order` Arel SQL literal fix.
>
>   *Matt Jones*, *Brooke Kuhlmann*
>
> * `becomes` should clear the mutation tracker which is created in `after_initialize`.
>
>   Fixes [#32867](https://github-redirect.dependabot.com/rails/rails/issues/32867).
>
>   *Ryuta Kamizono*
>
> ## Action View
>
> * Fix issue with `button_to`'s `to_form_params`
>
>   `button_to` was throwing an exception when invoked with a `params` hash that
>   contains symbol and string keys. The reason for the exception was that
>   `to_form_params` was comparing the given symbol and string keys.
>
>   The issue is fixed by turning all keys to strings inside
>   `to_form_params` before comparing them.
>
>   *Georgi Georgiev*
>
> ## Action Pack
>
> * No changes.
>
> ... (truncated)
Commits

- [`4f66945`](https://github.com/rails/rails/commit/4f66945cd038bda638fc6729e0d54663d0dfbf22) Preparing for 5.1.7 release
- [`ce0c4f3`](https://github.com/rails/rails/commit/ce0c4f3c822d75dda3226e92b9fb24f79bbd91d7) Preparing for 5.1.7.rc1 release
- [`6e4906b`](https://github.com/rails/rails/commit/6e4906b2f41b81ea058842828dbf606ecfe28b69) Fix announce script
- [`c850941`](https://github.com/rails/rails/commit/c8509418488c33724c73575d7b494a5e3eb9cf63) Fix release template
- [`98d0f7c`](https://github.com/rails/rails/commit/98d0f7c6193885a9e4e435e7edf33deb684dee00) Fix Gemfile.lock
- [`3dafcc1`](https://github.com/rails/rails/commit/3dafcc1f7bfb12587492414f072a2e9e924821dd) Merge branch 'v5-1-6-2' into 5-1-stable
- [`ec8697b`](https://github.com/rails/rails/commit/ec8697bf0bfafff7d897fb50e322afe42ddc1623) Prep release
- [`92c025d`](https://github.com/rails/rails/commit/92c025d7f17ff256ac50f5e3bc014bb1a016d1ec) Only accept formats from registered mime types
- [`b4f39c4`](https://github.com/rails/rails/commit/b4f39c4d450e6e5558fd209ceba8af35f5f3910b) Merge pull request [#35560](https://github-redirect.dependabot.com/rails/rails/issues/35560) from eileencodes/fix-5-1-stable-build
- [`faa96dc`](https://github.com/rails/rails/commit/faa96dc2e10ce470bceca666ed183dd7d781fbc3) Merge pull request [#35299](https://github-redirect.dependabot.com/rails/rails/issues/35299) from kamipo/fix_mismatched_foreign_key
- Additional commits viewable in [compare view](https://github.com/rails/rails/compare/v5.1.6...v5.1.7)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
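The advisories quoted in the PR body give their patched and affected ranges as plain range strings. The following is an added example, not code from this PR, from rails or from J3RN/time-tracker, showing how to check a locked `rails` version against exactly those ranges with the `Gem::Version` and `Gem::Requirement` classes that ship with RubyGems. The range strings are copied from the advisory text above; the `Gemfile.lock` excerpt is constructed sample input standing in for the repository's real lockfile (the PR title says the lock was at 5.1.6 before the bump).

```ruby
# Added example (not from the PR, rails or J3RN/time-tracker): evaluate a
# locked gem version against the advisory ranges quoted in the PR body.
require "rubygems"

# Active Job (CVE-2018-16476): each ';'-separated clause is one patched window.
ACTIVEJOB_PATCHED    = ">= 4.2.11, < 5.0.0; >= 5.0.7.1, < 5.1.0; >= 5.1.6.1, < 5.2.0; >= 5.2.1.1"
ACTIVEJOB_UNAFFECTED = "< 4.2.0"
# Action View (DoS and file content disclosure): the affected window.
ACTIONVIEW_AFFECTED  = ">= 5.1.0, <= 5.1.6.1"

# "a, b; c" -> [Gem::Requirement(a, b), Gem::Requirement(c)]
def parse_ranges(spec)
  spec.split(";").map do |clause|
    Gem::Requirement.new(*clause.split(",").map(&:strip))
  end
end

def in_any_range?(version, spec)
  v = Gem::Version.new(version)
  parse_ranges(spec).any? { |req| req.satisfied_by?(v) }
end

# True when the version sits in a patched window or predates the bug entirely.
def activejob_patched?(version)
  in_any_range?(version, ACTIVEJOB_UNAFFECTED) || in_any_range?(version, ACTIVEJOB_PATCHED)
end

def actionview_affected?(version)
  in_any_range?(version, ACTIONVIEW_AFFECTED)
end

# Constructed Gemfile.lock excerpt; not the repository's actual lockfile.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionview (5.1.6)
      rails (5.1.6)
        actionview (= 5.1.6)
LOCK

# Resolved spec lines are indented exactly four spaces; dependency lines
# (six spaces, "(= x.y.z)") are skipped so we read the resolved version only.
def locked_version(lock_text, gem_name)
  m = lock_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)=]+)\)$/)
  m && m[1]
end

def report(lock_text)
  rails = locked_version(lock_text, "rails")
  {
    rails: rails,
    activejob_patched: activejob_patched?(rails),
    actionview_affected: actionview_affected?(rails),
  }
end

if __FILE__ == $PROGRAM_NAME
  p report(SAMPLE_LOCK)
end
```

Point it at a real lockfile with `report(File.read("Gemfile.lock"))`. Note that the Action View advisories list 5.1.6.1 as still affected while 5.1.6.2 is the fixed release, so a lock pinned to 5.1.6.1 by the earlier Active Job bump is patched for CVE-2018-16476 but not for the Action View issues; the two checks are deliberately kept separate for that reason.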
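The Action View file content disclosure quoted above is driven by the request's Accept header, and the commit list names the fix: "Only accept formats from registered mime types". The following is an added example in pure Ruby, not Action View's own resolver and not code from this PR or from J3RN/time-tracker, that models the mechanism: a format token taken from the Accept header becomes part of the template path, and before the fix nothing restricted that token to a registered type. `VIEWS_ROOT`, `REGISTERED_FORMATS`, `UnknownFormat`, the simplified Accept parsing and the crafted header value are all assumptions made for the illustration; the `allowed:` keyword stands in for the `respond_to` workaround the advisory describes, where the controller pins the formats it will render.

```ruby
# Added example (not Rails code): a simplified model of template path
# resolution driven by the Accept header, before and after restricting the
# format to registered mime types.

VIEWS_ROOT = "/srv/app/app/views"                     # assumed, hypothetical
REGISTERED_FORMATS = %w[html json xml text js].freeze # stand-in for the Mime::Type set
MEDIA_TYPE = %r{\A[\w.+-]+/[\w.+*-]+\z}               # "type/subtype"

class UnknownFormat < StandardError; end

# Reduce each comma-separated Accept entry to a format token. A well-formed
# "type/subtype" entry yields its subtype; anything else is passed through
# whole, which is the property the vulnerable lookup depended on.
def formats_from_accept(header)
  header.to_s.split(",").map do |entry|
    media = entry.split(";").first.to_s.strip
    media.match?(MEDIA_TYPE) ? media.split("/").last : media
  end.reject(&:empty?)
end

# Pre-fix behaviour: the first requested format, whatever it contains, is
# spliced into the template path, so "../" segments walk out of VIEWS_ROOT.
def vulnerable_template_path(name, accept_header)
  format = formats_from_accept(accept_header).first || "html"
  File.expand_path("#{name}.#{format}", VIEWS_ROOT)
end

# Post-fix behaviour: only registered formats are considered. `allowed`
# models the respond_to workaround: the controller declares the formats it
# renders and the Accept header can only choose among those.
def hardened_template_path(name, accept_header, allowed: REGISTERED_FORMATS)
  requested = formats_from_accept(accept_header)
  format = requested.find { |f| allowed.include?(f) }
  raise UnknownFormat, "no acceptable format in #{requested.inspect}" unless format
  File.expand_path("#{name}.#{format}", VIEWS_ROOT)
end

# Defence in depth independent of the framework version: refuse any resolved
# path that escaped the views root.
def inside_views_root?(path)
  path.start_with?(VIEWS_ROOT + "/")
end

CRAFTED_ACCEPT = "../../../../../../etc/passwd"      # constructed attacker header
NORMAL_ACCEPT  = "text/html;q=0.9, application/json" # constructed browser header

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_template_path("index", CRAFTED_ACCEPT)
  puts hardened_template_path("index", NORMAL_ACCEPT)
end
```

With the crafted header the vulnerable resolver yields `/etc/passwd`, outside the views root; the hardened resolver raises `UnknownFormat` for the same input and resolves `index.html` for the normal header. The `allowed:` form shows why the `respond_to` workaround in the advisory is effective even on an unpatched release: the attacker-controlled token never reaches the path unless it is one the controller opted into.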