The site behind https://software.opensuse.org. It is the default web interface to download openSUSE distributions and to search for OBS packages. Packaged at https://build.opensuse.org/project/show/openSUSE:infrastructure:software.opensuse.org
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
The redirect_to method in Rails allows provided values to contain characters
which are not legal in an HTTP header value. This results in the potential for
downstream services which enforce RFC compliance on HTTP response headers to
remove the assigned Location header. This vulnerability has been assigned the
CVE identifier CVE-2023-28362.
Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
Impact
This introduces the potential for a Cross-site-scripting (XSS) payload to be
delivered on the now static redirection page. Note that this both requires
user interaction and for a Rails app to be configured to allow redirects to
external hosts (defaults to false in Rails >= 7.0.x).
Releases
The FIXED releases are available at the normal locations.
Workarounds
Avoid providing user supplied URLs with arbitrary schemes to the redirect_to
method.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ rails (7.0.5 → 7.0.5.1) · Repo
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
✳️ minitest (5.18.0 → 5.18.1) · Repo · Changelog
Release Notes
5.18.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 7 commits:
prepped for release
Removed 2.6 from CI.
- Avoid extra string allocations when filtering tests. (tenderlove)
- Only mention deprecated ENV['N'] if it is an integer string.
- Push up test_order to Minitest::Runnable to fix minitest/hell. (koic)
Use minitest organization in links (hsbt)
updated dates / versions in rails faq
↗️ actioncable (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
↗️ actionmailbox (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
↗️ actionmailer (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
↗️ actionpack (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Security Advisories 🚨
🚨 Possible XSS via User Supplied Values to redirect_to
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
↗️ actiontext (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
↗️ actionview (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
↗️ activejob (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
↗️ activemodel (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
↗️ activerecord (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
↗️ activestorage (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
↗️ activesupport (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
↗️ i18n (indirect, 1.13.0 → 1.14.1) · Repo · Changelog
Release Notes
1.14.1
1.14.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 24 commits:
Bump to 1.14.1
Merge pull request #666 from amatsuda/checkout_v3
Fix build warnings in the CI by using actions/checkout@v3
Merge pull request #665 from amatsuda/ci_ruby32
CI against Ruby 3.2
Merge pull request #659 from mark-a/mark-a-fallback-doc
Merge pull request #662 from amatsuda/default_empty_array
Merge pull request #663 from amatsuda/fix_rails_edge_ci
Merge pull request #664 from amatsuda/skip_jruby_rails52
Skip CIing on jruby against Rails 5.2
Read AS MemoryStore value via public API
Simplify the "Translation missing" message when default is an empty Array
Bump version to 1.14.0
Merge pull request #656 from tubaxenor/fix-locale-with-separator
Revert normalized_keys before #651
Merge remote-tracking branch 'upstream/prep-1-1-4' into fix-locale-with-separator
Correct translation missing assertions
Revert "make sure I18n.fallbacks updates itself"
Correct translation missing checks
Add documentation hint for fallback values
Fix I18n.t when locale contains separator
Merge pull request #653 from yheuhtozr/patch-1
Merge pull request #654 from Nerian/add-options-to-missing-trabslation-message
Merge pull request #655 from ccutrer/lazy-loadable-duplicate-available-locales
↗️ net-imap (indirect, 0.3.4 → 0.3.6) · Repo
Release Notes
0.3.6
0.3.5
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 10 commits:
Bump version to 0.3.6
🔖 Bump version to 0.3.5
🐛 Fix XOAUTH2 authenticator for ruby 2.6
✅ Fix decode utf-7 test for ruby 2.6
Decode UTF-7 more strictly
⬇️ Continue testing 0.3.x branch against ruby 2.6
Use reusing workflow
✅ Add RFC3454 data, to support offline testing
Adds Ruby 3.2 to the CI matrix.
📚 Fix #response documentation error
↗️ railties (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 release
update changelog
Added check for illegal HTTP header value in redirect_to
↗️ timeout (indirect, 0.3.2 → 0.4.0) · Repo
Release Notes
0.4.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 7 commits:
Bump up v0.4.0
Raise exception instead of throw/catch for timeouts (#30)
Move gemspec files to top of lib directory.
Merge pull request #31 from nobu/test-unit-ruby-core
Use released version of test-unit-ruby-core
Merge pull request #29 from ruby/update-test-lib-20230324
Update test libraries from https://github.com/ruby/ruby/commit/b4e438d8aabaf4bba2b27f374c787543fae07c58
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase
.All Depfu comment commands