The site behind https://software.opensuse.org. It is the default web interface to download openSUSE distributions and to search for OBS packages. Packaged at https://build.opensuse.org/project/show/openSUSE:infrastructure:software.opensuse.org
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
The redirect_to method in Rails allows provided values to contain characters
which are not legal in an HTTP header value. This results in the potential for
downstream services which enforce RFC compliance on HTTP response headers to
remove the assigned Location header. This vulnerability has been assigned the
CVE identifier CVE-2023-28362.
Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
Impact
This introduces the potential for a Cross-site-scripting (XSS) payload to be
delivered on the now static redirection page. Note that this both requires
user interaction and for a Rails app to be configured to allow redirects to
external hosts (defaults to false in Rails >= 7.0.x).
Releases
The FIXED releases are available at the normal locations.
Workarounds
Avoid providing user supplied URLs with arbitrary schemes to the redirect_to
method.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ rails (7.0.5 → 7.0.5.1) · Repo
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to✳️ minitest (5.18.0 → 5.18.1) · Repo · Changelog
Release Notes
5.18.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 7 commits:
prepped for releaseRemoved 2.6 from CI.- Avoid extra string allocations when filtering tests. (tenderlove)- Only mention deprecated ENV['N'] if it is an integer string.- Push up test_order to Minitest::Runnable to fix minitest/hell. (koic)Use minitest organization in links (hsbt)updated dates / versions in rails faq↗️ actioncable (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to↗️ actionmailbox (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
↗️ actionmailer (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to↗️ actionpack (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Security Advisories 🚨
🚨 Possible XSS via User Supplied Values to redirect_to
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to↗️ actiontext (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to↗️ actionview (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to↗️ activejob (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to↗️ activemodel (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to↗️ activerecord (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to↗️ activestorage (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to↗️ activesupport (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to↗️ i18n (indirect, 1.13.0 → 1.14.1) · Repo · Changelog
Release Notes
1.14.1
1.14.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 24 commits:
Bump to 1.14.1Merge pull request #666 from amatsuda/checkout_v3Fix build warnings in the CI by using actions/checkout@v3Merge pull request #665 from amatsuda/ci_ruby32CI against Ruby 3.2Merge pull request #659 from mark-a/mark-a-fallback-docMerge pull request #662 from amatsuda/default_empty_arrayMerge pull request #663 from amatsuda/fix_rails_edge_ciMerge pull request #664 from amatsuda/skip_jruby_rails52Skip CIing on jruby against Rails 5.2Read AS MemoryStore value via public APISimplify the "Translation missing" message when default is an empty ArrayBump version to 1.14.0Merge pull request #656 from tubaxenor/fix-locale-with-separatorRevert normalized_keys before #651Merge remote-tracking branch 'upstream/prep-1-1-4' into fix-locale-with-separatorCorrect translation missing assertionsRevert "make sure I18n.fallbacks updates itself"Correct translation missing checksAdd documentation hint for fallback valuesFix I18n.t when locale contains separatorMerge pull request #653 from yheuhtozr/patch-1Merge pull request #654 from Nerian/add-options-to-missing-trabslation-messageMerge pull request #655 from ccutrer/lazy-loadable-duplicate-available-locales↗️ net-imap (indirect, 0.3.4 → 0.3.6) · Repo
Release Notes
0.3.6
0.3.5
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 10 commits:
Bump version to 0.3.6🔖 Bump version to 0.3.5🐛 Fix XOAUTH2 authenticator for ruby 2.6✅ Fix decode utf-7 test for ruby 2.6Decode UTF-7 more strictly⬇️ Continue testing 0.3.x branch against ruby 2.6Use reusing workflow✅ Add RFC3454 data, to support offline testingAdds Ruby 3.2 to the CI matrix.📚 Fix #response documentation error↗️ railties (indirect, 7.0.5 → 7.0.5.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 3 commits:
Preparing for 7.0.5.1 releaseupdate changelogAdded check for illegal HTTP header value in redirect_to↗️ timeout (indirect, 0.3.2 → 0.4.0) · Repo
Release Notes
0.4.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 7 commits:
Bump up v0.4.0Raise exception instead of throw/catch for timeouts (#30)Move gemspec files to top of lib directory.Merge pull request #31 from nobu/test-unit-ruby-coreUse released version of test-unit-ruby-coreMerge pull request #29 from ruby/update-test-lib-20230324Update test libraries from https://github.com/ruby/ruby/commit/b4e438d8aabaf4bba2b27f374c787543fae07c58Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands