search

richardvenneman / trestle-active_storage

⛩ ActiveStorage integration plugin for the Trestle admin framework
MIT License
29 stars 36 forks source link

[Security] Bump activerecord from 6.0.3.4 to 6.1.2.1 #88

Closed dependabot-preview[bot] closed 3 years ago

dependabot-preview[bot] commented 3 years ago

Bumps activerecord from 6.0.3.4 to 6.1.2.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Possible DoS Vulnerability in Active Record PostgreSQL adapter There is a possible DoS vulnerability in the PostgreSQL adapter in Active Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

Versions Affected: >= 4.2.0 Not affected: < 4.2.0 Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5

Impact

Carefully crafted input can cause the input validation in the "money" type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Workarounds

In the case a patch can't be applied, the following monkey patch can be used in an initializer:

... (truncated)

Patched versions: ~> 5.2.4.5; ~> 6.0.3.5; >= 6.1.2.1 Unaffected versions: < 4.2.0

Release notes

Sourced from activerecord's releases.

6.1.2.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Fix possible DoS vector in PostgreSQL money type

    Carefully crafted input can cause a DoS via the regular expressions used for validating the money format in the PostgreSQL adapter. This patch fixes the regexp.

    Thanks to @dee-see from Hackerone for this patch!

    [CVE-2021-22880]

    Aaron Patterson

Action View

  • No changes.

Action Pack

  • Prevent open redirect when allowed host starts with a dot

    [CVE-2021-22881]

    Thanks to @tktech (https://hackerone.com/tktech) for reporting this issue and the patch!

    Aaron Patterson

Active Job

... (truncated)

Changelog

Sourced from activerecord's changelog.

Rails 6.1.2.1 (February 10, 2021)

  • Fix possible DoS vector in PostgreSQL money type

    Carefully crafted input can cause a DoS via the regular expressions used for validating the money format in the PostgreSQL adapter. This patch fixes the regexp.

    Thanks to @dee-see from Hackerone for this patch!

    [CVE-2021-22880]

    Aaron Patterson

Rails 6.1.2 (February 09, 2021)

  • Fix timestamp type for sqlite3.

    Eileen M. Uchitelle

  • Make destroy async transactional.

    An active record rollback could occur while enqueuing a job. In this case the job would enqueue even though the database deletion rolledback putting things in a funky state.

    Now the jobs are only enqueued until after the db transaction has been committed.

    Cory Gwin

  • Fix malformed packet error in MySQL statement for connection configuration.

    robinroestenburg

  • Connection specification now passes the "url" key as a configuration for the adapter if the "url" protocol is "jdbc", "http", or "https". Previously only urls with the "jdbc" prefix were passed to the Active Record Adapter, others are assumed to be adapter specification urls.

    Fixes #41137.

    Jonathan Bracy

  • Fix granular connection swapping when there are multiple abstract classes.

    Eileen M. Uchitelle

  • Fix find_by with custom primary key for belongs_to association.

... (truncated)

Commits
  • 130c128 Preparing for 6.1.2.1 release
  • 536503d Fix possible DoS vector in PostgreSQL money type
  • bf8c59c Preparing for 6.1.2 release
  • eeb5baa Merge pull request #41342 from kamipo/fix_build_on_association_relation
  • d1fd637 Merge pull request #41324 from eileencodes/fix-timestamp-type-for-sqlite3
  • d4907b7 Merge pull request #41292 from intrip/41156-fix-mysql-virtual-column-with-esc...
  • 3813021 Fix enum predicate methods on object enum keys
  • 438b50d A -> An [ci skip]
  • d013946 Add CHANGELOG entry for #41093 [ci skip]
  • b801005 Merge pull request #41093 from gwincr11/action-job-transactions
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

If all status checks pass Dependabot will automatically merge this pull request during working hours.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)

⚠️ Dependabot won't automerge this PR as it didn't detect CI on it ⚠️

You have automerging enabled for this repo but Dependabot didn't detect any CI statuses or checks. You can disable automerging on this repo from here.

dependabot-preview[bot] commented 3 years ago

Superseded by #92.