Bumps railties from 5.2.2 to 5.2.2.1. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/railties/CVE-2019-5420.yml).*
> **Possible Remote Code Execution Exploit in Rails Development Mode**
> There is a possible remote code execution exploit in Rails when in
> development mode. This vulnerability has been assigned the CVE identifier
> CVE-2019-5420.
>
> Versions Affected: 6.0.0.X, 5.2.X.
> Not affected: None.
> Fixed Versions: 6.0.0.beta3, 5.2.2.1
>
> Impact
> ------
> With some knowledge of a target application it is possible for an attacker to
> guess the automatically generated development mode secret token. This secret
> token can be used in combination with other Rails internals to escalate to a
> remote code execution exploit.
>
> All users running an affected release should either upgrade or use one of the
> workarounds immediately.
>
> Releases
> --------
> ... (truncated)
>
> Patched versions: ~> 5.2.2, >= 5.2.2.1; >= 6.0.0.beta3
> Unaffected versions: none
*Sourced from The GitHub Security Advisory Database.*
> **Moderate severity vulnerability that affects railties**
> # Possible Remote Code Execution Exploit in Rails Development Mode
>
> Impact
> ------
> With some knowledge of a target application it is possible for an attacker to
> guess the automatically generated development mode secret token. This secret
> token can be used in combination with other Rails internals to escalate to a
> remote code execution exploit.
>
> All users running an affected release should either upgrade or use one of the
> workarounds immediately.
>
> Releases
> --------
> The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations.
>
> Workarounds
> -----------
> This issue can be mitigated by specifying a secret key in development mode.
> In "config/environments/development.rb" add this:
> ... (truncated)
>
> Affected versions: >= 5.2.0, <= 5.2.2
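The advisory's workaround is to set the development secret explicitly so it is no longer something an attacker can reconstruct; the exact config line is truncated on this page. As an added example (not code from the advisory, Dependabot or the Rails project), the Ruby script below shows why the default was guessable, a check that flags a secret equal to that default, and the random persisted secret that both the fix and the workaround rely on. It relies on the Rails 5.2 behaviour, taken from the Rails source rather than from this page, that an unset development or test `secret_key_base` fell back to `Digest::MD5.hexdigest` of the application class name (e.g. `"Blog::Application"`). The HMAC-SHA256 stands in for Rails' own signed-cookie and message-verifier internals; the app name, cookie payload and secret file path are constructed for the example.

```ruby
require "digest"
require "openssl"
require "securerandom"
require "tmpdir"

# Rails 5.2 before 5.2.2.1: with no secret_key_base configured in development
# or test, the framework fell back to Digest::MD5.hexdigest of the application
# class name (for `rails new blog` that is "Blog::Application"). Anyone who
# knows or guesses the app name can compute the same value offline.
def legacy_development_secret(app_class_name)
  Digest::MD5.hexdigest(app_class_name)
end

# Class names an attacker would try for a given app directory name; Rails
# camelizes the directory name, so "my_shop" becomes "MyShop::Application".
def candidate_app_class_names(app_dir_name)
  camel = app_dir_name.split(/[_\-\s]+/).map(&:capitalize).join
  ["#{camel}::Application"]
end

# Rails consumes the secret through keyed MACs (signed cookies, message
# verifiers). A bare HMAC-SHA256 stands in for those internals here.
def sign(secret, payload)
  OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
end

# Audit check for a configured app: does its secret equal the predictable
# legacy default for its class name?
def predictable_secret?(secret, app_class_name)
  secret == legacy_development_secret(app_class_name)
end

# Hardened replacement: a 64-byte random secret generated once and persisted so
# development sessions survive restarts. This mirrors the shape of the 5.2.2.1
# fix (a randomly generated development secret) and of the advisory's
# workaround (an explicit random secret in config); the file path is an
# assumption of this example, not a Rails path.
def persisted_development_secret(path)
  existing = File.exist?(path) ? File.read(path).strip : ""
  return existing unless existing.empty?
  secret = SecureRandom.hex(64)
  File.write(path, secret)
  secret
end

# Walk-through on a constructed app "blog": the attacker's candidate secrets
# reproduce the server's signature under the legacy default, but not once the
# server uses a random persisted secret.
def demo(dir = Dir.mktmpdir)
  cookie = "user_id=1" # constructed payload standing in for a signed cookie
  attacker_sigs = candidate_app_class_names("blog")
                    .map { |name| sign(legacy_development_secret(name), cookie) }

  legacy_server_secret = legacy_development_secret("Blog::Application")
  secret_file = File.join(dir, "development_secret.txt")
  hardened_server_secret = persisted_development_secret(secret_file)

  {
    forged_under_legacy_default: attacker_sigs.include?(sign(legacy_server_secret, cookie)),
    forged_under_random_secret:  attacker_sigs.include?(sign(hardened_server_secret, cookie)),
    legacy_flagged:   predictable_secret?(legacy_server_secret, "Blog::Application"),
    hardened_flagged: predictable_secret?(hardened_server_secret, "Blog::Application"),
    # a second read returns the same secret, so restarts keep sessions valid
    secret_persisted: persisted_development_secret(secret_file) == hardened_server_secret
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

To apply the check to a real app still on an affected release, compare `predictable_secret?` against the value the app actually uses (`Rails.application.secret_key_base` in a Rails console, with the app's own `Foo::Application` name); a `true` result means the development secret is the guessable default and the workaround or the upgrade to 5.2.2.1 is still outstanding.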
Changelog
*Sourced from [railties's changelog](https://github.com/rails/rails/blob/v5.2.2.1/railties/CHANGELOG.md).*
> ## Rails 5.2.2.1 (March 11, 2019) ##
>
> * No changes.
Commits
- [`e69ff43`](https://github.com/rails/rails/commit/e69ff43060c1194d2a3bd9b8d9e23f3ae26b84b5) Prep release
- [`7f5ccda`](https://github.com/rails/rails/commit/7f5ccda38bfecbe0bf00f15e5b8f5e40d52ab3f1) Fix possible dev mode RCE
- [`d7fac9c`](https://github.com/rails/rails/commit/d7fac9c09a535ec7f11bb9aa8addb4af37b7d4b5) Only accept formats from registered mime types
- See full diff in [compare view](https://github.com/rails/rails/compare/v5.2.2...v5.2.2.1)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.