sequencescape
sequencescape copied to clipboard
sanger
🚨 [security] [ruby] Update rails 6.1.7.8 → 7.0.8.1 (major)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ rails (6.1.7.8 → 7.0.8.1) · Repo
Security Advisories 🚨
🚨 Rails has possible XSS Vulnerability in Action Controller
Possible XSS Vulnerability in Action Controller
There is a possible XSS vulnerability when using the translation helpers
(translate,t, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.Versions Affected: >= 7.0.0.
Not affected: < 7.0.0
Fixed Versions: 7.1.3.1, 7.0.8.1Impact
Applications using translation methods like
translate, orton a
controller, with a key ending in "_html", a:defaultkey which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.For example, impacted code will look something like this:
class ArticlesController < ApplicationController def show @message = t("message_html", default: untrusted_input) # The `show` template displays the contents of `@message` end endTo reiterate the pre-conditions, applications must:
- Use a translation function from a controller (i.e. not I18n.t, or
tfrom
a view)- Use a key that ends in
_html- Use a default value where the default value is untrusted and unescaped input
- Send the text to the victim (whether that's part of a template, or a
rendercall)All users running an affected release should either upgrade or use one of the
workarounds immediately.Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
- 7-0-translate-xss.patch - Patch for 7.0 series
- 7-1-translate-xss.patch - Patch for 7.1 series
Credits
Thanks to ooooooo_q for the patch and fix!
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actioncable (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionmailbox (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
↗️ actionmailer (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
Security Advisories 🚨
🚨 Possible ReDoS vulnerability in block_format in Action Mailer
There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.
Impact
Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
Users can avoid calling the
block_formathelper or upgrade to Ruby 3.2Credits
Thanks to ooooooo_q for the report!
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionpack (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
Security Advisories 🚨
🚨 Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.
Impact
For applications using HTTP Token authentication via
authenticate_or_request_with_http_tokenor similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
Users on Ruby 3.2 are unaffected by this issue.
Credits
Thanks to scyoon for reporting
🚨 Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.
Impact
Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
Users on Ruby 3.2 are unaffected by this issue.
Credits
Thanks to scyoon for the report and patches!
🚨 Rails has possible XSS Vulnerability in Action Controller
Possible XSS Vulnerability in Action Controller
There is a possible XSS vulnerability when using the translation helpers
(translate,t, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.Versions Affected: >= 7.0.0.
Not affected: < 7.0.0
Fixed Versions: 7.1.3.1, 7.0.8.1Impact
Applications using translation methods like
translate, orton a
controller, with a key ending in "_html", a:defaultkey which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.For example, impacted code will look something like this:
class ArticlesController < ApplicationController def show @message = t("message_html", default: untrusted_input) # The `show` template displays the contents of `@message` end endTo reiterate the pre-conditions, applications must:
- Use a translation function from a controller (i.e. not I18n.t, or
tfrom
a view)- Use a key that ends in
_html- Use a default value where the default value is untrusted and unescaped input
- Send the text to the victim (whether that's part of a template, or a
rendercall)All users running an affected release should either upgrade or use one of the
workarounds immediately.Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
- 7-0-translate-xss.patch - Patch for 7.0 series
- 7-1-translate-xss.patch - Patch for 7.1 series
Credits
Thanks to ooooooo_q for the patch and fix!
🚨 Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
The
redirect_tomethod in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
Impact
This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).
Releases
The FIXED releases are available at the normal locations.
Workarounds
Avoid providing user supplied URLs with arbitrary schemes to the
redirect_tomethod.
🚨 ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.
Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
ImpactSpecially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
ReleasesThe FIXED releases are available at the normal locations.
WorkaroundsWe recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious X_FORWARDED_HOST headers before they reach the application.
PatchesTo aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
6-1-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 6.1 series 7-0-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 7.0 seriesPlease note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
🚨 ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.
Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
ReleasesThe FIXED releases are available at the normal locations.
WorkaroundsWe recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.
Users on Ruby 3.2.0 or greater are not affected by this vulnerability.
PatchesTo aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series 7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 seriesPlease note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
🚨 Open Redirect Vulnerability in Action Pack
There is a vulnerability in Action Controller’s redirect_to. This vulnerability has been assigned the CVE identifier CVE-2023-22797.
Versions Affected: >= 7.0.0 Not affected: < 7.0.0 Fixed Versions: 7.0.4.1
ImpactThere is a possible open redirect when using the redirect_to helper with untrusted user input.
Vulnerable code will look like this:
redirect_to(params[:some_param])Rails 7.0 introduced protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could be bypassed by a carefully crafted URL.
All users running an affected release should either upgrade or use one of the workarounds immediately.
ReleasesThe FIXED releases are available at the normal locations.
WorkaroundsThere are no feasible workarounds for this issue.
PatchesTo aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
7-0-Fix-sec-issue-with-_url_host_allowed.patch - Patch for 7.0 seriesPlease note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
🚨 Cross-site Scripting Vulnerability in Action Pack
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2022-22577.Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1Impact
CSP headers were only sent along with responses that Rails considered as
"HTML" responses. This left API requests without CSP headers, which could
possibly expose users to XSS attacks.Releases
The FIXED releases are available at the normal locations.
Workarounds
Set a CSP for your API responses manually.
🚨 Exposure of information in Action Pack
Impact
Under certain circumstances response bodies will not be closed, for example a bug in a webserver or a bug in a Rack middleware. In the event a response is not notified of a
close,ActionDispatch::Executorwill not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting withActiveSupport::CurrentAttributes.Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.
Patches
This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
Workarounds
Upgrading is highly recommended, but to work around this problem the following middleware can be used:
class GuardedExecutor < ActionDispatch::Executor def call(env) ensure_completed! super endprivate
<span class="pl-k">def</span> <span class="pl-en">ensure_completed!</span> <span class="pl-c1">@executor</span><span class="pl-kos">.</span><span class="pl-en">new</span><span class="pl-kos">.</span><span class="pl-en">complete!</span> <span class="pl-k">if</span> <span class="pl-c1">@executor</span><span class="pl-kos">.</span><span class="pl-en">active?</span> <span class="pl-k">end</span>end
# Ensure the guard is inserted before ActionDispatch::Executor Rails.application.configure do config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor end
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actiontext (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
Security Advisories 🚨
🚨 Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.
Impact
Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
Users can avoid calling
plain_text_for_blockquote_nodeor upgrade to Ruby 3.2Credits
Thanks to ooooooo_q for the report!
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionview (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
Security Advisories 🚨
🚨 rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements
NOTE: rails-ujs is part of Rails/actionview since 5.1.0.
There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
assigned the contenteditable attribute. This has the potential to
occur when pasting malicious HTML content from the clipboard that
includes a data-method, data-remote or data-disable-with attribute.This vulnerability has been assigned the CVE identifier CVE-2023-23913.
Not affected: < 5.1.0
Versions Affected: >= 5.1.0
Fixed Versions: 6.1.7.3, 7.0.4.3Impact
If the specified malicious HTML clipboard content is provided to a
contenteditable element, this could result in the arbitrary execution
of javascript on the origin in question.Releases
The FIXED releases are available at the normal locations.Workarounds
We recommend that all users upgrade to one of the FIXED versions.
In the meantime, users can attempt to mitigate this vulnerability
by removing the contenteditable attribute from elements in pages
that rails-ujs will interact with.Patches
To aid users who aren’t able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am
format and consist of a single changeset.
- rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series
- rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series
Please note that only the 7.0.Z and 6.1.Z series are
supported at present, and 6.0.Z for severe vulnerabilities.Users of earlier unsupported releases are advised to upgrade as
soon as possible as we cannot guarantee the continued availability
of security fixes for unsupported releases.Credits
We would like to thank ryotak 15 for reporting this!
- rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB)
- rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB)
- rails-ujs-data-method-contenteditable-main.patch (8.9 KB)
🚨 XSS Vulnerability in Action View tag helpers
There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2022-27777.
Versions Affected: ALL
Not affected: NONE
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1Impact
If untrusted data is passed as the hash key for tag attributes, there is a possibility that the untrusted data may not be properly escaped which can lead to an XSS vulnerability.
Impacted code will look something like this:
check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })Where the "malicious_input" variable contains untrusted data.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
Escape the untrusted data before using it as a key for tag helper methods.
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activejob (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activemodel (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activerecord (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
Security Advisories 🚨
🚨 Denial of Service Vulnerability in ActiveRecord's PostgreSQL adapter
There is a potential denial of service vulnerability present in ActiveRecord’s PostgreSQL adapter.
This has been assigned the CVE identifier CVE-2022-44566.
Versions Affected: All. Not affected: None. Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact:
In ActiveRecord <7.0.4.1 and <6.1.7.1, when a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.
ReleasesThe fixed releases are available at the normal locations.
WorkaroundsEnsure that user supplied input which is provided to ActiveRecord clauses do not contain integers wider than a signed 64bit representation or floats.
PatchesTo aid users who aren’t able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy 1 regarding security issues. They are in git-am format and consist of a single changeset.
6-1-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 6.1 series 7-0-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 7.0 series
🚨 SQL Injection Vulnerability via ActiveRecord comments
There is a possible vulnerability in ActiveRecord related to the sanitization of comments. This vulnerability has been assigned the CVE identifier CVE-2023-22794.
Versions Affected: >= 6.0.0 Not affected: < 6.0.0 Fixed Versions: 6.0.6.1, 6.1.7.1, 7.0.4.1
ImpactPreviously the implementation of escaping for comments was insufficient for
If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment.
In most cases these interfaces won’t be used with user input and users should avoid doing so.
Example vulnerable code:
Post.where(id: 1).annotate("#{params[:user_input]}")Post.where(id: 1).optimizer_hints("#{params[:user_input]}")
Example vulnerable QueryLogs configuration (the default configuration is not vulnerable):
config.active_record.query_log_tags = [ { something: -> { <some value including user input> } } ]All users running an affected release should either upgrade or use one of the workarounds immediately.
ReleasesThe FIXED releases are available at the normal locations.
WorkaroundsAvoid passing user input to annotate and avoid using QueryLogs configuration which can include user input.
PatchesTo aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
6-0-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 6.0 series 6-1-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 6.1 series 7-0-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 7.0 seriesPlease note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
🚨 Active Record RCE bug with Serialized Columns
When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.
There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activestorage (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
Security Advisories 🚨
🚨 Rails has possible Sensitive Session Information Leak in Active Storage
Possible Sensitive Session Information Leak in Active Storage
There is a possible sensitive session information leak in Active Storage. By
default, Active Storage sends aSet-Cookieheader along with the user's
session cookie when serving blobs. It also setsCache-Controlto public.
Certain proxies may cache the Set-Cookie, leading to an information leak.This vulnerability has been assigned the CVE identifier CVE-2024-26144.
Versions Affected: >= 5.2.0, < 7.1.0
Not affected: < 5.2.0, > 7.1.0
Fixed Versions: 7.0.8.1, 6.1.7.7Impact
A proxy which chooses to caches this request can cause users to share
sessions. This may include a user receiving an attacker's session or vice
versa.This was patched in 7.1.0 but not previously identified as a security
vulnerability.All users running an affected release should either upgrade or use one of the
workarounds immediately.Releases
The fixed releases are available at the normal locations.
Workarounds
Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.Credits
Thanks to tyage for reporting this!
🚨 Possible code injection vulnerability in Rails / Active Storage
The Active Storage module of Rails starting with version 5.2.0 is possibly vulnerable to code injection. This issue was patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict ImageMagick security policy will help mitigate this issue.
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activesupport (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
Security Advisories 🚨
🚨 Active Support Possibly Discloses Locally Encrypted Files
There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.
Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5
Impact
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.
Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
To work around this issue, you can set your umask to be more restrictive like this:
$ umask 0077
🚨 Possible XSS Security Vulnerability in SafeBuffer#bytesplice
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3
Impact
ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.
Workarounds
Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.
🚨 ReDoS based DoS vulnerability in Active Support's underscore
There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.
Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
ImpactA specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.
All users running an affected release should either upgrade or use one of the workarounds immediately.
ReleasesThe FIXED releases are available at the normal locations.
WorkaroundsThere are no feasible workarounds for this issue.
Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.
PatchesTo aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 6.1 series 7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 7.0 seriesPlease note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ net-imap (indirect, 0.4.14 → 0.5.0) · Repo
Release Notes
0.5.0
More info than we can show here.
0.4.17
More info than we can show here.
0.4.16
More info than we can show here.
0.4.15
More info than we can show here.
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ rack (indirect, 2.2.9 → 2.2.10) · Repo · Changelog
Release Notes
2.2.10 (from changelog)
More info than we can show here.
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ railties (indirect, 6.1.7.8 → 7.0.8.1) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ zeitwerk (indirect, 2.6.18 → 2.7.1) · Repo · Changelog
Release Notes
2.7.1 (from changelog)
More info than we can show here.
2.7.0 (from changelog)
More info than we can show here.
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
🗑️ sprockets (removed)
🗑️ sprockets-rails (removed)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
- @depfu rebase
- Rebases against your default branch and redoes this update
- @depfu recreate
- Recreates this PR, overwriting any edits that you've made to it
- @depfu merge
- Merges this PR once your tests are passing and conflicts are resolved
- @depfu cancel merge
- Cancels automatic merging of this PR
- @depfu close
- Closes this PR and deletes the branch
- @depfu reopen
- Restores the branch and reopens this PR (if it's closed)
- @depfu pause
- Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]
- Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume
- Future versions of this dependency will create PRs again (leaves this PR as is)
![depfu[bot] avatar](https://avatars.githubusercontent.com/in/715?v=4 "Published by a pub.dev verified publisher"){kind=small}