Update dependency activesupport to "~> 5.2.8.0" [SECURITY] #75
Open
renovate wants to merge 1 commit into master from renovate/rubygems-activesupport-vulnerability
Conversation
March 25, 2024 14:29 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 73dbac9 to 77d6c57
Mar 25, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
April 14, 2024 17:57 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 77d6c57 to 276d654
Apr 14, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
April 15, 2024 02:51 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 276d654 to 15fbb01
Apr 15, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
May 2, 2024 20:25 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 15fbb01 to 8d9e4f8
May 2, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
May 3, 2024 05:38 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 8d9e4f8 to fdfc83b
May 3, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
May 9, 2024 17:54 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from fdfc83b to 902975f
May 9, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
May 10, 2024 14:55 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 902975f to 83347e8
May 10, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
May 22, 2024 20:39 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 83347e8 to 5e1f849
May 22, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
May 23, 2024 20:48 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 5e1f849 to a5c40e0
May 23, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
June 27, 2024 14:54 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from a5c40e0 to 911ad95
Jun 27, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
June 28, 2024 02:17 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 911ad95 to 9f58976
Jun 28, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
July 14, 2024 23:34 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 9f58976 to 40ed8be
Jul 14, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
July 15, 2024 05:34 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 40ed8be to d0563e6
Jul 15, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
July 29, 2024 17:38 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from d0563e6 to e25b3e4
Jul 29, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
July 30, 2024 02:19 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from e25b3e4 to ded7dd8
Jul 30, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
Nov 18, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
November 19, 2024 05:43 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 2852347 to 6a85f73
Nov 19, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
December 3, 2024 23:47 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 6a85f73 to 071e3dc
Dec 3, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
December 6, 2024 02:52 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 071e3dc to 4097968
Dec 6, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
December 11, 2024 17:05 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 4097968 to d5ae42b
Dec 11, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
December 12, 2024 02:08 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from d5ae42b to c107b0d
Dec 12, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
December 19, 2024 05:51 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from c107b0d to 52101e0
Dec 19, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
December 21, 2024 20:35 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 52101e0 to 5dfc8ac
Dec 21, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
December 23, 2024 02:50 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 5dfc8ac to 77fb2c8
Dec 23, 2024 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
December 24, 2024 20:45 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 77fb2c8 to af3dafd
Dec 24, 2024 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
January 16, 2025 04:00 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from af3dafd to e2b76c9
Jan 16, 2025 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
January 17, 2025 22:48 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from e2b76c9 to d4dac41
Jan 17, 2025 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
January 24, 2025 01:45 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from d4dac41 to 7e4b606
Jan 24, 2025 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
January 24, 2025 01:46 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from 7e4b606 to b31efe6
Jan 24, 2025 - renovate bot changed the title from 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]' to 'Update dependency activesupport to v6 [SECURITY]'
February 1, 2025 02:58 - renovate bot force-pushed the renovate/rubygems-activesupport-vulnerability branch from b31efe6 to f86ce3d
Feb 1, 2025 - renovate bot changed the title from 'Update dependency activesupport to v6 [SECURITY]' to 'Update dependency activesupport to "~> 5.2.8.0" [SECURITY]'
This PR contains the following updates:
activesupport: "~> 5.2.4.3" -> "~> 5.2.8.0"
GitHub Vulnerability Alerts
CVE-2023-28120
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.
Versions Affected: All. Not affected: None. Fixed Versions: 7.0.4.3, 6.1.7.3
Impact
ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag should be removed to mark them as no longer being html_safe.
Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.
All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.
Workarounds
Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.
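The advisory's point is that every in-place mutator of a SafeBuffer must drop the html_safe tag, and that a mutator the library does not know about (here, the new bytesplice) silently keeps the tag. The following is an added example, not ActiveSupport's code: TaggedBuffer is a constructed stand-in for ActiveSupport::SafeBuffer, and escape_html, render and splice_untrusted are helpers invented for the illustration. It wires bytesplice into the unsafe-method list only when the running Ruby defines it, and falls back to the older []= mutator otherwise, so the same check runs on Ruby before and after 3.2.

```ruby
# Added example, not ActiveSupport's code: a minimal stand-in for
# ActiveSupport::SafeBuffer showing why every in-place mutation must drop the
# html_safe tag. Class, method list and helpers are constructed for this page.
class TaggedBuffer < String
  # In-place mutators that can introduce unescaped bytes. Ruby 3.2 added
  # `bytesplice`; CVE-2023-28120 was exactly the case of a new mutator missing
  # from such a list. Each is wired up only if the running Ruby defines it.
  UNSAFE_METHODS = [:<<, :concat, :insert, :prepend, :replace, :[]=,
                    :gsub!, :sub!, :bytesplice].freeze

  UNSAFE_METHODS.each do |name|
    next unless String.method_defined?(name)
    define_method(name) do |*args, &blk|
      @html_safe = false # the buffer may now contain untrusted bytes
      super(*args, &blk)
    end
  end

  def initialize(str = "", html_safe: false)
    super(str)
    @html_safe = html_safe
  end

  def html_safe?
    @html_safe == true
  end
end

# Escape the characters that matter in HTML text and attribute context.
HTML_ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
                 '"' => "&quot;", "'" => "&#39;" }.freeze

def escape_html(str)
  String.new(str).gsub(/[&<>"']/, HTML_ESCAPES)
end

# What a template engine does on output: a buffer still tagged html_safe
# passes through untouched; anything else is escaped as a whole.
def render(value)
  return String.new(value) if value.respond_to?(:html_safe?) && value.html_safe?
  escape_html(value)
end

# Replace `length` bytes at `offset` with untrusted input. Uses bytesplice on
# Ruby >= 3.2 and the older []= mutator otherwise; both must clear the tag.
def splice_untrusted(buf, offset, length, untrusted)
  if buf.respond_to?(:bytesplice)
    buf.bytesplice(offset, length, untrusted)
  else
    buf[offset, length] = untrusted
  end
  buf
end

if __FILE__ == $PROGRAM_NAME
  buf = TaggedBuffer.new("<b>hello</b>", html_safe: true)
  puts render(buf)                        # trusted markup emitted as-is
  splice_untrusted(buf, 3, 5, "<i>x</i>") # constructed untrusted input
  puts buf.html_safe?                     # false: tag dropped by the mutation
  puts render(buf)                        # whole buffer now escaped
end
```

The vulnerable behaviour is the complement of this: with bytesplice absent from the list, the tag would survive the splice and render would emit the untrusted bytes verbatim. The fix in the advisory is the one-line addition to the list; the workaround is never to reach that mutator with untrusted input on an html_safe string.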
CVE-2023-22796
There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.
Versions Affected: All. Not affected: None. Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact
A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
CVE-2023-38037
There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.
Versions Affected: >= 5.2.0. Not affected: < 5.2.0. Fixed Versions: 7.0.7.1, 6.1.7.5
Impact
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.
Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
To work around this issue, you can set your umask to be more restrictive like this:
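The advisory above describes a temporary file whose mode is left to the process umask. The following is an added example, not ActiveSupport::EncryptedFile's code: it contrasts a write that inherits the umask with one that requests mode 0600 at creation time, adds the audit check a reviewer would run over the temporary path, and shows the effect of the umask-tightening workaround on the weak variant. Function names, paths and contents are constructed for the illustration.

```ruby
# Added example, not ActiveSupport::EncryptedFile's code: temp-file modes that
# depend on umask versus an explicit 0600, plus the audit check.
require "tmpdir"

# Weak pattern: File.binwrite creates the file with mode 0666 & ~umask, so
# under the common umask 022 the result is 0644, readable by every local user.
def write_tmp_umask_dependent(path, contents)
  File.binwrite(path, contents)
  path
end

# Hardened pattern: request 0600 at creation time, independent of umask.
# O_EXCL additionally refuses a pre-existing file or symlink at that path.
def write_tmp_private(path, contents)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.binmode
    f.write(contents)
  end
  path
end

# Audit: any group or other permission bit set means other local users can
# read (or worse) the file while it exists.
def readable_by_others?(path)
  (File.stat(path).mode & 0o077) != 0
end

# Run a block under a given umask and restore the previous one afterwards;
# the page's workaround is to tighten the umask for the editing session.
def with_umask(mask)
  old = File.umask(mask)
  yield
ensure
  File.umask(old) if old
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir| # constructed scratch directory
    with_umask(0o022) do
      a = write_tmp_umask_dependent(File.join(dir, "credentials.yml"), "secret: 1\n")
      b = write_tmp_private(File.join(dir, "credentials-private.yml"), "secret: 1\n")
      [a, b].each do |p|
        printf "%s mode %04o readable by others: %s\n", File.basename(p),
               File.stat(p).mode & 0o777, readable_by_others?(p)
      end
    end
  end
end
```

Under umask 022 the first file ends up 0644 and fails the audit; the second is 0600 regardless. Raising the umask to 077 (the workaround the advisory points at) makes the first variant private too, but the fixed release makes the mode explicit so the outcome no longer depends on the environment.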
Release Notes
rails/rails (activesupport)
v5.2.8.1 (Compare Source)
Active Record
Change ActiveRecord::Coders::YAMLColumn default to safe_load.
This adds two new configuration options. The configuration options are as follows:
config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old "unsafe" YAML loading strategy, maintaining the existing behavior but leaving the possible escalation vulnerability in place. Setting this option to true is not recommended, but can aid in upgrading.
config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be deserialized by default. This option allows you to specify classes deemed "safe" in your application. For example, if your application uses Symbol and Time in serialized data, you can add Symbol and Time to the allowed list as follows:
[CVE-2022-32224]
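What the permitted-class list means at the Psych level, as an added example that is not Rails' YAMLColumn code and not the configuration snippet the changelog refers to: a constructed serialized column holding Symbol and Time values is rejected by YAML.safe_load until exactly those classes are permitted, while the legacy strategy that use_yaml_unsafe_load re-enables instantiates whatever the document names. deserialize_column and deserialize_column_unsafe are names invented for this illustration.

```ruby
# Added example, not Rails' code: the permitted-class list behind
# config.active_record.yaml_column_permitted_classes, shown with Psych directly.
require "yaml"

# A serialized column as a YAML coder would have dumped it: symbol keys, a
# symbol value and a Time. Constructed for this example.
SERIALIZED_COLUMN = "---\n:status: :active\n:seen_at: 2024-01-01 12:00:00 Z\n".freeze

# Safe strategy: only classes in `permitted_classes` may be instantiated.
# Anything else raises Psych::DisallowedClass, reported here as :rejected
# instead of silently materialising an arbitrary object.
def deserialize_column(yaml, permitted_classes: [])
  [:ok, YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: false)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Legacy "unsafe" strategy (what use_yaml_unsafe_load = true keeps): the
# document decides which classes get instantiated. YAML.load is the unsafe
# loader on Psych versions that predate YAML.unsafe_load.
def deserialize_column_unsafe(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

if __FILE__ == $PROGRAM_NAME
  p deserialize_column(SERIALIZED_COLUMN)                                   # rejected: Symbol
  p deserialize_column(SERIALIZED_COLUMN, permitted_classes: [Symbol])      # rejected: Time
  p deserialize_column(SERIALIZED_COLUMN, permitted_classes: [Symbol, Time]) # ok
end
```

The rejection is per class, so the allow-list should name only the classes the application actually stores; widening it to whatever makes the error go away recreates the problem the safe default was introduced to close.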
v5.2.8 (Compare Source)
Active Support
Fix tag helper regression. (Eileen Uchitelle)
v5.2.7.1 (Compare Source)
Active Support
Fix and add protections for XSS in ActionView::Helpers and ERB::Util. Add the method ERB::Util.xml_name_escape to escape dangerous characters in names of tags and names of attributes, following the specification of XML. (Álvaro Martín Fraguas)
Action View
Fix and add protections for XSS in ActionView::Helpers and ERB::Util. Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option :escape_attributes to :escape, to simplify by applying the option to the whole tag. (Álvaro Martín Fraguas)
Action Pack
Allow Content Security Policy DSL to generate for API responses. (Tim Wade)
v5.2.7 (Compare Source)
Active Support
Restore support to Ruby 2.2. (ojab)
Active Storage
Fix ActiveStorage.supported_image_processing_methods and ActiveStorage.unsupported_image_processing_arguments that were not being applied. (Rafael Mendonça França)
v5.2.6.3 (Compare Source)
Active Storage
Added image transformation validation via configurable allow-list. Variant now offers a configurable allow-list for transformation methods in addition to a configurable deny-list for arguments. [CVE-2022-21831]
v5.2.6.2 (Compare Source)
v5.2.6.1 (Compare Source)
Action Pack
Under certain circumstances, the middleware isn't informed that the response body has been fully closed, which results in request state not being fully reset before the next request. [CVE-2022-23633]
v5.2.6 (Compare Source)
Action Pack
Accept base64_urlsafe CSRF tokens to make forward compatible.
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes them difficult to deal with. For example, the common practice of sending the CSRF token to a browser in a client-readable cookie does not work properly out of the box: the value has to be url-encoded and decoded to survive transport.
In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens for backwards compatibility.
How the tokens are encoded is controlled by the action_controller.urlsafe_csrf_tokens config.
In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded. Attention: If you already upgraded your application to 5.2.5, set the config urlsafe_csrf_tokens to true, otherwise your form submission will start to fail during the deploy of this new version. If you are upgrading from 5.2.4.x, you don't need to change this configuration. (Scott Blum, Étienne Barrié)
v5.2.5 (Compare Source)
Active Storage
Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data. (George Claghorn)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.