[Security] Bump rails from 4.2.10 to 4.2.11 #452

Merged
merged 1 commit into from
Feb 15, 2019

Conversation

greysteil

Bumps rails from 4.2.10 to 4.2.11. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Broken Access Control vulnerability in Active Job
There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.

Impact

Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.

Vulnerable code will look something like this:

MyJob.perform_later(user_input)

All users running an affected release should either upgrade or use one of the workarounds immediately.

Patched versions: >= 4.2.11, < 5.0.0; >= 5.0.7.1, < 5.1.0; >= 5.1.6.1, < 5.2.0; >= 5.2.1.1
Unaffected versions: < 4.2.0

Commits
  • 474b739 Preparing for 4.2.11 release
  • 0cada53 Do not deserialize GlobalID objects that were not generated by Active Job
  • 22aec58 Tweak queue_classic and pg versions
  • 3e84bb3 Lock pg gem to < 0.21.0
  • 73b43c9 Fix tests on Mail 2.7.1
  • 3804d01 Update sidekiq
  • 06e2c91 Update lockfile to match Gemfile rake spec
  • 51b3394 Lock Sidekiq for < 5 for Ruby 2.2
  • 54a5e72 Leave rubygems at 2.6.13 because of YAML safe loading
  • 26a7dbe Lock rake to < 12.3.0 on Ruby 1.9.3
  • Additional commits viewable in compare view


Another security update PR that Dependabot generated against my fork. I won't create any more of these because it looks like you haven't merged the Rack one from earlier this month and I don't want to spam you with PRs, but I'd love you to use Dependabot to automate these. Ping me if you do and have any questions / I can help at all. :octocat:

Bumps [rails](https://github.com/rails/rails) from 4.2.10 to 4.2.11. **This update includes security fixes.**
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](rails/rails@v4.2.10...v4.2.11)

Signed-off-by: dependabot[bot] <support@dependabot.com>
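The advisory above says the bug is that Active Job handed user input to GlobalID for deserialization. To make the mechanism concrete, here is an added example (written for this page, not Rails' own code and not part of the PR) that models Active Job argument handling before and after commit 0cada53: in 4.2.10 a plain String job argument was offered to GlobalID::Locator.locate, so a user-supplied string of the form gid://... was resolved into a record; in 4.2.11 only the tagged hash that Active Job itself writes when it serializes a model is resolved. The Record struct, the RECORDS store and locate_gid are constructed stand-ins for a model, the database and GlobalID::Locator.

```ruby
# Added example, not Rails' own code: a minimal model of Active Job argument
# (de)serialization before and after the CVE-2018-16476 fix. The record store
# and locator below are constructed stand-ins, not the real GlobalID gem.

# Key Active Job uses to tag a GlobalID it serialized itself.
GLOBALID_KEY = "_aj_globalid"

# Constructed stand-in for a model with GlobalID support.
Record = Struct.new(:id, :email) do
  def to_global_id
    "gid://myapp/Record/#{id}"
  end
end

# Constructed record store; stands in for the database behind GlobalID::Locator.
RECORDS = {
  "gid://myapp/Record/1" => Record.new(1, "alice@example.com"),
  "gid://myapp/Record/2" => Record.new(2, "bob@example.com"),
}.freeze

# Stand-in for GlobalID::Locator.locate: nil when the string is not a known gid.
def locate_gid(str)
  RECORDS[str]
end

# Serialization is the same in both versions: a record becomes a tagged hash,
# anything else (here: a plain string) is stored as-is.
def serialize_argument(arg)
  arg.respond_to?(:to_global_id) ? { GLOBALID_KEY => arg.to_global_id } : arg
end

# 4.2.10 behaviour: every String is offered to the locator before being kept.
def deserialize_vulnerable(arg)
  case arg
  when String then locate_gid(arg) || arg
  when Hash   then arg.key?(GLOBALID_KEY) ? locate_gid(arg[GLOBALID_KEY]) : arg
  else arg
  end
end

# 4.2.11 behaviour: a String stays a String; only the tagged hash that
# Active Job wrote itself is resolved through the locator.
def deserialize_fixed(arg)
  case arg
  when String then arg
  when Hash   then arg.key?(GLOBALID_KEY) ? locate_gid(arg[GLOBALID_KEY]) : arg
  else arg
  end
end

# Runs one job argument through serialize -> deserialize with the given
# deserializer and reports whether a Record came back. This is the path
# MyJob.perform_later(user_input) takes between enqueue and perform.
def resolved_record?(deserializer, arg)
  deserializer.call(serialize_argument(arg)).is_a?(Record)
end

if __FILE__ == $PROGRAM_NAME
  legit_record = RECORDS["gid://myapp/Record/1"]
  user_string  = "gid://myapp/Record/2"   # constructed user-supplied input
  puts "model arg,  4.2.10: #{resolved_record?(method(:deserialize_vulnerable), legit_record)}"
  puts "model arg,  4.2.11: #{resolved_record?(method(:deserialize_fixed), legit_record)}"
  puts "string arg, 4.2.10: #{resolved_record?(method(:deserialize_vulnerable), user_string)}"
  puts "string arg, 4.2.11: #{resolved_record?(method(:deserialize_fixed), user_string)}"
end
```

Running it shows a model argument round-tripping to a Record under both versions, while a user-supplied string that merely looks like a gid is resolved to a Record only under the 4.2.10 logic; with the 4.2.11 logic it comes back unchanged as a String, which is the behaviour this bump restores. If a job is known to take free-form strings, passing them through as strings and looking records up explicitly inside perform keeps the job independent of this fix.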

@markets markets left a comment


This also supersedes #450 and #438 👍

@sseerrggii sseerrggii merged commit bf4a86b into coopdevs:develop Feb 15, 2019
@enricostano enricostano mentioned this pull request Feb 18, 2019