Update dependency rails to '~> 7.0.8.0' [SECURITY] - autoclosed #110
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
'~> 7.0.7.1'
->'~> 7.0.8.0'
GitHub Vulnerability Alerts
CVE-2024-26144
Possible Sensitive Session Information Leak in Active Storage
There is a possible sensitive session information leak in Active Storage. By
default, Active Storage sends a
Set-Cookie
header along with the user'ssession cookie when serving blobs. It also sets
Cache-Control
to public.Certain proxies may cache the Set-Cookie, leading to an information leak.
This vulnerability has been assigned the CVE identifier CVE-2024-26144.
Versions Affected: >= 5.2.0, < 7.1.0
Not affected: < 5.2.0, > 7.1.0
Fixed Versions: 7.0.8.1, 6.1.7.7
Impact
A proxy which chooses to caches this request can cause users to share
sessions. This may include a user receiving an attacker's session or vice
versa.
This was patched in 7.1.0 but not previously identified as a security
vulnerability.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.
Credits
Thanks to tyage for reporting this!
CVE-2024-26143
Possible XSS Vulnerability in Action Controller
There is a possible XSS vulnerability when using the translation helpers
(
translate
,t
, etc) in Action Controller. This vulnerability has beenassigned the CVE identifier CVE-2024-26143.
Versions Affected: >= 7.0.0.
Not affected: < 7.0.0
Fixed Versions: 7.1.3.1, 7.0.8.1
Impact
Applications using translation methods like
translate
, ort
on acontroller, with a key ending in "_html", a
:default
key which containsuntrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.
For example, impacted code will look something like this:
To reiterate the pre-conditions, applications must:
t
froma view)
_html
render
call)All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
Credits
Thanks to ooooooo_q for the patch and fix!
Release Notes
rails/rails (rails)
v7.0.8.1
: 7.0.8.1Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Fix possible XSS vulnerability with the
translate
method in controllersCVE-2024-26143
Active Job
Action Mailer
Action Cable
Active Storage
Disables the session in
ActiveStorage::Blobs::ProxyController
and
ActiveStorage::Representations::ProxyController
in order to allow caching by default in some CDNs as CloudFlare
Fixes #44136
Bruno Prieto
Action Mailbox
Action Text
Railties
v7.0.8
: 7.0.8Compare Source
Active Support
Fix
TimeWithZone
still using deprecated#to_s
whenENV
orconfig
todisable it are set.
Hartley McGuire
Fix CacheStore#write_multi when using a distributed Redis cache with a connection pool.
Fixes #48938.
Jonathan del Strother
Active Model
Active Record
Fix
change_column
not settingprecision: 6
ondatetime
columns whenusing 7.0+ Migrations and SQLite.
Hartley McGuire
Fix unscope is not working in specific case
Before:
After:
Fixes #48094.
Kazuya Hatanaka
Fix associations to a STI model including a
class_name
parameterSTI tables
Fix
change_table
setting datetime precision for 6.1 MigrationsHartley McGuire
Fix change_column setting datetime precision for 6.1 Migrations
Hartley McGuire
Action View
Fix
form_for
missing the hidden_method
input for models with anamespaced route.
Hartley McGuire
Fix
render collection: @​records, cache: true
insidejbuilder
templatesThe previous fix that shipped in
7.0.7
assumed template fragments are always strings,this isn't true with
jbuilder
.Jean Boussier
Action Pack
Fix
HostAuthorization
potentially displaying the value of theX_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
Hartley McGuire, Daniel Schlosser
Active Job
Fix Active Job log message to correctly report a job failed to enqueue
when the adapter raises an
ActiveJob::EnqueueError
.Ben Sheldon
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
Omit
webdrivers
gem dependency fromGemfile
templateSean Doyle
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.