Project

General

Profile

Actions

Feature #33906

closed

Upgrade Rails to 5.2.4.5

Added by Mischa The Evil over 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

As released on May 18, 2020 with the following announcement:

Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

[CVE-2020-8162] Circumvention of file size limits in ActiveStorage
[CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
[CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
[CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
[CVE-2020-8167] CSRF Vulnerability in rails-ujs

Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.

I'll set this issue to private given the possible implications.


Files


Related issues

Has duplicate Redmine - Feature #34062: Upgrade Rails to 5.2.4.5ClosedGo MAEDA

Actions
Actions

Also available in: Atom PDF