Patch #37452
Update Rails to 6.1.6.1
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Rails support | | |
| Target version: | 5.0.3 | | |
Description
The Rails team released new versions of Rails that fix the CVE-2022-32224 security issue (https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017). The updated version is not backward compatible; the application should explicitly enable permitted classes for YAML serialization:
config.active_record.yaml_column_permitted_classes: [Symbol]
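As an added illustration (not Redmine's or Rails' own code) of what the allow-list above enforces, this standalone Ruby snippet calls Psych's restricted loader with the same `permitted_classes` and `aliases` keywords Rails 6.1.6.1 passes for serialized columns; the payloads are constructed samples and `load_serialized_column` is a hypothetical helper standing in for the column coder:

```ruby
require 'yaml'

# Allow-list matching the setting quoted in this patch's description.
# Psych's restricted loader only ever builds its basic types (String,
# Integer, Float, true/false/nil, Array, Hash) plus the classes listed here.
PERMITTED_COLUMN_CLASSES = [Symbol].freeze

# Hypothetical stand-in for the serialized-column coder: loads one column
# value through YAML.safe_load and reports [:ok, object] or [:rejected, why].
# A tag naming a class outside the allow-list, or a YAML alias, is refused
# before any object is constructed.
def load_serialized_column(yaml, permitted_classes: PERMITTED_COLUMN_CLASSES)
  obj = YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: false)
  [:ok, obj]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
end

# Constructed sample column contents (not taken from a real database).
# 1. What a legitimate column written by the app looks like: symbol keys/values.
SYMBOL_PAYLOAD = { status: :active, retries: 3 }.to_yaml
# 2. A tag naming a class outside the allow-list; Object stands in for any
#    class a tampered column might try to name.
FOREIGN_CLASS_PAYLOAD = "--- !ruby/object:Object {}\n"
# 3. An anchor/alias pair, which the restricted loader also refuses.
ALIAS_PAYLOAD = "---\na: &x [1]\nb: *x\n"

if __FILE__ == $PROGRAM_NAME
  [SYMBOL_PAYLOAD, FOREIGN_CLASS_PAYLOAD, ALIAS_PAYLOAD].each do |yaml|
    verdict, detail = load_serialized_column(yaml)
    puts "#{verdict}: #{detail.inspect}"
  end
  # Without Symbol in the allow-list, the new default rejects even the
  # legitimate column, which is why the config line above is required.
  p load_serialized_column(SYMBOL_PAYLOAD, permitted_classes: [])
end
```

Run with an upgraded psych (3.1.0 or later) the keywords resolve; on an older psych the call fails with the ArgumentError described in comment #3.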
Related issues
History
#2
Updated by Go MAEDA 22 days ago
- Copied to Patch #37465: Update Rails to 5.2.8.1 added
#3
Updated by Go MAEDA 22 days ago
To use Rails 6.1.6.1 on Ruby 2.5, psych must be updated to version 3.1.0 or higher. See "Rails 6.1.6.1 with Ruby 2.5 throws ArgumentError: unknown keywords: permitted_classes, aliases" (rails/rails issue #45590) for details.
Index: Gemfile
===================================================================
--- Gemfile (リビジョン 21718)
+++ Gemfile (作業コピー)
@@ -3,7 +3,7 @@
ruby '>= 2.5.0', '< 3.2.0'
gem 'bundler', '>= 1.12.0'
-gem 'rails', '6.1.6'
+gem 'rails', '6.1.6.1'
gem 'globalid', '~> 0.4.2' if Gem.ruby_version < Gem::Version.new('2.6.0')
gem 'rouge', '~> 3.28.0'
gem 'request_store', '~> 1.5.0'
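Review bot: the bump on the `gem 'rails'` line is only half of the upgrade the description calls for: 6.1.6.1 refuses YAML classes outside the allow-list, so this Gemfile change should land together with the `config.active_record.yaml_column_permitted_classes` setting quoted in the description, otherwise existing serialized columns holding Symbols stop loading after deployment. Also note that the `ruby '>= 2.5.0'` floor kept in this hunk is what makes a newer psych necessary on Ruby 2.5 (see comment #3 above); a sentence to that effect in the commit message would save the next reader a lookup.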
@@ -22,6 +22,7 @@
gem 'net-smtp', '~> 0.3.0'
gem 'net-imap', '~> 0.2.2'
gem 'net-pop', '~> 0.1.1'
+gem 'psych', '>= 3.1.0' if Gem.ruby_version < Gem::Version.new('2.6.0')
# Windows does not include zoneinfo files, so bundle the tzinfo-data gem
gem 'tzinfo-data', platforms: [:mingw, :x64_mingw, :mswin]
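Review bot: the added `gem 'psych', '>= 3.1.0'` line uses an open-ended constraint while the neighbouring gems (`net-smtp`, `net-imap`, `net-pop`, `globalid`) are all pinned pessimistically with `~>`; consider `gem 'psych', '~> 3.1' if Gem.ruby_version < Gem::Version.new('2.6.0')` so the Ruby 2.5 resolution stays within the tested major version. The line would also benefit from a one-line comment in the style of the tzinfo-data note just below it, e.g. `# Rails 6.1.6.1 needs psych >= 3.1.0 (permitted_classes keyword) on Ruby 2.5`, since the reason for the pin is otherwise only recorded in this issue.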