Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🚨 [security] Upgrade devise: 4.5.0 → 4.7.1 (minor) #147

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

🚨 [security] Upgrade devise: 4.5.0 → 4.7.1 (minor) #147

wants to merge 1 commit into from

Conversation

depfu[bot]
Copy link
Contributor

@depfu depfu bot commented Sep 10, 2019

🚨 Your version of devise has known security vulnerabilities 🚨

Advisory: CVE-2019-16109
Disclosed: September 08, 2019
URL: https://github.com/plataformatec/devise/issues/5071

Devise Gem for Ruby confirmation token validation with a blank string

Devise before 4.7.1 confirms accounts upon receiving a request with a blank
confirmation_token, if a database record has a blank value in the confirmation_token column.
However, there is no scenario within Devise itself in which such database records would exist.


🚨 We recommend to merge and deploy this update as soon as possible! 🚨

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ devise (4.5.0 → 4.7.1) · Repo · Changelog

Release Notes

4.7.1 (from changelog)

  • bug fixes
    • Fix an edge case where records with a blank confirmation_token could be confirmed (by @tegon)
    • Fix typo inside update_needs_confirmation i18n key (by @lslm)

4.7.0 (from changelog)

  • enhancements

    • Support Rails 6.0
    • Update CI to rails 6.0.0.beta3 (by @tunnes)
    • refactor method name to be more consistent (by @saiqulhaq)
    • Fix rails 6.0.rc1 email uniqueness validation deprecation warning (by @Vasfed)

  • bug fixes

    • Add autocomplete="new-password" to password_confirmation fields (by @ferrl)
    • Fix rails_51_and_up? method for Rails 6.rc1 (by @igorkasyanchuk)

4.6.2 (from changelog)

  • bug fixes
    • Revert "Set encrypted_password to nil when password is set to nil" since it broke backward compatibility with existing applications. See more on #5033 (comment) (by @mracos)

4.6.1 (from changelog)

  • bug fixes
    • Check if root_path is defined with #respond_to? instead of #present (by @tegon)

4.6.0 (from changelog)

  • enhancements

    • Allow to skip email and password change notifications (by @iorme1)
    • Include the use of nil for allow_unconfirmed_access_for in the docs (by @joaumg)
    • Ignore useless files into the .gem file (by @huacnlee)
    • Explain the code that prevents enumeration attacks inside Devise::Strategies::DatabaseAuthenticatable (by @tegon)
    • Refactor the devise_error_messages! helper to render a partial (by @prograhamer)
    • Add an option (Devise.sign_in_after_change_password) to not automatically sign in a user after changing a password (by @knjko)

  • bug fixes

    • Fix missing comma in Simple Form generator (by @colinross)
    • Fix error with migration generator in Rails 6 (by @oystersauce8)
    • Set encrypted_password to nil when password is set to nil (by @sivagollapalli)
    • Consider whether the request supports flash messages inside Devise::Controllers::Helpers#is_flashing_format? (by @colinross)
    • Fix typo inside Devise::Generators::ControllersGenerator (by @kopylovvlad)
    • Sanitize parameters inside Devise::Models::Authenticatable#find_or_initialize_with_errors (by @rlue)
    • #after_database_authentication callback was not called after authentication on password reset (by @kanmaniselvan)
    • Fix corner case when #confirmation_period_valid? was called at the same second as confirmation_sent_at was set. Mostly true for date types that only have second precisions. (by @stanhu)
    • Fix unclosed li tag in error_messages partial (by @mracos)
    • Fix Routes issue when devise engine is mounted in another engine on Rails versions lower than 5.1 (by @a-barbieri)
    • Make #increment_failed_attempts concurrency safe (by @tegon)
    • Apply Test Helper fix to Rails 6.0 as well as 5.x (by @matthewrudy)

  • deprecations

    • The second argument of DatabaseAuthenticatable's #update_with_password and #update_without_password is deprecated and will be removed in the next major version. It was added to support a feature deprecated in Rails 4, so you can safely remove it from your code. (by @ihatov08)
    • The DeviseHelper.devise_error_messages! is deprecated and will be removed in the next major version. Use the devise/shared/error_messages partial instead. (by @mracos)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ bcrypt (indirect, 3.1.12 → 3.1.13) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 36 commits:

↗️ nokogiri (indirect, 1.10.1 → 1.10.4) · Repo · Changelog

Release Notes

1.10.4

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is #1915

1.10.3

1.10.3 / 2019-04-22

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

1.10.2

1.10.2 / 2019-03-24

Security

  • [MRI] Remove support from vendored libxml2 for future script macros. [#1871]
  • [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877]

Bug fixes

  • [JRuby] Fix node ownership in duplicated documents. [#1060]
  • [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, #1872] (Thanks, @adjam!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-html-sanitizer (indirect, 1.0.4 → 1.2.0) · Repo · Changelog

Release Notes

1.2.0

  • Remove needless white_list_sanitizer deprecation.

    By deprecating this, we were forcing Rails 5.2 to be updated or spew
    deprecations that users could do nothing about.

    That's pointless and I'm sorry for adding that!

    Now there's no deprecation warning and Rails 5.2 works out of the box, while
    Rails 6 can use the updated naming.

    Kasper Timm Hansen

1.1.0

  • Add safe_list_sanitizer and deprecate white_list_sanitizer to be removed
    in 1.2.0. #87

    Juanito Fatas

  • Remove href from LinkScrubber's tags as it's not an element.
    #92

    Juanito Fatas

  • Explain that we don't need to bump Loofah here if there's CVEs.
    d4d823c

    Kasper Timm Hansen

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ rake (indirect, 12.3.2 → 12.3.3) · Repo · Changelog

Release Notes

12.3.3 (from changelog)

Bug fixes

  • Use the application's name in error message if a task is not found. Pull Request #303 by tmatilai

Enhancements:

  • Use File.open explicitly.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ responders (indirect, 2.4.0 → 2.4.1) · Repo · Changelog

Release Notes

2.4.1 (from changelog)

  • Add support for Rails 6 beta

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Sep 10, 2019
@depfu depfu bot mentioned this pull request Sep 10, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
depfu
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants