Update dependency rails to v6.1.7.7 [SECURITY] #2652
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
6.1.7.3->6.1.7.7GitHub Vulnerability Alerts
CVE-2024-26144
Possible Sensitive Session Information Leak in Active Storage
There is a possible sensitive session information leak in Active Storage. By
default, Active Storage sends a
Set-Cookieheader along with the user'ssession cookie when serving blobs. It also sets
Cache-Controlto public.Certain proxies may cache the Set-Cookie, leading to an information leak.
This vulnerability has been assigned the CVE identifier CVE-2024-26144.
Versions Affected: >= 5.2.0, < 7.1.0
Not affected: < 5.2.0, > 7.1.0
Fixed Versions: 7.0.8.1, 6.1.7.7
Impact
A proxy which chooses to caches this request can cause users to share
sessions. This may include a user receiving an attacker's session or vice
versa.
This was patched in 7.1.0 but not previously identified as a security
vulnerability.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.
Credits
Thanks to tyage for reporting this!
Release Notes
rails/rails (rails)
v6.1.7.7: 6.1.7.7Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Disables the session in
ActiveStorage::Blobs::ProxyControllerand
ActiveStorage::Representations::ProxyControllerin order to allow caching by default in some CDNs as CloudFlare
Fixes #44136
Bruno Prieto
Action Mailbox
Action Text
Railties
v6.1.7.6Compare Source
No changes between this and 6.1.7.5. This release was just to fix file permissions in the previous release.
v6.1.7.5: 6.1.7.5 ReleaseCompare Source
Active Support
Use a temporary file for storing unencrypted files while editing
[CVE-2023-38037]
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.4Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Raise an exception if illegal characters are provide to redirect_to
[CVE-2023-28362]
Zack Deveau
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.