Feature #33906
closed
Added by Mischa The Evil over 3 years ago.
Updated about 3 years ago.
Description
As released on May 18, 2020 with the following announcement:
Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.
Both releases contain the following fixes:
[CVE-2020-8162] Circumvention of file size limits in ActiveStorage
[CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
[CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
[CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
[CVE-2020-8167] CSRF Vulnerability in rails-ujs
Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.
I'll set this issue to private given the possible implications.
Files
Thank you for reporting the issue. I had missed the release.
Mischa The Evil wrote:
Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.
Do you know how to build a new public/javascripts/jquery-*-ui-*-ujs-*.js?
Go MAEDA wrote:
Mischa The Evil wrote:
Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.
Do you know how to build a new public/javascripts/jquery-*-ui-*-ujs-*.js?
I do not, though given the remaining1 history, I think Marius should be able to tell this.
- Target version set to 4.0.8
I manually maintain public/javascripts/jquery-*-ui-*-ujs-*.js? by replacing the old versions of the JS libraries with the new versions.
Regarding rails-ujs, the file is part of the actionview gem and the new version can be found in lib/assets/compiled/rails-ujs.js, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non minified until we adopt a JS package tool to manage the dependencies.
Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.
- Assignee set to Jean-Philippe Lang
JPL committed the patch for updating Rails to 5.2.4.4 five month ago (r20109). As it's no longer a thing, shall we close this issue and perhaps #34062, too?
Marius BALTEANU wrote:
I manually maintain public/javascripts/jquery-*-ui-*-ujs-*.js? by replacing the old versions of the JS libraries with the new versions.
Regarding rails-ujs, the file is part of the actionview gem and the new version can be found in lib/assets/compiled/rails-ujs.js, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non minified until we adopt a JS package tool to manage the dependencies.
Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.
Okay, didn't read that beforehand. Sorry. Reading before writing is always a good habit. *facepalm*
- Subject changed from Update to Rails 5.2.4.3 to Update to Rails 5.2.4.5
- Status changed from New to Resolved
- Resolution set to Fixed
Committed the patches. Thank you.
- Status changed from Resolved to Closed
- Private changed from Yes to No
- Tracker changed from Defect to Feature
- Subject changed from Update to Rails 5.2.4.5 to Upgrade Rails to 5.2.4.5
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by