Project

General

Profile

Actions

Patch #37452

closed

Update Rails to 6.1.7

Added by Azamat Hackimov over 2 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Rails support
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Rails team released new versions of rails that fixes CVE-2022-32224 security issue (https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017). Updated version is not backward compatible, application should explicitly enable permitted classes for YAML serialization:

config.active_record.yaml_column_permitted_classes: [Symbol]

Files


Related issues

Related to Redmine - Defect #37719: Broken serialized columns, if saved time was with Rails 4.2ClosedGo MAEDA

Actions
Copied to Redmine - Patch #37465: Update Rails to 5.2.8.1ClosedGo MAEDA

Actions
Actions #1

Updated by Go MAEDA over 2 years ago

  • Tracker changed from Feature to Patch
  • Subject changed from Update Rails to recent versions to Update Rails to 6.1.6.1
  • Category changed from Gems support to Rails support
  • Target version set to 5.0.3
Actions #2

Updated by Go MAEDA over 2 years ago

Actions #3

Updated by Go MAEDA over 2 years ago

To use Rails 6.1.6.1 on Ruby 2.5, psych must be updated to version 3.1.0 or higher. See Rails 6.1.6.1 with Ruby 2.5 throws ArgumentError: unknown keywords: permitted_classes, aliases · Issue #45590 · rails/rails for details.

Index: Gemfile
===================================================================
--- Gemfile    (リビジョン 21718)
+++ Gemfile    (作業コピー)
@@ -3,7 +3,7 @@
 ruby '>= 2.5.0', '< 3.2.0'
 gem 'bundler', '>= 1.12.0'

-gem 'rails', '6.1.6'
+gem 'rails', '6.1.6.1'
 gem 'globalid', '~> 0.4.2' if Gem.ruby_version < Gem::Version.new('2.6.0')
 gem 'rouge', '~> 3.28.0'
 gem 'request_store', '~> 1.5.0'
@@ -22,6 +22,7 @@
 gem 'net-smtp', '~> 0.3.0'
 gem 'net-imap', '~> 0.2.2'
 gem 'net-pop', '~> 0.1.1'
+gem 'psych', '>= 3.1.0' if Gem.ruby_version < Gem::Version.new('2.6.0')

 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :x64_mingw, :mswin]
Actions #5

Updated by Go MAEDA over 2 years ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA

Updated Rails for trunk and 5.0-stable.

Actions #6

Updated by Go MAEDA about 2 years ago

  • Subject changed from Update Rails to 6.1.6.1 to Update Rails to 6.1.7
Actions #7

Updated by Go MAEDA about 2 years ago

  • Related to Defect #37719: Broken serialized columns, if saved time was with Rails 4.2 added
Actions

Also available in: Atom PDF