Patch #37452

Update Rails to 6.1.6.1

Added by Azamat Hackimov about 1 month ago. Updated 28 days ago.

Status: Closed
Priority: Normal
Assignee: Go MAEDA
Start date:
Due date:
% Done: 0%
Category: Rails support
Target version: 5.0.3

Description

The Rails team released new versions of Rails that fix the CVE-2022-32224 security issue (https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017). The updated version is not backward compatible; the application should explicitly enable permitted classes for YAML serialization:

config.active_record.yaml_column_permitted_classes = [Symbol]

redmine-4.2.7-rails-yaml-safe_load.patch (1002 Bytes) Azamat Hackimov, 2022-07-17 12:27
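As an added example (not part of this issue or of Redmine's code), the Ruby below shows why the permitted-classes setting in the description is needed: Rails 6.1.6.1 loads serialized columns through YAML.safe_load, so a stored Symbol is refused until Symbol is on the allow-list. It assumes psych 3.1.0 or newer, the same requirement comment #3 raises for Ruby 2.5.

```ruby
require 'yaml'

# Constructed sample value, serialized the way ActiveRecord's YAML coder writes
# a Symbol-bearing Hash into a serialized column: "---\n:status: :active\n".
SERIALIZED_SYMBOL = { status: :active }.to_yaml

# Loads a serialized column value the way Rails 6.1.6.1 does: with YAML.safe_load,
# so only classes listed in permitted_classes may be instantiated (aliases are
# refused as well). Returns the loaded object, or the name of the exception
# raised when a class is refused.
def load_serialized(yaml, permitted_classes: [])
  YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: false)
rescue Psych::DisallowedClass => e
  e.class.name
end

# Empty allow-list: the Symbol inside the stored value is refused, which is the
# failure existing rows would hit after the upgrade without the config change.
def load_with_defaults
  load_serialized(SERIALIZED_SYMBOL)
end

# With Symbol permitted, as config.active_record.yaml_column_permitted_classes = [Symbol]
# does for every serialized column, the same value round-trips.
def load_with_symbol_permitted
  load_serialized(SERIALIZED_SYMBOL, permitted_classes: [Symbol])
end

if $PROGRAM_NAME == __FILE__
  puts load_with_defaults        # Psych::DisallowedClass
  p load_with_symbol_permitted   # {:status=>:active}
end
```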


Related issues

Copied to Redmine - Patch #37465: Update Rails to 5.2.8.1 Closed

Associated revisions

Revision 21718
Added by Go MAEDA 28 days ago

Update Rails to 6.1.6.1 (#37452).

Revision 21720
Added by Go MAEDA 28 days ago

Merged r21718 from trunk to 5.0-stable (#37452).

History

#1 Updated by Go MAEDA 28 days ago

  • Tracker changed from Feature to Patch
  • Subject changed from Update Rails to recent versions to Update Rails to 6.1.6.1
  • Category changed from Gems support to Rails support
  • Target version set to 5.0.3

#2 Updated by Go MAEDA 28 days ago

#3 Updated by Go MAEDA 28 days ago

To use Rails 6.1.6.1 on Ruby 2.5, psych must be updated to version 3.1.0 or higher. See "Rails 6.1.6.1 with Ruby 2.5 throws ArgumentError: unknown keywords: permitted_classes, aliases" (rails/rails issue #45590) for details.

Index: Gemfile
===================================================================
--- Gemfile    (リビジョン 21718)
+++ Gemfile    (作業コピー)
@@ -3,7 +3,7 @@
 ruby '>= 2.5.0', '< 3.2.0'
 gem 'bundler', '>= 1.12.0'

-gem 'rails', '6.1.6'
+gem 'rails', '6.1.6.1'
 gem 'globalid', '~> 0.4.2' if Gem.ruby_version < Gem::Version.new('2.6.0')
 gem 'rouge', '~> 3.28.0'
 gem 'request_store', '~> 1.5.0'
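Review bot: the version bump on its own does not cover the behaviour change the description calls out; with 6.1.6.1 serialized columns are loaded with YAML safe loading, so Symbol values in existing rows fail to load unless `config.active_record.yaml_column_permitted_classes = [Symbol]` (or the attached redmine-4.2.7-rails-yaml-safe_load.patch) lands in the same change. Please confirm the config change is committed alongside this Gemfile edit rather than left to the attachment.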
@@ -22,6 +22,7 @@
 gem 'net-smtp', '~> 0.3.0'
 gem 'net-imap', '~> 0.2.2'
 gem 'net-pop', '~> 0.1.1'
+gem 'psych', '>= 3.1.0' if Gem.ruby_version < Gem::Version.new('2.6.0')

 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :x64_mingw, :mswin]
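Review bot: add a one-line comment above the psych pin stating why it is conditional on Ruby < 2.6 (Rails 6.1.6.1 passes the permitted_classes and aliases keywords, which the psych bundled with Ruby 2.5 does not accept, per rails/rails issue #45590), matching how the tzinfo-data line documents its reason; without it the next reader cannot tell when the pin can be dropped.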

#5 Updated by Go MAEDA 28 days ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA

Updated Rails for trunk and 5.0-stable.
