Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Bump activerecord from 4.2.10 to 6.1.4 #112

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot-preview[bot]
Copy link

Bumps activerecord from 4.2.10 to 6.1.4. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Possible DoS Vulnerability in Active Record PostgreSQL adapter There is a possible DoS vulnerability in the PostgreSQL adapter in Active Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

Versions Affected: >= 4.2.0 Not affected: < 4.2.0 Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5

Impact

Carefully crafted input can cause the input validation in the "money" type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Workarounds

In the case a patch can't be applied, the following monkey patch can be used in an initializer:

... (truncated)

Patched versions: ~> 5.2.4.5; ~> 6.0.3.5; >= 6.1.2.1 Unaffected versions: < 4.2.0

Sourced from The Ruby Advisory Database.

Possible DoS Vulnerability in Active Record PostgreSQL adapter There is a possible DoS vulnerability in the PostgreSQL adapter in Active Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

Versions Affected: >= 4.2.0 Not affected: < 4.2.0 Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5

Impact

Carefully crafted input can cause the input validation in the "money" type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Workarounds

In the case a patch can't be applied, the following monkey patch can be used in an initializer:

... (truncated)

Patched versions: ~> 5.2.4, >= 5.2.4.5; ~> 6.0.3.5; >= 6.1.2.1 Unaffected versions: < 4.2.0

Sourced from The Ruby Advisory Database.

Possible DoS Vulnerability in Active Record PostgreSQL adapter There is a possible DoS vulnerability in the PostgreSQL adapter in Active Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

Versions Affected: >= 4.2.0 Not affected: < 4.2.0 Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5

Impact

Carefully crafted input can cause the input validation in the "money" type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Workarounds

In the case a patch can't be applied, the following monkey patch can be used in an initializer:

... (truncated)

Patched versions: ~> 5.2.4, >= 5.2.4.5; ~> 6.0.3, >= 6.0.3.5; >= 6.1.2.1 Unaffected versions: < 4.2.0

Release notes

Sourced from activerecord's releases.

6.1.4

Active Support

  • MemCacheStore: convert any underlying value (including false) to an Entry.

    See #42559.

    Alex Ghiculescu

  • Fix bug in number_with_precision when using large BigDecimal values.

    Fixes #42302.

    Federico Aldunate, Zachary Scott

  • Check byte size instead of length on secure_compare.

    Tietew

  • Fix Time.at to not lose :in option.

    Ryuta Kamizono

  • Require a path for config.cache_store = :file_store.

    Alex Ghiculescu

  • Avoid having to store complex object in the default translation file.

    Rafael Mendonça França

Active Model

  • Fix to_json for ActiveModel::Dirty object.

    Exclude +mutations_from_database+ attribute from json as it lead to recursion.

    Anil Maurya

Active Record

  • Do not try to rollback transactions that failed due to a ActiveRecord::TransactionRollbackError.

    Jamie McCarthy

... (truncated)

Changelog

Sourced from activerecord's changelog.

Rails 6.1.4 (June 24, 2021)

  • Do not try to rollback transactions that failed due to a ActiveRecord::TransactionRollbackError.

    Jamie McCarthy

  • Raise an error if pool_config is nil in set_pool_config.

    Eileen M. Uchitelle

  • Fix compatibility with psych >= 4.

    Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility Active Record's schema cache loader and YAMLColumn now uses YAML.unsafe_load if available.

    Jean Boussier

  • Support using replicas when using rails dbconsole.

    Christopher Thornton

  • Restore connection pools after transactional tests.

    Eugene Kenny

  • Change upsert_all to fails cleanly for MySQL when :unique_by is used.

    Bastian Bartmann

  • Fix user-defined self.default_scope to respect table alias.

    Ryuta Kamizono

  • Clear @cache_keys cache after update_all, delete_all, destroy_all.

    Ryuta Kamizono

  • Changed Arel predications contains and overlaps to use quoted_node so that PostgreSQL arrays are quoted properly.

    Bradley Priest

  • Fix merge when the where clauses have string contents.

    Ryuta Kamizono

  • Fix rollback of parent destruction with nested dependent: :destroy.

    Jacopo Beschi

... (truncated)

Commits
  • 8321702 Preparing for 6.1.4 release
  • e71539c Update CHANGELOG
  • 8877b88 Merge pull request #42153 from kevinsjoberg/ignore-file-fixtures-on-load
  • 53be325 Merge pull request #42579 from eileencodes/fix-nil-pool_config-in-legacy-hand...
  • 13cc5f8 Merge pull request #42578 from eileencodes/fix-nil-pool-config-test
  • 36d4ee7 Merge pull request #42060 from Tonkpils/tonkpils/fix-enlist-fixture-connections
  • 871c82d Set the config in the right object
  • 8929f6f Merge pull request #42537 from eileencodes/fix-nil-pool-config
  • 57053ad Merge pull request #30922
  • 96a3611 Merge pull request #41528 from yahonda/pg_where_with_set
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Bumps [activerecord](https://github.com/rails/rails) from 4.2.10 to 6.1.4. **This update includes security fixes.**
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v6.1.4/activerecord/CHANGELOG.md)
- [Commits](rails/rails@v4.2.10...v6.1.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jun 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants