Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🚨 [security] Update railties 7.0.6 → 7.0.8 (patch) #551

Merged
merged 1 commit into from
Jan 3, 2024

Conversation

depfu[bot]
Copy link
Contributor

@depfu depfu bot commented Sep 10, 2023


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ railties (7.0.6 → 7.0.8) · Repo · Changelog

Release Notes

7.0.8 (from changelog)

  • Omit webdrivers gem dependency from Gemfile template

    Sean Doyle

7.0.7.2 (from changelog)

  • No changes.

7.0.7.1 (from changelog)

  • No changes.

7.0.7 (from changelog)

  • Update default scaffold templates to set 303 (See Other) as status code on redirect for the update action for XHR requests other than GET or POST to avoid issues (e.g browsers trying to follow the redirect using the original request method resulting in double PATCH/PUT)

    Guillermo Iguaran

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ activemodel (7.0.6 → 7.0.8) · Repo · Changelog

Release Notes

7.0.8 (from changelog)

  • No changes.

7.0.7.2 (from changelog)

  • No changes.

7.0.7.1 (from changelog)

  • No changes.

7.0.7 (from changelog)

  • Error.full_message now strips ":base" from the message.

    zzak

  • Add a load hook for ActiveModel::Model (named active_model) to match the load hook for ActiveRecord::Base and allow for overriding aspects of the ActiveModel::Model class.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ activerecord (7.0.6 → 7.0.8) · Repo · Changelog

Release Notes

7.0.8 (from changelog)

  • Fix change_column not setting precision: 6 on datetime columns when using 7.0+ Migrations and SQLite.

    Hartley McGuire

  • Fix unscope is not working in specific case

    Before:

    Post.where(id: 1...3).unscope(where: :id).to_sql # "SELECT `posts`.* FROM `posts` WHERE `posts`.`id` >= 1 AND `posts`.`id` < 3"

    After:

    Post.where(id: 1...3).unscope(where: :id).to_sql # "SELECT `posts`.* FROM `posts`"

    Fixes #48094.

    Kazuya Hatanaka

  • Fix associations to a STI model including a class_name parameter

    class Product < ApplicationRecord
    has_many :requests, as: :requestable, class_name: "ProductRequest", dependent: :destroy
    end

    # STI tables
    class Request < ApplicationRecord
    belongs_to :requestable, polymorphic: true

    validate :request_type, presence: true
    end

    class ProductRequest < Request
    belongs_to :user
    end

    Accessing such association would lead to:

    table_metadata.rb:22:in `has_column?': undefined method `key?' for nil:NilClass (NoMethodError)
    

    Romain Filinto

  • Fix change_table setting datetime precision for 6.1 Migrations

    Hartley McGuire

  • Fix change_column setting datetime precision for 6.1 Migrations

    Hartley McGuire

7.0.7.2 (from changelog)

  • No changes.

7.0.7.1 (from changelog)

  • No changes.

7.0.7 (from changelog)

  • Restores functionality to the missing method when using enums and fixes.

    paulreece

  • Fix StatementCache::Substitute with serialized type.

    ywenc

  • Fix :db_runtime on notification payload when application have multiple databases.

    Eileen M. Uchitelle

  • Correctly dump check constraints for MySQL 8.0.16+.

    Steve Hill

  • Fix ActiveRecord::QueryMethods#in_order_of to include nils, to match the behavior of Enumerable#in_order_of.

    For example, Post.in_order_of(:title, [nil, "foo"]) will now include posts with nil titles, the same as Post.all.to_a.in_order_of(:title, [nil, "foo"]).

    fatkodima

  • Revert "Fix autosave associations with validations added on :base of the associated objects."

    This change intended to remove the :base attribute from the message, but broke many assumptions which key these errors were stored.

    zzak

  • Fix #previously_new_record? to return true for destroyed records.

    Before, if a record was created and then destroyed, #previously_new_record? would return true. Now, any UPDATE or DELETE to a record is considered a change, and will result in #previously_new_record? returning false.

    Adrianna Chang

  • Revert breaking changes to has_one relationship deleting the old record before the new one is validated.

    zzak

  • Fix support for Active Record instances being uses in queries.

    As of 7.0.5, query arguments were deep duped to avoid mutations impacting the query cache, but this had the adverse effect to clearing the primary key when the query argument contained an ActiveRecord::Base instance.

    This broke the noticed gem.

    Jean Boussier

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ activesupport (7.0.6 → 7.0.8) · Repo · Changelog

Security Advisories 🚨

🚨 Possible File Disclosure of Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077
Release Notes

7.0.8 (from changelog)

  • Fix TimeWithZone still using deprecated #to_s when ENV or config to disable it are set.

    Hartley McGuire

  • Fix CacheStore#write_multi when using a distributed Redis cache with a connection pool.

    Fixes #48938.

    Jonathan del Strother

7.0.7.2 (from changelog)

  • No changes.

7.0.7.1 (from changelog)

  • Use a temporary file for storing unencrypted files while editing

    [CVE-2023-38037]

7.0.7 (from changelog)

  • Fix Cache::NullStore with local caching for repeated reads.

    fatkodima

  • Fix to_s with no arguments not respecting custom :default formats

    Hartley McGuire

  • Fix ActiveSupport::Inflector.humanize(nil) raising NoMethodError: undefined method `end_with?' for nil:NilClass.

    James Robinson

  • Fix Enumerable#sum for Enumerator#lazy.

    fatkodima, Matthew Draper, Jonathan Hefner

  • Improve error message when EventedFileUpdateChecker is used without a compatible version of the Listen gem

    Hartley McGuire

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 7.0.6 → 7.0.8) · Repo · Changelog

Release Notes

7.0.8 (from changelog)

  • Fix HostAuthorization potentially displaying the value of the X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.

    Hartley McGuire, Daniel Schlosser

7.0.7.2 (from changelog)

  • No changes.

7.0.7.1 (from changelog)

  • No changes.

7.0.7 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 7.0.6 → 7.0.8) · Repo · Changelog

Release Notes

7.0.8 (from changelog)

  • Fix form_for missing the hidden _method input for models with a namespaced route.

    Hartley McGuire

  • Fix render collection: @records, cache: true inside jbuilder templates

    The previous fix that shipped in 7.0.7 assumed template fragments are always strings, this isn't true with jbuilder.

    Jean Boussier

7.0.7.2 (from changelog)

  • No changes.

7.0.7.1 (from changelog)

  • No changes.

7.0.7 (from changelog)

  • Fix render collection: @records, cache: true to cache fragments as bare strings

    Previously it would incorrectly cache them as Action View buffers.

    Jean Boussier

  • Don't double-encode nested field_id and field_name index values

    Pass index: @options as a default keyword argument to field_id and field_name view helper methods.

    Sean Doyle

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.8.2 → 2.8.4) · Repo · Changelog

Release Notes

2.8.4

2.8.4 / 2023-07-18

  • cmake: set CMAKE compile flags to configure cross-compilation similarly to autotools --host flag: SYSTEM_NAME, SYSTEM_PROCESSOR, C_COMPILER, and CXX_COMPILER. [#130] (Thanks, @stanhu!)

2.8.3

2.8.3 / 2023-07-18

Fixed

  • cmake: only use MSYS/NMake generators when available. [#129] (Thanks, @stanhu!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ minitest (indirect, 5.18.1 → 5.20.0) · Repo · Changelog

Release Notes

5.20.0 (from changelog)

  • 1 minor enhancement:

    • Optionally allow autorun exit hook to remain active in forked child. (casperisfine)

5.19.0 (from changelog)

  • 2 minor enhancements:

    • Add metadata lazy accessor to Runnable / Result. (matteeyah)

    • Only load minitest/unit (aka ancient MiniTest compatibility layer) if ENV

  • 1 bug fix:

    • Minitest::TestTask enthusiastically added itself to default. (ParadoxV5)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ nokogiri (indirect, 1.15.2 → 1.15.4) · Repo · Changelog

Release Notes

1.15.4

1.15.4 / 2023-08-11

Dependencies

Fixed

  • Fixed a typo in a HTML5 parser error message. [#2927] (Thanks, @anishathalye!)
  • [CRuby] ObjectSpace.memsize_of is now safe to call on Documents with complex DTDs. In previous versions, this debugging method could result in a segfault. [#2923, #2924]

sha256 checksums:

14091a07e07045a440213f7d5ced732fa7654ae8b6c7d180137f4124c5284ab8  nokogiri-1.15.4-aarch64-linux.gem
572ddc19934d010e98821a946d89462ae66b310fecc3fe12c48b0025c2f76855  nokogiri-1.15.4-arm-linux.gem
707288e293f4fc82a008f90b7ba0180d9f803f6a239a13e424378fedf8cf93e9  nokogiri-1.15.4-arm64-darwin.gem
04745925f63af61144eccef38a703928629cf97c34dbb1c42e3def17ac77ec92  nokogiri-1.15.4-java.gem
a0bfb65461a0453afed1a41b235fe84d5b9c7f4d70afd45f0dc2fdec8909faf1  nokogiri-1.15.4-x64-mingw-ucrt.gem
b9d01b9202e33cc23d19b2c1fc18ff4029cdda9b4f937a4baaefd4124a2158ba  nokogiri-1.15.4-x64-mingw32.gem
f6ae258d7ed5f81715118282aa45486e68fd44b9747d0244a236e9ed5b94c45d  nokogiri-1.15.4-x86-linux.gem
3f65b2426ece8da908bd5df5b6262ce525393f5245f8258a245bb4c3f5759b98  nokogiri-1.15.4-x86-mingw32.gem
d756605c540034debd7f486ae27802e6b1b129013fd6b1bb823783ef6f2bc5d7  nokogiri-1.15.4-x86_64-darwin.gem
872ced3d72d797ed9b5a76c67141c6cee7589711358e11c73e9c53724ffd1842  nokogiri-1.15.4-x86_64-linux.gem
e4a801e5ef643cc0036f0a7e93433d18818b31d48c9c287596b68e92c0173c4d  nokogiri-1.15.4.gem

1.15.3

1.15.3 / 2023-07-05

Fixed

  • Passing an object that is not a kind of XML::Node as the first parameter to CDATA.new now raises a TypeError. Previously this would result in either a segfault (CRuby) or a Java exception (JRuby). [#2920]
  • Passing an object that is not a kind of XML::Node as the first parameter to Schema.from_document now raises a TypeError. Previously this would result in either a segfault (CRuby) or a Java exception (JRuby). [#2920]
  • [CRuby] Passing an object that is not a kind of XML::Node as the second parameter to Text.new now raises a TypeError. Previously this would result in a segfault. [#2920]
  • [CRuby] Replacing a node's children via methods like Node#inner_html=, #children=, and #replace no longer defensively dups the node's next sibling if it is a Text node. This behavior was originally adopted to work around libxml2's memory management (see #283 and #595) but should not have included operations involving xmlAddChild(). [#2916]
  • [JRuby] Fixed NPE when serializing an unparented HTML node. [#2559, #2895] (Thanks, @cbasguti!)

sha256 checksums:

70dadf636ae026f475f07c16b12c685544d4f8a764777df629abf1f7af0f2fb5  nokogiri-1.15.3-aarch64-linux.gem
83871fa3f544dc601e27abbdef87315a77fe1270fe4904986bd3a7df9ca3d56f  nokogiri-1.15.3-arm-linux.gem
fa4a027478df9004a2ce91389af7b7b5a4fc790c23492dca43b210a0f8770596  nokogiri-1.15.3-arm64-darwin.gem
95d410f995364d9780c4147d8fca6974447a1ccd3a1e1b092f0408836a36cc9c  nokogiri-1.15.3-java.gem
599a46b6e4f5a34dd21da06bdbd69611728304af5ef42bb183e4b4ca073fd7a3  nokogiri-1.15.3-x64-mingw-ucrt.gem
92ebfb637c9b7ba92a221b49ea3328c7e5ee79a28307d75ef55bfe4b5807face  nokogiri-1.15.3-x64-mingw32.gem
ee314666eca832fa71b5bb4c090be46a80aded857aa26121b3b51f3ed658a646  nokogiri-1.15.3-x86-linux.gem
44b7f18817894a5b697bab3d757b12bb7857a0218c1b2e0000929456a2178b34  nokogiri-1.15.3-x86-mingw32.gem
1f0bc0343f9dd1db8dd42e4c9110dd24fc11a7f923b9fa0f866e7f90739e4e7a  nokogiri-1.15.3-x86_64-darwin.gem
ca244ed58568d7265088f83c568d2947102fb00bac14b5bc0e63f678dcd6323d  nokogiri-1.15.3-x86_64-linux.gem
876631295a85315dac37e7a71386d62d9eb452a891083cfe7505cca4805088cb  nokogiri-1.15.3.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ rack (indirect, 2.2.7 → 2.2.8) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ rails-dom-testing (indirect, 2.1.1 → 2.2.0) · Repo

Release Notes

2.2.0

What's Changed

New Contributors

Full Changelog: v2.1.1...v2.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 27 commits:

↗️ zeitwerk (indirect, 2.6.8 → 2.6.11) · Repo · Changelog

Release Notes

2.6.11 (from changelog)

  • Let on_load callbacks for implicit namespaces autoload other implicit namespaces.

2.6.10 (from changelog)

  • Improve validation of the values returned by the inflector's camelize.

2.6.9 (from changelog)

  • Given a path as a string or Pathname object, Zeitwerk::Loader#cpath_expected_at returns a string with the corresponding expected constant path.

    Some examples, assuming that app/models is a root directory:

    loader.cpath_expected_at("app/models")                  # => "Object"
    loader.cpath_expected_at("app/models/user.rb")          # => "User"
    loader.cpath_expected_at("app/models/hotel")            # => "Hotel"
    loader.cpath_expected_at("app/models/hotel/billing.rb") # => "Hotel::Billing"

    This method returns nil for some input like ignored files, and may raise errors too. Please check its documentation for further details.

  • Zeitwerk::Loader#load_file raises with a more informative error if given a hidden file or directory.

  • Zeitwerk::Loader#eager_load_dir does nothing if the argument is a hidden file or directory. This is coherent with its existing behavior for eager load exclusions and ignored paths. Before, that kind of argument would result in a non-deliberate NameError.

  • Documentation improvements.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 32 commits:


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@yoldas yoldas merged commit 9b9c04c into develop Jan 3, 2024
4 checks passed
@yoldas yoldas deleted the depfu/update/group/rails-7.0.8 branch January 3, 2024 00:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant