Skip to content

2.7.7 / 2021-02-01
Compare
Choose a tag to compare
@flavorjones flavorjones released this 01 Feb 20:57
v2.7.7
3044b4e
This commit was signed with the committer’s verified signature.
flavorjones Mike Dalessio
GPG key ID: 59D3039C71577DD7
Learn about vigilant mode.

2.7.7 / 2021-02-01

  • Security fixes for CVE-2021-21289

    Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes'
    methods via implicit use of Ruby's Kernel.open method. Exploitation is possible only if
    untrusted input is used as a local filename and passed to any of these calls:

    • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
    • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
    • Mechanize#download: since v2.2 (see dc91667)
    • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
    • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
    • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

    See GHSA-qrqm-fpv6-6r8g for more
    information.

    Also see #547, #548. Thank you, @kyoshidajp!

  • New Features

    • Support for Ruby 3.0 by adding webrick as a runtime dependency. (#557) @pvalena

  • Bug fix

    • Ignore input fields with blank names (#542, #536)
Assets 2
Loading