Rails 4 receives a new update

Ruby on Rails 4 has received a new 4.2.9 update that fixes security issues.
27 June 2017


A new update for the "old" RoR series has been released recently. According to the developers' maintenance policy, since the release of Rails 5.1.0 the 4.2 series only receives new releases in case of security issues.

Changelists

  • Action Pack:
    • Use more specific check for :format in route path
      The current check for whether to add an optional format to the path is very lax and will match things like :format_id where there are nested resources, e.g.:

      resources :formats do
        resources :items
      end

      Fix this by using a more restrictive regex pattern that looks for the patterns (.:format).:format or / at the end of the path. Note that we need to allow for multiple closing parenthesis since the route may be of this form:

      get "/books(/:action(.:format))", controller: "books"
      
  • Active Record:

    • Fixed a regression caused by collection_singular_ids= ignoring a different primary key on the relationship.

    • Fix rake db:schema:load with subdirectories.

    • Fix rake db:migrate:status with subdirectories.

    • Fix regression of #1969 with SELECT aliases in HAVING clause.

    • Make wait_timeout configurable for the mysql2 adapter.

    • Make table_name= reset current statement cache, so queries are not run against the previous table name.

  • Active Support:

    • Fixed a bug in DateAndTime::Compatibility#to_time that caused it to raise RuntimeError: can't modify frozen Time when called on any frozen Time. Properly pass through the frozen Time or ActiveSupport::TimeWithZone object when calling #to_time.

    • Restore the return type of DateTime#utc
      In Rails 5.0 the return type of DateTime#utc was changed to Time to be consistent with the new DateTime#localtime method. When these changes were backported in #27553 this inadvertently changed the return type in a patch release. Since DateTime#localtime was new in Rails 4.2.8 it's okay to restore the return type of DateTime#utc but keep DateTime#localtime as returning Time without breaking backwards compatibility.

    • In Core Extensions, make MarshalWithAutoloading#load pass through the second, optional argument for Marshal#load( source [, proc] ). This way we don't have to do Marshal.method(:load).super_method.call(source, proc) just to be able to pass a proc.

    • Cache ActiveSupport::TimeWithZone#to_datetime before freezing.

    • AS::Testing::TimeHelpers#travel_to now changes DateTime.now as well as Time.now and Date.today.
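
The route :format check described in the Action Pack entry, reconstructed as an added example. This is not the Rails source: the two regular expressions and the helper names are assumptions modelled on the changelog text, and the sample paths are constructed.

```ruby
# Added example: stand-alone reconstruction of the route :format check from the
# Action Pack changelog entry. Not the Rails source; regexes are assumptions.

# Lax check (the behaviour the fix replaces): any ":format" substring anywhere in
# the path is taken to mean "format already handled", so ":format_id" matches too.
def lax_format_present?(path)
  path.include?(":format")
end

# Restrictive check: only one or more "(.:format)" groups (with extra closing
# parentheses allowed for enclosing optional segments), a bare ".:format", or a
# trailing "/" at the very end of the path counts as "format already handled".
OPTIONAL_FORMAT_REGEX = %r{(?:\(\.:format\)+|\.:format|/)\Z}

def strict_format_present?(path)
  path.match?(OPTIONAL_FORMAT_REGEX)
end

# Append the optional "(.:format)" segment unless the route disabled it with
# format: false or the path already carries a format / trailing slash.
def path_with_optional_format(path, format: nil, check: :strict)
  return path if format == false

  present = check == :lax ? lax_format_present?(path) : strict_format_present?(path)
  present ? path : "#{path}(.:format)"
end

# Constructed sample paths, including the nested-resource case from the changelog.
SAMPLE_PATHS = [
  "/formats/:format_id/items",   # nested resource: should still get (.:format)
  "/books(/:action(.:format))",  # format inside a nested optional segment
  "/books.:format",              # explicit, mandatory format
  "/books/",                     # trailing slash
  "/books"                       # plain path
].freeze

if __FILE__ == $0
  SAMPLE_PATHS.each do |p|
    puts format("%-30s lax: %-32s strict: %s", p,
                path_with_optional_format(p, check: :lax),
                path_with_optional_format(p, check: :strict))
  end
end
```

Running it side by side shows the difference the fix makes: with the lax check, "/formats/:format_id/items" never receives its "(.:format)" segment because ":format_id" contains ":format", while the anchored regex only treats a format or slash at the end of the path as already handled.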

Check the full list of changes.

SHA-256

Use these checksums to verify the gems you download:

$ shasum -a 256 *-4.2.9.gem
bffbd5830a26af64d92548a831624a5422c77d97b2115c08b668fcbcc26f34ad  actionmailer-4.2.9.gem
8471fb1f9cc4962f3e000325821f1de0538a12cb580b0772ff9f89fbc8c1f9cd  actionpack-4.2.9.gem
d7fbbe069f74a6e7ce76cf91d0fede1593a0ed0db875f4630d8343551fb96f12  actionview-4.2.9.gem
a0086b19823d056efc1c8e7052d6684f54bebe7c9101ba69bd1a58c33d737451  activejob-4.2.9.gem
dbcd32a5e6294323b893565c0c334f6d89bb92d5085ce5e3d0454de0ed8eb5e3  activemodel-4.2.9.gem
0be77a1f77b2c8ae0e767c6fafb4c8fdda89c0be49ded0ae6f9644e81a4827a2  activerecord-4.2.9.gem
5717d2fe6409d4df72f0d20e46d7261503ccafc80ab228e91455d47185190ab4  activesupport-4.2.9.gem
eaaa4c1cafb3f9bd9f8dd58dd142522e398a5ad0d03abf2e3de364a63d4b7d1a  rails-4.2.9.gem
ad7b7765849a9aff0c42674f9512c39c098af63bb8476a4076a252fac3b4b2bc  railties-4.2.9.gem


Ruby and Rails to Get New Updates

Six vulnerabilities in the RubyGems package management system and three in the Rails framework are now fixed
14 March 2019

Corrective versions 2.6.2 and 2.5.4 of the Ruby programming language have been released, eliminating six vulnerabilities in the RubyGems package management system:

  • CVE-2019-8324: code execution when installing an unverified package (an attacker can place code in the gemspec, and that code is executed via a call to eval in ensure_loadable_spec during the verification stage before installation);
  • CVE-2019-8320: deletion of directories through symbolic-link manipulation when unpacking tar files;
  • CVE-2019-8321: injection of escape sequences through the Gem::UserInteraction#verbose handler;
  • CVE-2019-8322: injection of escape sequences through the "gem owner" command;
  • CVE-2019-8323: injection of escape sequences in the API handler (Gem::GemcutterUtilities#with_response);
  • CVE-2019-8325: injection of escape sequences through error handlers (Gem::CommandManager#run calls alert_error without escaping characters).
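
Four of the six RubyGems issues are escape-sequence injection: text controlled by a remote party (a gem name, an owner e-mail, a server error message) is written to the terminal unescaped, so control sequences in it are interpreted by the terminal. The defensive counterpart, added here as an example, is to neutralise such sequences before display. This is not the RubyGems fix; the helper names, the two policies and the sample strings are assumptions constructed for the example.

```ruby
# Added example: neutralise terminal control sequences in untrusted text before
# printing it. Not the RubyGems fix; the policy below is an assumption.

# ANSI CSI sequences (ESC [ params intermediates final), OSC sequences
# (ESC ] ... terminated by BEL or by ESC \), and any other ESC + one byte.
ESCAPE_SEQUENCE = /\e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]|\e\][^\a\e]*(?:\a|\e\\)|\e./m

# Remaining C0 control characters and DEL, except tab and newline.
CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# Policy 1: drop every escape sequence and stray control character.
def sanitize_for_terminal(text)
  text.gsub(ESCAPE_SEQUENCE, "").gsub(CONTROL_CHARS, "")
end

# Policy 2: make every control byte visible as \xNN instead of dropping it, so a
# log still shows that something unusual was attempted.
def escape_for_terminal(text)
  text.gsub(/[\x00-\x1f\x7f]/) { |c| format("\\x%02X", c.ord) }
end

# Constructed untrusted strings of the kind a gem name, owner e-mail or remote
# error message could carry.
SAMPLES = {
  "cursor control" => "evil-gem\e[2J\e[Hinstalled ok",
  "colour"         => "\e[31mFATAL\e[0m: trust me",
  "window title"   => "name\e]0;changed\aname",
  "plain"          => "harmless-gem 1.0.0"
}.freeze

if __FILE__ == $0
  SAMPLES.each do |label, raw|
    puts "#{label}:"
    puts "  sanitized: #{sanitize_for_terminal(raw)}"
    puts "  escaped:   #{escape_for_terminal(raw)}"
  end
end
```

Which policy to use depends on the channel: dropping is right for interactive output where the goal is simply that nothing from the remote side can move the cursor or recolour a status line, while escaping is better for logs that may later be reviewed, because the attempt remains recorded.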

In addition, updates to the Rails framework were released as versions 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2 and 6.0.0.beta3, eliminating three vulnerabilities:

  • CVE-2019-5420: potentially allows remote code execution on the server when Rails is running in development mode. Given some information about the targeted application, the automatically generated development-mode token can be predicted, and knowledge of that token makes code execution possible;
  • CVE-2019-5418: a vulnerability in Action View that allows the contents of arbitrary files on the server's file system to be obtained by sending a specially crafted HTTP Accept header, if the application's code contains a "render file:" call;
  • CVE-2019-5419: a DoS vulnerability in Action View that allows 100% CPU load to be induced by manipulating the contents of the HTTP Accept header.