Rails 5.1.2.rc1 has been released

New update of Rails released
21 June 2017   1930

Great news for the RoR community: version 5.1.2.rc1 has recently been released.

The final release is expected on Monday, 26th of June, if no big issues appear. As always, the developers ask you to test this release well and to create an issue on GitHub if you find any bugs.

Changelogs

List of changes for every gem:

  • Action Pack:
    • driven_by now registers poltergeist and capybara-webkit
      If driver poltergeist or capybara-webkit is set for System Tests, driven_by will register the driver and set additional options passed via :options param.
      Refer to drivers documentation to learn what options can be passed.
      by Mario Chavez

    • AEAD encrypted cookies and sessions with GCM

  • Action View:
    • Fix issues with scopes and engine on current_page? method.

      Fixes #29401.
      by Nikita Savrov

    • Generate field ids in collection_check_boxes and collection_radio_buttons.
      This makes sure that the labels are linked up with the fields.

      Fixes #29014.
      by Yuji Yaginuma

  • Active Model:
    • Fix regression in numericality validator when comparing Decimal and Float input values with more scale than the schema.
      by Bradley Priest

  • Active Record:

    • Restore previous behavior of collection proxies: their values can have methods stubbed, and they respect extension modules applied by a default scope.
      by Ryuta Kamizono

    • Loading model schema from database is now thread-safe.

      Fixes #28589.
      by Vikrant Chaudhary, David Abdemoulaie

  • Active Support:

    • Cache: Restore the options = nil argument for LocalStore#clear that was removed in 5.1.0. Restores compatibility with backends that take an options argument and use the local cache strategy.
      by Jeremy Daer

    • Fix implicit coercion calculations with scalars and durations
      Previously calculations where the scalar is first would be converted to a duration of seconds but this causes issues with dates being converted to times, e.g:

      Time.zone = "Beijing"           # => Asia/Shanghai
      date = Date.civil(2017, 5, 20)  # => Mon, 20 May 2017
      2 * 1.day                       # => 172800 seconds
      date + 2 * 1.day                # => Mon, 22 May 2017 00:00:00 CST +08:00
      

      Now the ActiveSupport::Duration::Scalar calculation methods will try to maintain the part structure of the duration where possible, e.g:

      Time.zone = "Beijing"           # => Asia/Shanghai
      date = Date.civil(2017, 5, 20)  # => Mon, 20 May 2017
      2 * 1.day                       # => 2 days
      date + 2 * 1.day                # => Mon, 22 May 2017
      

      Fixes #29160, #28970.
      by Andrew White

  • Railties:

    • Add Windows support to rails secrets:edit
      by Kasper Timm Hansen

The full changelist can be found on GitHub.

Interesting update! New features and fixes in Action View and Active Record will come in handy. Will try to update my Rails as soon as possible.
 

Dima Koprov
Team Lead at Evrone

SHA-256

You can use these checksums to verify your gem files:

$ shasum -a 256 *-5.1.2.rc1.gem
ae90de7d8f5d1129a162e9419b65e08870a433ed4eb067bcd44be161de394773  actioncable-5.1.2.rc1.gem
bd7b3ac7dacb1a983bf2b5dcc56255261421285ef9b5cc5d645d416a1ba42378  actionmailer-5.1.2.rc1.gem
21b097d2ea1009eaad2487b4461f20a2c76d2ea9786e2fb37dd1e87116ca3621  actionpack-5.1.2.rc1.gem
689d6580dbef9c81e43fc77185a7916ef7ca2a3d863300f6e47d8199e4bdbd1c  actionview-5.1.2.rc1.gem
dfa1afc5d701241e25282c318738a8c379fdbd9cf682725f87e1c16584bf3be6  activejob-5.1.2.rc1.gem
040c3aaa4bf7686efa0e716dc4cf077d4d5b1ef598c81f7d32e86f1f8f26817a  activemodel-5.1.2.rc1.gem
8bc8b1677051975083717c65a3ee3df612b5e9d381db9d90dc71f3484f514a0b  activerecord-5.1.2.rc1.gem
69aab1c234f1223ceedb62168df071bdb3483a00be5e186278983eb1ed636e69  activesupport-5.1.2.rc1.gem
50a14c6e4952297f0a9a510b268ea845833474dccbe1619594c0406ceab5c7fa  rails-5.1.2.rc1.gem
7c18b3a185f73740b020ecf9414ea8d5c254edddefce64e7383bd137c7626d45  railties-5.1.2.rc1.gem
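
Checking a directory of downloaded gems against a published list in the `shasum -a 256` format shown above, as an added example in Ruby (not code from the Rails project or from this article). The function names and demo file names are assumptions, and the demo uses constructed stand-in files rather than real gems or the release checksums.

```ruby
require "digest"
require "tmpdir"

# Parse `shasum -a 256` output: "<64 hex chars>  <file name>" per line.
def parse_manifest(text)
  text.each_line.with_object({}) do |line, expected|
    line = line.strip
    next if line.empty?
    m = line.match(/\A(\h{64})\s+\*?(\S.*)\z/)
    raise ArgumentError, "malformed manifest line: #{line.inspect}" unless m
    expected[m[2]] = m[1].downcase
  end
end

# Compare every manifest entry with the file of that name in dir.
# Returns { name => :ok | :mismatch | :missing }.
def verify_gems(manifest_text, dir)
  parse_manifest(manifest_text).map do |name, expected|
    # Names come from the manifest; accept plain file names only.
    raise ArgumentError, "unsafe name: #{name.inspect}" unless name == File.basename(name)
    path = File.join(dir, name)
    status =
      if !File.file?(path) then :missing
      elsif Digest::SHA256.file(path).hexdigest == expected then :ok
      else :mismatch
      end
    [name, status]
  end.to_h
end

# Constructed demo: stand-in files, not real gems or real release checksums.
def demo_verify
  Dir.mktmpdir do |dir|
    File.binwrite(File.join(dir, "alpha-0.0.1.gem"), "constructed payload A")
    File.binwrite(File.join(dir, "beta-0.0.1.gem"), "constructed payload B")
    manifest = <<~LIST
      #{Digest::SHA256.hexdigest("constructed payload A")}  alpha-0.0.1.gem
      #{Digest::SHA256.hexdigest("constructed payload B")}  beta-0.0.1.gem
      #{Digest::SHA256.hexdigest("never downloaded")}  gamma-0.0.1.gem
    LIST
    # Simulate corruption or tampering after the manifest was published.
    File.binwrite(File.join(dir, "beta-0.0.1.gem"), "constructed payload B (modified)")
    verify_gems(manifest, dir)
  end
end

p demo_verify if __FILE__ == $PROGRAM_NAME
```

Take the checksum list from a source you trust independently of where the gem files came from; a list fetched alongside a tampered file can be replaced together with it.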

 

Ruby and Rails to Get New Updates

Six vulnerabilities in the RubyGems package management system and three in the Rails framework are now fixed
14 March 2019   360

Corrective releases of the Ruby programming language, 2.6.2 and 2.5.4, are available; they eliminate six vulnerabilities in the RubyGems package management system:

  • CVE-2019-8324: the ability to execute code when installing an untested package (an attacker can place the code in the gemspec, and this code will be executed via a call to eval in ensure_loadable_spec at the verification stage before installation);
  • CVE-2019-8320: the ability to delete directories by manipulating symbolic links when tar files are unpacked;
  • CVE-2019-8321: the ability to inject escape sequences through the handler Gem::UserInteraction#verbose;
  • CVE-2019-8322: the ability to inject escape sequences through the command "gem owner";
  • CVE-2019-8323: the ability to inject escape sequences in the API handler (Gem::GemcutterUtilities#with_response);
  • CVE-2019-8325: the ability to inject escape sequences through error handlers (Gem::CommandManager#run calls alert_error without escaping characters).
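
The four escape-sequence issues in the list above share one root cause: text controlled by a remote party reaches the terminal unescaped. The following added Ruby example (not RubyGems code; all names and the sample response are constructed for illustration) shows the unescaped call beside a version that neutralises control characters first.

```ruby
require "stringio"

# Terminal control characters: C0 controls, DEL and C1 controls (Unicode Cc),
# with tab and newline left alone so ordinary multi-line text still prints.
UNSAFE = /(?![\t\n])\p{Cc}/

# Replace control characters in untrusted text with a visible ".".
def clean_text(untrusted)
  # Invalid byte sequences are replaced too, so the regexp sees valid UTF-8.
  text = untrusted.to_s.dup.force_encoding(Encoding::UTF_8).scrub("?")
  text.gsub(UNSAFE, ".")
end

# Before: remote-controlled text goes to the terminal byte for byte.
def say_raw(io, message)
  io.puts(message)
end

# After: the same call site with control characters neutralised.
def say_clean(io, message)
  io.puts(clean_text(message))
end

# Constructed sample of a response body that carries ESC, CR, CSI and BEL.
def demo_output
  body = "Owner added\e[31m\rplain\ttab\nline two\u009B0m\a"
  raw = StringIO.new
  clean = StringIO.new
  say_raw(raw, body)
  say_clean(clean, body)
  { raw: raw.string, clean: clean.string }
end

p demo_output if __FILE__ == $PROGRAM_NAME
```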

In addition, updates to the Rails framework were released, 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2 and 6.0.0.beta3, which eliminate three vulnerabilities:

  • CVE-2019-5420 - potentially allows remote code execution on the server when Rails is running in development mode. With information about the target application, an attacker can predict the automatically generated development mode token, and knowing it makes code execution possible;
  • CVE-2019-5418 - a vulnerability in Action View that allows the contents of arbitrary files to be read from the server's file system by sending a specially crafted HTTP Accept header, if a handler in the code uses "render file:";
  • CVE-2019-5419 - a DoS vulnerability in Action View that allows 100% CPU load to be reached by manipulating the contents of the HTTP Accept header.