Ruby and Rails to Get New Updates

Six vulnerabilities have been fixed in the RubyGems package management system and three in the Rails framework
14 March 2019

Corrective releases 2.6.2 and 2.5.4 of the Ruby programming language are now available; they eliminate six vulnerabilities in the RubyGems package management system:

  • CVE-2019-8324: code execution when installing an unverified package (an attacker can place code in the gemspec, and that code is executed via a call to eval in ensure_loadable_spec during the verification stage before installation);
  • CVE-2019-8320: deletion of directories through symbolic-link manipulation when unpacking tar files;
  • CVE-2019-8321: injection of escape sequences through the Gem::UserInteraction#verbose handler;
  • CVE-2019-8322: injection of escape sequences through the "gem owner" command;
  • CVE-2019-8323: injection of escape sequences in the API handler (Gem::GemcutterUtilities#with_response);
  • CVE-2019-8325: injection of escape sequences through error handlers (Gem::CommandManager#run calls alert_error without escaping characters).
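Four of the six issues above are the same bug class: untrusted strings (gem metadata, owner addresses, API error bodies) reach the terminal unfiltered. As an added illustration, not code from RubyGems or from the original report, here is one defensive pattern against it: scrub terminal control sequences from every untrusted value before a CLI prints it, and expose a check so a tool can log and refuse instead of silently cleaning.

```ruby
# Added example (not RubyGems' own code): scrub terminal control sequences from
# untrusted text before a CLI echoes it, closing the class of bug behind
# CVE-2019-8321/8322/8323/8325.

# CSI: ESC [ <params 0x30-0x3f>* <intermediates 0x20-0x2f>* <final 0x40-0x7e>
CSI_SEQUENCE = /\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/
# OSC: ESC ] ... terminated by BEL or by ESC \ (used e.g. to rewrite the window title)
OSC_SEQUENCE = /\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/
# Any other two-byte ESC sequence (ESC followed by one printable byte)
OTHER_ESCAPE = /\x1b[\x20-\x7e]/
# C0 control bytes and DEL, except TAB (0x09), LF (0x0a) and CR (0x0d)
CONTROL_BYTE = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# Returns a copy of +text+ with all escape/control sequences removed.
# Order matters: the longer OSC/CSI forms are stripped before the generic ESC+byte rule,
# and a stray lone ESC is finally caught by CONTROL_BYTE.
def strip_escapes(text)
  text.to_s.scrub # drop invalid byte sequences so gsub cannot raise on them
      .gsub(OSC_SEQUENCE, '')
      .gsub(CSI_SEQUENCE, '')
      .gsub(OTHER_ESCAPE, '')
      .gsub(CONTROL_BYTE, '')
end

# True when +text+ would alter the terminal state if printed unfiltered;
# useful as a detection hook (warn and refuse) rather than only cleaning.
def contains_escapes?(text)
  strip_escapes(text) != text.to_s
end

# Formats a user-facing message so that only the template is trusted; every
# interpolated value is assumed to come from the network or a gemspec and is scrubbed.
def safe_message(template, *untrusted)
  format(template, *untrusted.map { |v| strip_escapes(v) })
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a gem name that clears the line, prints a fake "verified"
  # marker in green, then tries to set the terminal title through an OSC sequence.
  hostile_name = "evil\e[2K\e[1;32m[verified] safe-gem\e[0m\e]0;owned\a"
  puts "raw name would change the terminal: #{contains_escapes?(hostile_name)}"
  puts safe_message('Installing %s (owner: %s)', hostile_name, "admin@example.com\e[0m")
end
```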

In addition, updates were released for the Rails framework, versions 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2 and 6.0.0.beta3, eliminating three vulnerabilities:

  • CVE-2019-5420: potentially allows remote execution of attacker-supplied code on the server when Rails is running in development mode. Given information about the targeted application, the automatically generated development-mode secret token can be predicted, and knowledge of it makes code execution possible;
  • CVE-2019-5418: a vulnerability in Action View that allows the contents of arbitrary files on the server's file system to be retrieved by sending a specially crafted HTTP Accept header, if the application's code uses the "render file:" handler;
  • CVE-2019-5419: a DoS vulnerability in Action View that allows 100% CPU load to be induced through manipulation of the contents of the HTTP Accept header.

Git 2.20 to be Available

A look at the updates and features in the new version of the version control system
11 December 2018

The distributed version control system Git has received another update. To produce Git 2.20, 83 developers made 962 changes to the code. According to the team, this is an order of magnitude more than the corresponding figure for the largest previous release of the 2.x.x branch.

The git branch -l command is now a shortened form of git branch --list; it previously served to enable the reflog when creating a new branch. The developers have also restricted git fetch: the update is now only possible when --force is specified, to avoid consistency problems when updating the reference.

The git help -a and git help -av commands, which assist newcomers, now display more verbose output. To return to the old view, run git help --no-verbose -a. git send-email can now extract lines with addresses ending in "-by" from signatures. This is an incompatible change, and it can be disabled by adding --suppress-cc=misc-by to the command.

  • If the repository contains files whose paths differ only in letter case, a warning is displayed during git clone.
  • The git format-patch command received the --interdiff and --range-diff options, which list in a note or comment the differences between the current and previous versions of the series.
  • git mailinfo has learned to recover patches sent by e-mail as plain text and damaged by line wrapping.
  • git multi-pack-index can now repair damage in .midx files.
  • Creating experimental commit-graph files for large repositories takes a long time, so the developers have added progress output showing the state of the process.

Performance and Development Support

  • Developer builds now use the -Wunused-function compiler option.
  • git submodule update has been completely rewritten in C.
  • One of the continuous integration (CI) tests, intended to exercise unusual/experimental/random settings, now also covers midx and commit-graph files.
  • A new mechanism for locating objects among a large number of pack files; it relies on combining all .idx files into one.

The previous version of the system was released in September 2018.