Ruby on Rails 5.0.5RC1 released

A new release candidate in the 5.0.x series of the Ruby on Rails framework is out
21 July 2017

Good news for RoR fans: Rails 5.0.5 release candidate 1 has been released.

Changelogs

Changes per gem:

  • Action Pack
    • Fallback ActionController::Parameters#to_s to Hash#to_s.
  • Active Record
    • Relation#joins is no longer affected by the target model's current_scope, with the exception of unscoped.
  • Railties
    • Make Rails' test runner work better with minitest plugins.
      By demoting the Rails test runner to just another minitest plugin — and thereby not eager loading it — we can co-exist much better with other minitest plugins such as pride and minitest-focus.

As always, the full list of changes is on GitHub.

If no regressions are found, the final release is expected on Monday, 24 July 2017. Anyone who runs into a problem is asked to open a GitHub issue and mention @kaspth so the developers can fix it as soon as possible.

SHA-256

Use these checksums to verify the gems you downloaded before installing them (the output below is from `shasum -a 256`; a matching digest proves the file is the one the announcement lists, not that the announcement itself is authentic, so take the values from the official release post):

$ shasum -a 256 *-5.0.5.rc1.gem
71ae996b0cbadc4836d8de61058870fe3d7ae275c5a3d345b851ca8b88e7c5a7  actioncable-5.0.5.rc1.gem
58fe87b9daf4dc1ddc89110e83846c0e0939fc97c8463e789785d28eddd34ee1  actionmailer-5.0.5.rc1.gem
123d468dcb3e523d1fb82367ebec2d630c6b625d1ad3d1b635bfc718c5d94624  actionpack-5.0.5.rc1.gem
117d39ee700e82903a3f0c3c242e986326acd08e7bab1059fd0afc6e58a2d19c  actionview-5.0.5.rc1.gem
99c51db0728e139a7833af9785323c967cbd474b3f9f1d20f5802628c33398f4  activejob-5.0.5.rc1.gem
9f81997461c252608451c61f5121754fb8aa36f30a1f9f6167a77826cae76be1  activemodel-5.0.5.rc1.gem
9cef200cd17925cd22055d6c5b2d2f22514f434f98983bcba0484e472f208211  activerecord-5.0.5.rc1.gem
ca8be3d1ee126f0e0b84cb9c932771cd718a524c60f2a63dccd32c33831aff74  activesupport-5.0.5.rc1.gem
0fd92b43895a1a73d639b93eec67159bed1003ce2a3f6250030b05091ae40046  rails-5.0.5.rc1.gem
3516bc7c5d3337fe5134ac0a7ec60337078817b569a56381a4f3fe737ef04546  railties-5.0.5.rc1.gem
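As an added example (not code from the Rails project or from this announcement), here is a small Ruby checker that reads a manifest in the `shasum -a 256` format printed above and compares every listed gem in a download directory against its published digest. The gem file names and the directory layout are assumptions made for the demo; the sample files and their digests are constructed inline so it runs offline.

```ruby
# Added example (not from the Rails release notes): verify downloaded gems
# against the SHA-256 values published with an announcement before installing.
# Manifest format is the `shasum -a 256` output: "<hex digest>  <file name>".
require "digest"
require "tmpdir"

# Parse "<hex>  <name>" lines into { name => hex }. Lines that are not in that
# shape (blank lines, the "$ shasum ..." prompt line) are skipped. An optional
# "*" before the name (shasum binary mode) is tolerated.
def parse_manifest(text)
  text.each_line.with_object({}) do |line, h|
    if (m = line.match(/\A([0-9a-fA-F]{64})\s+\*?(\S+)\s*\z/))
      h[m[2]] = m[1].downcase
    end
  end
end

# Compare each file listed in the manifest with its published digest.
# Returns { name => :ok | :mismatch | :missing }. Digest::SHA256.file streams
# the file, so a large gem is not read into memory at once.
def verify_manifest(manifest, dir)
  parse_manifest(manifest).each_with_object({}) do |(name, expected), out|
    path = File.join(dir, name)
    out[name] = if !File.file?(path)
                  :missing
                elsif Digest::SHA256.file(path).hexdigest == expected
                  :ok
                else
                  :mismatch
                end
  end
end

# True only when every listed file is present and matches. A tampered or
# truncated download, or a gem that was never fetched, blocks installation.
def all_verified?(results)
  !results.empty? && results.values.all? { |v| v == :ok }
end

# Constructed demo: one good gem, one tampered gem, one gem never downloaded.
# The gem names and contents are made up for the example.
def verify_demo
  Dir.mktmpdir do |dir|
    good = "good-0.0.1.gem"
    bad  = "bad-0.0.1.gem"
    File.binwrite(File.join(dir, good), "constructed gem contents\n")
    File.binwrite(File.join(dir, bad), "tampered contents\n")
    manifest = <<~MANIFEST
      $ shasum -a 256 *.gem
      #{Digest::SHA256.hexdigest("constructed gem contents\n")}  #{good}
      #{"0" * 64}  #{bad}
      #{"f" * 64}  never-downloaded-0.0.1.gem
    MANIFEST
    verify_manifest(manifest, dir)
  end
end
```

In practice you would paste the announcement's digest lines into a file, run `verify_manifest` over the directory the gems were downloaded into, and only call `gem install --local <file>.gem` when `all_verified?` is true. The check is equivalent to `shasum -a 256 -c manifest`, but returning a per-file status makes it easy to wire into a CI step that refuses to proceed on any mismatch or missing file.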


Ruby and Rails to Get New Updates

Six vulnerabilities in the RubyGems package manager and three in the Rails framework are fixed
14 March 2019

Ruby 2.6.2 and 2.5.4 are maintenance releases that fix six vulnerabilities in the bundled RubyGems package manager:

  • CVE-2019-8324: arbitrary code execution when installing a malicious gem. Code placed in the gemspec is evaluated (a call to eval in ensure_loadable_spec) during the validation step that runs before installation;
  • CVE-2019-8320: deletion of directories through symbolic-link manipulation when unpacking tar archives;
  • CVE-2019-8321: injection of terminal escape sequences through Gem::UserInteraction#verbose;
  • CVE-2019-8322: injection of terminal escape sequences through the "gem owner" command;
  • CVE-2019-8323: injection of terminal escape sequences in the API response handler (Gem::GemcutterUtilities#with_response);
  • CVE-2019-8325: injection of terminal escape sequences through error handling (Gem::CommandManager#run calls alert_error without escaping the message).

In addition, Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1 and 6.0.0.beta3 were released to fix three vulnerabilities:

  • CVE-2019-5420: possible remote code execution when Rails runs in development mode. The automatically generated development-mode secret can be guessed from information about the targeted application, and knowledge of it can be combined with other Rails internals to reach code execution;
  • CVE-2019-5418: a file content disclosure in Action View. A specially crafted HTTP Accept header lets an attacker read arbitrary files from the server's file system when the application renders with "render file:";
  • CVE-2019-5419: a denial-of-service vulnerability in Action View. A crafted Accept header can drive CPU usage to 100%.