Ruby on Rails 5.1.3 RC2 released

New release candidate for Rails 5.1.3 available now
27 July 2017

Good news for RoR developers: the second release candidate of Rails 5.1.3 has been released.

Changelogs

List of changes for every gem:

  • Railties
    • Regression fix: Allow bin/rails test to take absolute paths to tests. (same fix in 5.0.5 RC2)

As always, you can view the whole list of changes on GitHub.

If no regressions are found, the final release is expected on Monday, 24th of July, 2017. The developers ask everyone who runs into an issue to open a GitHub issue and mention @kaspth so that it can be fixed as soon as possible.

SHA-256

Use these checksums to verify the gems you download before installing them:

$ shasum -a 256 *-5.1.3.rc2.gem
f2a510b5f274e7cdb9f18dbab316fe1fa703ba91af5e031fe807355633728b3b  actioncable-5.1.3.rc2.gem
303c71c3f8d792f07523fb7bb3afb366dd46293fdccfccaf8491f2db00dc93aa  actionmailer-5.1.3.rc2.gem
d86ac0ffd0dc12cde3ce332b8e4be53b16a8b7b3591c76c75657d114fa26a6fb  actionpack-5.1.3.rc2.gem
f6666a49474da4261c0bc00e9301e46075fe2c6453cf96033f5f3fa05397ceb5  actionview-5.1.3.rc2.gem
61d969886d73f1bf16a06c268dabdc890cc68c7c67c531743e81573e3f3acadd  activejob-5.1.3.rc2.gem
051f8d9fe6811bc8c3be0fc4630db8c740f5d57e3f3a605ca43e02a4790559f8  activemodel-5.1.3.rc2.gem
9e5671a03f0f6f7c3d1eea4c3320e2ae2c9e614add1d2c086e6ee3efcff56cda  activerecord-5.1.3.rc2.gem
7f953d0e72f934fc6c7b1a2dfd4f2e2c96910b3891c550a8fed682ee8c303722  activesupport-5.1.3.rc2.gem
d7ea7b6ee2ad1881f44bec83af5183dad6a52fed6ba7d25430bdab5f2394d067  rails-5.1.3.rc2.gem
2a95a264a470d65b6aa109ddbfcc451f6cd7c1235cbde9c458c19168773d432d  railties-5.1.3.rc2.gem
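The checksum list above is in the format printed by `shasum -a 256` (digest, two spaces, filename). The following Ruby script is an added example, not code from the Rails project or the original post: it parses such a list and compares each downloaded gem against its published digest, refusing to report success for a file that is missing or whose digest differs. The file names and digests in the test are constructed, not real gems.

```ruby
require 'digest'

# Parse a "<hex>  <filename>" checksum listing (the format printed by
# `shasum -a 256`) into a hash of filename => expected SHA-256 digest.
# Lines that are not a 64-hex-digit digest followed by a name are ignored.
def parse_checksums(text)
  text.each_line.with_object({}) do |line, acc|
    hex, name = line.strip.split(/\s+/, 2)
    next unless hex && name && hex.match?(/\A[0-9a-f]{64}\z/)
    acc[name] = hex
  end
end

# Verify every listed file under dir. Returns a hash of
# filename => :ok | :mismatch | :missing, so a caller can refuse to
# install anything unless every entry is :ok.
def verify_gems(checksums, dir)
  checksums.each_with_object({}) do |(name, expected), result|
    path = File.join(dir, name)
    result[name] =
      if !File.file?(path)
        :missing
      elsif Digest::SHA256.file(path).hexdigest == expected
        :ok
      else
        :mismatch
      end
  end
end

# Command-line usage (hypothetical file names):
#   ruby verify_gems.rb SHA256SUMS ./downloaded-gems
if $PROGRAM_NAME == __FILE__ && ARGV.size == 2
  results = verify_gems(parse_checksums(File.read(ARGV[0])), ARGV[1])
  results.each { |name, status| puts format('%-9s %s', status.to_s.upcase, name) }
  exit(results.values.all?(:ok) ? 0 : 1)
end
```

Exit status 1 on any missing or mismatched file makes the script usable as a gate in a deployment pipeline: the install step only runs if verification succeeded for every gem in the list.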


Ruby and Rails to Get New Updates

Six vulnerabilities in the RubyGems package manager and three in the Rails framework have been fixed
14 March 2019

Corrective releases 2.6.2 and 2.5.4 of the Ruby programming language are available; they fix six vulnerabilities in the RubyGems package manager:

  • CVE-2019-8324: code execution when installing an unverified package (an attacker can place code in the gemspec, and that code is executed via a call to eval in ensure_loadable_spec during the verification stage, before installation);
  • CVE-2019-8320: deletion of directories through symbolic-link manipulation when unpacking tar files;
  • CVE-2019-8321: injection of terminal escape sequences through the Gem::UserInteraction#verbose handler;
  • CVE-2019-8322: injection of terminal escape sequences through the "gem owner" command;
  • CVE-2019-8323: injection of terminal escape sequences in the API response handler (Gem::GemcutterUtilities#with_response);
  • CVE-2019-8325: injection of terminal escape sequences through error handlers (Gem::CommandManager#run calls alert_error without escaping characters).
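Four of the six issues share one root cause: text from an untrusted source (gem metadata, an API response, an error message) reaches the terminal without having terminal control characters and ANSI escape sequences removed. The Ruby snippet below is an added illustration of that mitigation and is not RubyGems' own fix: it strips CSI sequences, other ESC-prefixed sequences, and remaining control characters (keeping newline and tab) before a string is printed. The function name and the sample strings are assumptions constructed for the example.

```ruby
# CSI sequences (ESC [ params intermediates final) and other two-byte
# ESC-prefixed sequences (ESC followed by a byte in 0x40-0x5F, which also
# covers a malformed ESC [ prefix so nothing is left for the terminal to act on).
ANSI_ESCAPE = /\e\[[0-9;?]*[ -\/]*[@-~]|\e[@-_]/

# Control characters other than newline (0x0a) and tab (0x09): NUL, BEL,
# backspace, CR (used to overwrite a line), a stray ESC, DEL, and so on.
CONTROL_CHARS = /[\x00-\x08\x0b-\x1f\x7f]/

# Return a copy of str that is safe to write to a terminal: no escape
# sequences can recolour, move the cursor, or hide text, and no control
# character can ring the bell or rewrite the current line. Whole escape
# sequences are removed first so their parameters do not remain as visible text.
def sanitize_for_terminal(str)
  str.to_s.gsub(ANSI_ESCAPE, '').gsub(CONTROL_CHARS, '')
end

# Hypothetical error reporter: the untrusted detail is sanitized before
# it is interpolated into the message, which is the pattern the fixes
# for the escape-sequence issues above follow.
def report_error(prefix, untrusted_detail)
  "#{prefix}: #{sanitize_for_terminal(untrusted_detail)}"
end
```

Applying the filter at the output boundary (the function that writes to the terminal) rather than at each call site is what closes the whole class of issues at once, instead of one handler at a time.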

In addition, updates were released for the Rails framework, versions 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2 and 6.0.0.beta3, fixing three vulnerabilities:

  • CVE-2019-5420: potentially allows remote code execution on the server when Rails is running in development mode. Given information about the attacked application, an attacker can predict the automatically generated development-mode secret token, and knowledge of that token allows code execution;
  • CVE-2019-5418: a vulnerability in Action View that allows reading the contents of arbitrary files on the server's file system by sending a specially crafted HTTP Accept header, if the application uses "render file:";
  • CVE-2019-5419: a DoS vulnerability in Action View that allows driving CPU load to 100% through manipulation of the contents of the HTTP Accept header.