Ruby on Rails 5.1.3RC1 released

Finally, a new version of the Ruby on Rails framework has been released
21 July 2017   1955

Great news for RoR coders: Rails 5.1.3 release candidate 1 (5.1.3.rc1) has been published.

Changelogs

Notable changes, grouped by gem:

  • Active Record:
    • Relation#joins is no longer affected by the target model's current_scope, with the exception of unscoped.
    • Previously, when building records using a has_many :through association, if the child records were deleted before the parent was saved, they would still be persisted. Now, if child records are deleted before the parent is saved on a has_many :through association, the child records will not be persisted.
  • Railties:
    • Make Rails' test runner work better with minitest plugins. By demoting the Rails test runner to just another minitest plugin, and thereby not eager loading it, it co-exists much better with other minitest plugins such as pride and minitest-focus.
    • Load environment file in dbconsole command.
    • Allow mounting the same engine several times in different locations.

As always, the full list of changes is available on GitHub.

If no regressions are found, the final release is expected on Monday, 24 July 2017. The Rails developers ask anyone who runs into a problem with the release candidate to open a GitHub issue and mention @kaspth so that it can be fixed before the final release.

SHA-256

Use these checksums to verify the gems you downloaded before installing them:

$ shasum -a 256 *-5.1.3.rc1.gem
3716fe810ac09651160af680e0622dba606eadc3532dc6100a09bc3dc46d8a79  actioncable-5.1.3.rc1.gem
9e734dcdb918f269bc027e31430648a58c205842b99c4990d19f33af41862027  actionmailer-5.1.3.rc1.gem
6f3739bea472a54a27b3982ea246028d4277580e2ff98c6343e07d95d54b29ad  actionpack-5.1.3.rc1.gem
482286af2d2146f6208e757fa29337dc73f9237c240bca753485992cf906bdb5  actionview-5.1.3.rc1.gem
2356ecbc1f1393a1577031894074d333fdc6d27e4ab9de796d2b97fff8676b8b  activejob-5.1.3.rc1.gem
f6ade74444578944fc3b8e376c4b050dda63bb7145abec4777dcb16867b42d30  activemodel-5.1.3.rc1.gem
72a886347747b61578a2aac1b34715042cb8f67fe43d8e53a2290220d08b8a3c  activerecord-5.1.3.rc1.gem
9220885a9d919430fa08cf72baf922000f7c36266d8f711498b7a6fb711eab2d  activesupport-5.1.3.rc1.gem
a06eded7f5e2bf1d6ecc69589062966bb701ccb8896d5aac5a6171ff38d037d4  rails-5.1.3.rc1.gem
727e65bc8c8fd359997bd1442c152f8628ddc318f68c9fba1ca603dda2db7766  railties-5.1.3.rc1.gem
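The listing above is in the two-column format `shasum -a 256` prints, which means it can be fed straight back into a verifier. The following is an added example for this page, not code from the Rails release announcement: it parses such a listing, hashes each named `.gem` file in a directory with Ruby's stdlib `Digest::SHA256`, and reports per file whether the digest matches, differs, or the file is absent. The command-line convention (listing path, then directory) is an assumption of the example.

```ruby
require "digest"

# Parse "<sha256>  <filename>" lines (the output format of `shasum -a 256`)
# into a Hash of filename => expected lowercase hex digest.
# Lines that do not carry a 64-hex-digit digest are ignored.
def parse_checksum_list(text)
  text.each_line.with_object({}) do |line, acc|
    digest, name = line.strip.split(/\s+/, 2)
    next unless digest && name && digest.match?(/\A\h{64}\z/)
    acc[name] = digest.downcase
  end
end

# Verify every listed file in +dir+ against its expected digest.
# Returns filename => :ok | :mismatch | :missing, so a caller can refuse
# to install anything whose status is not :ok.
def verify_gems(expected, dir)
  expected.each_with_object({}) do |(name, digest), result|
    path = File.join(dir, name)
    result[name] =
      if !File.file?(path)
        :missing
      elsif Digest::SHA256.file(path).hexdigest == digest
        :ok
      else
        :mismatch
      end
  end
end

# Usage (assumed convention for this example):
#   ruby verify_gems.rb SHA256SUMS /path/to/downloaded/gems
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  list_path = ARGV[0]
  gem_dir   = ARGV.fetch(1, ".")
  verify_gems(parse_checksum_list(File.read(list_path)), gem_dir).each do |name, status|
    puts "#{status.to_s.ljust(8)} #{name}"
  end
end
```

Compare the digest of the whole file, never just the version string inside it: a tampered gem with the right name and version hashes differently, which is exactly what this check is for.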


Ruby and Rails to Get New Updates

Six vulnerabilities in the RubyGems package manager and three in the Rails framework have been fixed
14 March 2019   615

Corrective releases Ruby 2.6.2 and 2.5.4 have been published. They fix six vulnerabilities in the bundled RubyGems package manager:

  • CVE-2019-8324: arbitrary code execution when installing a malicious gem. An attacker places code in the gemspec, and ensure_loadable_spec evaluates it with eval during the verification step that runs before installation, so the code executes before the gem is ever installed;
  • CVE-2019-8320: deletion of directories through symbolic-link manipulation when unpacking tar archives;
  • CVE-2019-8321: escape sequence injection through Gem::UserInteraction#verbose (terminal escape sequences embedded in untrusted gem data are written to the user's terminal unescaped, letting an attacker alter or spoof what the terminal shows);
  • CVE-2019-8322: escape sequence injection through the "gem owner" command;
  • CVE-2019-8323: escape sequence injection in the API response handler Gem::GemcutterUtilities#with_response;
  • CVE-2019-8325: escape sequence injection through error handling (Gem::CommandManager#run calls alert_error without escaping the message).
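The tar entry above is an instance of a general archive-extraction failure: a hostile archive plants a symbolic link and then names a later entry (or a removal) through it, so the operation lands outside the destination. The following is an added example written for this page, not RubyGems' own patch; the TarEntry struct, the sample archive and the helper names are constructed for illustration. It shows the three checks an extractor needs: the lexical path must stay under the destination, a symlink's target must stay under the destination, and the on-disk ancestor of every write must resolve (through any existing symlinks) to a location under the destination.

```ruby
require "fileutils"
require "tmpdir"

# Minimal model of a tar entry: only the fields a path policy needs
# (hypothetical struct for this example, not RubyGems' TarReader API).
TarEntry = Struct.new(:name, :type, :linkname, :data) # type: :dir, :file or :symlink

# True when +path+ is +root+ itself or lies underneath it.
def inside?(root, path)
  path == root || path.start_with?(root + File::SEPARATOR)
end

# Real (symlink-resolved) path of the closest existing ancestor of +path+.
def real_ancestor(path)
  path = File.dirname(path) until File.exist?(path)
  File.realpath(path)
end

# Extract +entries+ under +dest+, rejecting three things a hostile archive
# can try: names that escape +dest+ through "..", symlinks whose target lies
# outside +dest+, and writes that would pass through an existing symlink
# (so a link planted earlier cannot redirect a later file or a removal).
# Returns [extracted_names, rejected_names].
def safe_extract(entries, dest)
  root = File.realpath(dest)
  done, rejected = [], []
  entries.each do |e|
    target = File.expand_path(e.name, root)
    if target == root # "." entry: nothing to create
      done << e.name
      next
    end
    parent = File.dirname(target)
    ok = inside?(root, target) &&
         inside?(root, real_ancestor(parent)) &&
         !File.symlink?(target)
    ok &&= inside?(root, File.expand_path(e.linkname, parent)) if e.type == :symlink
    unless ok
      rejected << e.name
      next
    end
    case e.type
    when :dir     then FileUtils.mkdir_p(target)
    when :file    then FileUtils.mkdir_p(parent); File.write(target, e.data.to_s)
    when :symlink then FileUtils.mkdir_p(parent); File.symlink(e.linkname, target)
    end
    done << e.name
  end
  [done, rejected]
end

# Constructed sample archive: two benign entries, a ".." escape, a symlink
# pointing outside, a write through a planted symlink, and a benign link.
SAMPLE_ENTRIES = [
  TarEntry.new("lib",           :dir,     nil,             nil),
  TarEntry.new("lib/a.rb",      :file,    nil,             "puts 1\n"),
  TarEntry.new("../escape.txt", :file,    nil,             "x"),
  TarEntry.new("evil",          :symlink, "../../outside", nil),
  TarEntry.new("planted/x.txt", :file,    nil,             "x"),
  TarEntry.new("docs",          :symlink, "lib",           nil),
].freeze

# Prepare +dest+ with a symlink already pointing outside it (as an earlier,
# unchecked extraction might have left behind) and extract the sample archive.
def demo(dest)
  outside = File.join(File.dirname(dest), "outside")
  FileUtils.mkdir_p(outside)
  File.symlink(outside, File.join(dest, "planted"))
  safe_extract(SAMPLE_ENTRIES, dest)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|
    dest = File.join(tmp, "dest")
    Dir.mkdir(dest)
    done, rejected = demo(dest)
    puts "extracted: #{done.inspect}"
    puts "rejected:  #{rejected.inspect}"
  end
end
```

The ancestor check is the one most extractors forget: checking the entry name lexically is not enough once a symlink already exists on disk, because the kernel, not the string, decides where the write goes.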
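The four escape sequence injection entries above share one defensive fix: treat every string that arrived from a gem, a gemspec or the gem server as hostile and strip terminal control sequences before printing it. The following is an added example written for this page, not RubyGems' own patch; the sequence classes it covers and the sample metadata strings are constructed for illustration. Only TAB and LF survive, since carriage returns and the other C0 bytes are themselves used to overwrite or hide lines.

```ruby
# Strip terminal control and escape sequences from untrusted text before it
# reaches a terminal. Handled, in this order:
#   OSC  ESC ] ... (BEL | ESC \)            window title and similar commands
#   CSI  ESC [ params intermediates final   cursor movement, colours, clear screen
#   any other ESC followed by one byte
#   remaining C0 control bytes and DEL, except TAB and LF
OSC       = /\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/
CSI       = /\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/
ESC_OTHER = /\x1b./m
C0        = /[\x00-\x08\x0b-\x1f\x7f]/

def sanitize_for_terminal(str)
  # scrub first so gsub never sees invalid UTF-8 from a hostile byte string
  s = str.to_s.dup.force_encoding(Encoding::UTF_8).scrub("?")
  s.gsub(OSC, "").gsub(CSI, "").gsub(ESC_OTHER, "").gsub(C0, "")
end

# Constructed samples of hostile gem metadata fields (not real gems).
SAMPLES = {
  "clear screen + home"  => "evil\e[2J\e[1;1Hgem",
  "set terminal title"   => "\e]0;pwned\agem",
  "title, ST terminated" => "\e]0;pwned\e\\gem",
  "bell + text"          => "name\x07 ok",
  "benign"               => "plain-gem-1.0",
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |label, raw| puts "#{label}: #{sanitize_for_terminal(raw).inspect}" }
end
```

Apply this at the output boundary (the code that writes to the terminal), not at parse time, so that every path to the terminal is covered, including error messages built from attacker-controlled data.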

In addition, Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1 and 6.0.0.beta3 have been released, fixing three vulnerabilities:

  • CVE-2019-5420: possible remote code execution when Rails runs in development mode. With some knowledge of the targeted application, an attacker can predict the automatically generated development-mode secret token, and knowing that token is enough to achieve code execution on the server;
  • CVE-2019-5418: file content disclosure in Action View. If the application calls render with the file: option, a specially crafted HTTP Accept header can make Rails render arbitrary files from the server's file system, disclosing their contents;
  • CVE-2019-5419: denial of service in Action View. Specially crafted contents of the HTTP Accept header can drive a Rails process to 100% CPU.