Package: rails / 2:5.2.2.1+dfsg-1+deb10u3

Metadata

Package   Version                      Patches format
rails     2:5.2.2.1+dfsg-1+deb10u3     3.0 (quilt)

Patch series

Patch | File delta | Description
0001-Be-careful-with-that-bundler.patch

railties/lib/rails/generators/app_base.rb | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 be careful with that bundler


0002-disable-uglify-in-activestorage-rollup-config-js.patch

activestorage/rollup.config.js | 16 10 + 6 - 0 !
1 file changed, 10 insertions(+), 6 deletions(-)

 rollup-plugin-uglify is not packaged, hence disabling it.


CVE-2020-5267.patch

actionview/lib/action_view/helpers/javascript_helper.rb | 6 4 + 2 - 0 !
actionview/test/template/javascript_helper_test.rb | 8 8 + 0 - 0 !
2 files changed, 12 insertions(+), 2 deletions(-)

 fix possible xss vector in js escape helper
 This commit escapes dollar signs and backticks to prevent
 JS XSS issues when using the `j` or `javascript_escape` helper

CVE-2020-8165.patch

activesupport/lib/active_support/cache/mem_cache_store.rb | 14 2 + 12 - 0 !
activesupport/lib/active_support/cache/redis_cache_store.rb | 27 16 + 11 - 0 !
activesupport/test/cache/behaviors/cache_increment_decrement_behavior.rb | 12 6 + 6 - 0 !
activesupport/test/cache/behaviors/cache_store_behavior.rb | 6 3 + 3 - 0 !
activesupport/test/cache/behaviors/encoded_key_cache_behavior.rb | 8 4 + 4 - 0 !
activesupport/test/cache/behaviors/local_cache_behavior.rb | 10 5 + 5 - 0 !
activesupport/test/cache/stores/mem_cache_store_test.rb | 4 2 + 2 - 0 !
activesupport/test/cache/stores/redis_cache_store_test.rb | 3 2 + 1 - 0 !
8 files changed, 40 insertions(+), 44 deletions(-)

 [patch] activesupport: deprecate marshal.load on raw cache read in
 RedisCacheStore


CVE-2020-8162.patch

activestorage/lib/active_storage/service/s3_service.rb | 3 2 + 1 - 0 !
activestorage/test/service/s3_service_test.rb | 23 23 + 0 - 0 !
2 files changed, 25 insertions(+), 1 deletion(-)

 [patch] include content-length in signature for activestorage direct
 upload

[CVE-2020-8162]

CVE-2020-8164.patch

actionpack/lib/action_controller/metal/strong_parameters.rb | 2 2 + 0 - 0 !
actionpack/test/controller/parameters/accessors_test.rb | 8 8 + 0 - 0 !
2 files changed, 10 insertions(+)

 [patch] return self when calling #each, #each_pair, and #each_value
 instead of the raw @parameters hash

[CVE-2020-8164]

CVE-2020-8166.patch

actionpack/lib/action_controller/metal/request_forgery_protection.rb | 33 29 + 4 - 0 !
actionpack/test/controller/request_forgery_protection_test.rb | 33 33 + 0 - 0 !
2 files changed, 62 insertions(+), 4 deletions(-)

 [patch] hmac raw csrf token before masking it, so it cannot be used
 to reconstruct a per-form token

[CVE-2020-8166]

CVE-2020-8167.patch

actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 [patch] check that request is same-origin prior to including csrf
 token in XHRs

[CVE-2020-8167]

CVE-2020-15169.patch

actionview/lib/action_view/helpers/translation_helper.rb | 13 12 + 1 - 0 !
actionview/test/template/translation_helper_test.rb | 7 7 + 0 - 0 !
2 files changed, 19 insertions(+), 1 deletion(-)

 [patch] fix xss vulnerability in `translate` helper

Prior to this commit, when a translation key indicated that the
translation text was HTML, the value returned by `I18n.translate` would
always be marked as `html_safe`.  However, the value returned by
`I18n.translate` could be an untrusted value directly from
`options[:default]`.

This commit ensures values directly from `options[:default]` are not
marked as `html_safe`.

CVE-2021-22904.patch

actionpack/lib/action_controller/metal/http_authentication.rb | 2 1 + 1 - 0 !
actionpack/test/controller/http_token_authentication_test.rb | 10 10 + 0 - 0 !
2 files changed, 11 insertions(+), 1 deletion(-)

 [patch] prevent slow regex when parsing host authorization header

The old regex could take too long when parsing an authorization header,
and this could potentially cause a DoS vulnerability

[CVE-2021-22904]

CVE-2021-22885.patch

actionpack/lib/action_dispatch/routing/polymorphic_routes.rb | 12 8 + 4 - 0 !
actionpack/test/controller/redirect_test.rb | 45 45 + 0 - 0 !
actionview/test/activerecord/polymorphic_routes_test.rb | 22 16 + 6 - 0 !
3 files changed, 69 insertions(+), 10 deletions(-)

 [patch] prevent string polymorphic route arguments

url_for supports building polymorphic URLs via an array
of arguments (usually symbols and records). If an array is passed,
strings can result in unwanted route helper calls.

CVE-2021-22885

CVE-2021-22880.patch

activerecord/lib/active_record/connection_adapters/postgresql/oid/money.rb | 4 2 + 2 - 0 !
activerecord/test/cases/adapters/postgresql/money_test.rb | 12 12 + 0 - 0 !
2 files changed, 14 insertions(+), 2 deletions(-)

 [patch] make currency symbols optional for money column type in
 PostgreSQL