🚨 [security] Update activemodel 7.0.4.3 → 7.0.7.2 (patch) #551

Open · wants to merge 1 commit into master
Conversation

depfu[bot] (Contributor) commented Aug 23, 2023


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ activemodel (indirect, 7.0.4.3 → 7.0.7.2) · Repo · Changelog

Release Notes

7.0.7.1 (from changelog)

  • No changes.

7.0.7 (from changelog)

  • Error.full_message now strips ":base" from the message.

    zzak

  • Add a load hook for ActiveModel::Model (named active_model) to match the load hook for ActiveRecord::Base and allow for overriding aspects of the ActiveModel::Model class.

7.0.6 (from changelog)

  • No changes.

7.0.5.1 (from changelog)

  • No changes.

7.0.5 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on GitHub. The new version differs by 34 commits:

↗️ activerecord (indirect, 7.0.4.3 → 7.0.7.2) · Repo · Changelog

Release Notes

7.0.7.1 (from changelog)

  • No changes.

7.0.7 (from changelog)

  • Restores functionality to the missing method when using enums and fixes.

    paulreece

  • Fix StatementCache::Substitute with serialized type.

    ywenc

  • Fix :db_runtime on notification payload when the application has multiple databases.

    Eileen M. Uchitelle

  • Correctly dump check constraints for MySQL 8.0.16+.

    Steve Hill

  • Fix ActiveRecord::QueryMethods#in_order_of to include nils, to match the behavior of Enumerable#in_order_of.

    For example, Post.in_order_of(:title, [nil, "foo"]) will now include posts with nil titles, the same as Post.all.to_a.in_order_of(:title, [nil, "foo"]).

    fatkodima

  • Revert "Fix autosave associations with validations added on :base of the associated objects."

    This change intended to remove the :base attribute from the message, but broke many assumptions about which key these errors were stored under.

    zzak

  • Fix #previously_new_record? to return true for destroyed records.

    Before, if a record was created and then destroyed, #previously_new_record? would return true. Now, any UPDATE or DELETE to a record is considered a change, and will result in #previously_new_record? returning false.

    Adrianna Chang

  • Revert breaking changes to has_one relationship deleting the old record before the new one is validated.

    zzak

  • Fix support for Active Record instances being used in queries.

    As of 7.0.5, query arguments were deep duped to avoid mutations impacting the query cache, but this had the adverse effect of clearing the primary key when the query argument contained an ActiveRecord::Base instance.

    This broke the noticed gem.

    Jean Boussier

7.0.6 (from changelog)

  • Fix autosave associations with validations added on :base of the associated objects.

    fatkodima

  • Fix result with anonymous PostgreSQL columns of different type from json.

    Oleksandr Avoiants

  • Preserve timestamp when setting an ActiveSupport::TimeWithZone value to timestamptz attribute.

    fatkodima

  • Fix where on association with has_one/has_many polymorphic relations.

    Before:

    Treasure.where(price_estimates: PriceEstimate.all)
    #=> SELECT (...) WHERE "treasures"."id" IN (SELECT "price_estimates"."estimate_of_id" FROM "price_estimates")

    Later:

    Treasure.where(price_estimates: PriceEstimate.all)
    #=> SELECT (...) WHERE "treasures"."id" IN (SELECT "price_estimates"."estimate_of_id" FROM "price_estimates" WHERE "price_estimates"."estimate_of_type" = 'Treasure')

    Lázaro Nixon

  • Fix decrementing counter caches on optimistically locked record deletion

    fatkodima

  • Ensure binary-destined values have binary encoding during type cast.

    Matthew Draper

  • Preserve existing column default functions when altering table in SQLite.

    fatkodima

  • Remove table alias added when using where.missing or where.associated.

    fatkodima

  • Fix Enumerable#in_order_of to only flatten first level to preserve nesting.

    Miha Rekar

7.0.5.1 (from changelog)

  • No changes.

7.0.5 (from changelog)

  • Type cast #attribute_changed? :from and :to options.

    Andrew Novoselac

  • Fix index_exists? when column is an array.

    Eileen M. Uchitelle

  • Handle Date objects for PostgreSQL timestamptz columns.

    Alex Ghiculescu

  • Fix collation for changing column to non-string.

    Hartley McGuire

  • Map through subtype in PostgreSQL::OID::Array.

    Jonathan Hefner

  • Store correct environment in internal_metadata when run rails db:prepare.

    fatkodima

  • Make sure ActiveRecord::Relation#sum works with objects that implement #coerce without deprecation.

    Alex Ghiculescu

  • Fix retrieving foreign keys referencing tables named like keywords in PostgreSQL and MySQL.

    fatkodima

  • Support UUIDs in Disable Joins.

    Samuel Cochran

  • Fix Active Record's explain for queries starting with comments.

    fatkodima

  • Fix incorrectly preloading through association records when middle association has been loaded.

    Joshua Young

  • Fix where.missing and where.associated for parent/child associations.

    fatkodima

  • Fix Enumerable#in_order_of to preserve duplicates.

    fatkodima

  • Fix autoincrement on primary key for mysql.

    Eileen M. Uchitelle

  • Restore ability to redefine column in create_table for Rails 5.2 migrations.

    fatkodima

  • Fix schema cache dumping of virtual columns.

    fatkodima

  • Fix Active Record grouped calculations on joined tables on column present in both tables.

    fatkodima

  • Fix mutation detection for serialized attributes backed by binary columns.

    Jean Boussier

  • Fix a bug where using groups and counts with long table names would return incorrect results.

    Shota Toguchi, Yusaku Ono

  • Use connection from #with_raw_connection in #quote_string.

    Prior to this change, virtual datetime columns did not have the same default precision as regular datetime columns, resulting in the following being erroneously equivalent:

    t.virtual :name, type: datetime,                 as: "expression"
    t.virtual :name, type: datetime, precision: nil, as: "expression"

    This change fixes the default precision lookup, so virtual and regular datetime column default precisions match.

    Sam Bostock

  • Fix a case where the query cache can return wrong values. See #46044

    Aaron Patterson

Does any of this look wrong? Please let us know.

Commits

See the full diff on GitHub. The new version differs by 34 commits:

↗️ activesupport (indirect, 7.0.4.3 → 7.0.7.2) · Repo · Changelog

Security Advisories 🚨

🚨 Possible File Disclosure of Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077
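
The following Ruby script is an added example, not code from Rails or from this PR. It shows the mechanism behind the advisory and both mitigations: a plaintext file created with an ordinary write gets mode 0666 masked by the process umask (so the default umask 0022 leaves it readable by every other local user), whereas Ruby's Tempfile is opened with perm 0600 regardless of umask, which is the approach the 7.0.7.1 fix takes. The sample "plaintext" is a constructed string, the file names and helper functions are my own, and POSIX permission semantics are assumed.

```ruby
# Added example (not Rails or depfu code): how the mode of a plaintext scratch
# file depends on the process umask, and why a Tempfile (perm 0600) does not.
# Assumes POSIX file permissions; helper names and sample data are constructed.
require "tempfile"
require "tmpdir"

# Constructed sample content standing in for decrypted credentials; not a real secret.
PLAINTEXT = "secret_key_base: 0123abcd (constructed sample)".freeze

# Mimics the vulnerable pattern: File.binwrite creates the file with
# mode 0666 & ~umask, so under the common umask 0022 it ends up 0644.
def umask_dependent_write(dir, plaintext)
  path = File.join(dir, "editing.txt")
  File.binwrite(path, plaintext)
  path
end

# Mimics the fixed pattern: Tempfile.create opens the file with perm 0600,
# so only the owner can read it whatever the umask is.
def owner_only_tempfile(dir, plaintext)
  file = Tempfile.create("editing", dir)
  file.binmode
  file.write(plaintext)
  file.close
  file.path
end

# Owner/group/other permission bits of a path, e.g. 0o644.
def mode_bits(path)
  File.stat(path).mode & 0o777
end

# True when any group or world bit is set, i.e. someone other than the
# owner can read or write the file.
def exposed?(mode)
  (mode & 0o077) != 0
end

# Runs both writers under the given umask (restoring the previous umask
# afterwards) and returns [mode of plain file, mode of tempfile].
def modes_under_umask(umask)
  previous = File.umask(umask)
  Dir.mktmpdir("umask-demo") do |dir|
    plain = umask_dependent_write(dir, PLAINTEXT)
    temp  = owner_only_tempfile(dir, PLAINTEXT)
    [mode_bits(plain), mode_bits(temp)]
  end
ensure
  File.umask(previous) if previous
end

if __FILE__ == $PROGRAM_NAME
  # Default umask 0022 vs. the advisory's workaround umask 0077.
  [0o022, 0o077].each do |umask|
    plain, temp = modes_under_umask(umask)
    printf("umask %04o: File.binwrite -> %04o (exposed: %s), Tempfile -> %04o (exposed: %s)\n",
           umask, plain, exposed?(plain), temp, exposed?(temp))
  end
end
```

Under umask 0022 the plain write yields 0644 while the Tempfile stays 0600; under the workaround umask 0077 both are 0600. A quick check on a host running an affected release is therefore to inspect the mode of the scratch file under tmp/ while credentials are being edited, or simply to confirm the editing shell's umask with `umask` before running the credentials editor.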

Release Notes

7.0.7.1 (from changelog)

  • Use a temporary file for storing unencrypted files while editing

    [CVE-2023-38037]

7.0.7 (from changelog)

  • Fix Cache::NullStore with local caching for repeated reads.

    fatkodima

  • Fix to_s with no arguments not respecting custom :default formats

    Hartley McGuire

  • Fix ActiveSupport::Inflector.humanize(nil) raising NoMethodError: undefined method `end_with?' for nil:NilClass.

    James Robinson

  • Fix Enumerable#sum for Enumerator#lazy.

    fatkodima, Matthew Draper, Jonathan Hefner

  • Improve error message when EventedFileUpdateChecker is used without a compatible version of the Listen gem

    Hartley McGuire

7.0.6 (from changelog)

  • Fix EncryptedConfiguration returning incorrect values for some Hash methods

    Hartley McGuire

  • Fix arguments being destructured in Enumerable#many? with a block.

    Andrew Novoselac

  • Fix humanize for strings ending with id.

    fatkodima

7.0.5.1 (from changelog)

  • No changes.

7.0.5 (from changelog)

  • Fixes TimeWithZone ArgumentError.

    Niklas Häusele

Does any of this look wrong? Please let us know.

Commits

See the full diff on GitHub. The new version differs by 34 commits:

↗️ i18n (indirect, 1.12.0 → 1.14.1) · Repo · Changelog

Release Notes

1.14.1

Included in this release

  • Simplify the "Translation missing" message when default is an empty Array by @amatsuda in #662

Maintenance stuff

Thanks to @amatsuda for these PRs!

New Contributors

Full Changelog: v1.14.0...v1.14.1

1.14.0

What's Changed

  • fix LazyLoadable#available_locales duplicating locales by @ccutrer in #655
  • Add more helpful translation error when :default option is provided. by @Nerian in #654
  • Fix I18n::Locale::Fallbacks not initializing itself on Ruby 3 by @yheuhtozr in #653
  • Fix I18n.t when locale contains separator by @tubaxenor in #656
    • This reverts a change from #651, that was released in v1.13.0

New Contributors

Full Changelog: v1.13.0...v1.14.0

1.13.0

What's Changed

New Contributors

Full Changelog: v1.12.0...v1.13.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on GitHub. The new version differs by 51 commits:

↗️ minitest (indirect, 5.18.0 → 5.19.0) · Repo · Changelog

Release Notes

5.19.0 (from changelog)

  • 2 minor enhancements:

    • Add metadata lazy accessor to Runnable / Result. (matteeyah)

    • Only load minitest/unit (aka ancient MiniTest compatibility layer) if ENV

  • 1 bug fix:

    • Minitest::TestTask enthusiastically added itself to default. (ParadoxV5)

5.18.1 (from changelog)

  • 3 bug fixes:

    • Avoid extra string allocations when filtering tests. (tenderlove)

    • Only mention deprecated ENV if it is an integer string.

    • Push up test_order to Minitest::Runnable to fix minitest/hell. (koic)

Does any of this look wrong? Please let us know.

Commits

See the full diff on GitHub. The new version differs by 12 commits:


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  @depfu rebase
    Rebases against your default branch and redoes this update
  @depfu recreate
    Recreates this PR, overwriting any edits that you've made to it
  @depfu merge
    Merges this PR once your tests are passing and conflicts are resolved
  @depfu cancel merge
    Cancels automatic merging of this PR
  @depfu close
    Closes this PR and deletes the branch
  @depfu reopen
    Restores the branch and reopens this PR (if it's closed)
  @depfu pause
    Ignores all future updates for this dependency and closes this PR
  @depfu pause [minor|major]
    Ignores all future minor/major updates for this dependency and closes this PR
  @depfu resume
    Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Aug 23, 2023