Update to Rails v6.0.3.6

Stan Hu requested to merge sh-update-rails-6.0.3.6 into master

Changes:

Release notes: https://github.com/rails/rails/releases

6.0.3.6

Active Storage

Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.

6.0.3.5

Active Record

Fix possible DoS vector in PostgreSQL money type

Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.

Thanks to @dee-see from Hackerone for this patch!

[CVE-2021-22880]

Aaron Patterson

Action Pack

Prevent open redirect when allowed host starts with a dot

[CVE-2021-22881]

Thanks to @TkTech (https://hackerone.com/tktech) for reporting this
issue and the patch!

Aaron Patterson
Edited by Stan Hu