dep: bump rails from 6.0.3.4 to 6.0.3.5 (!432) · Merge requests · multiple-projects / imported-project-acde40d48b76f2fa

George Koltsov requested to merge dependabot-bundler-rails-6.0.3.5 into master Feb 11, 2021

Bumps rails from 6.0.3.4 to 6.0.3.5.

Release notes

6.0.3.5

Active Support

No changes.

Active Model

No changes.

Active Record

Fix possible DoS vector in PostgreSQL money type

Carefully crafted input can cause a DoS via the regular expressions used for validating the money format in the PostgreSQL adapter. This patch fixes the regexp.

Thanks to @dee-see from Hackerone for this patch!

[CVE-2021-22880]

Aaron Patterson

Action View

No changes.

Action Pack

Prevent open redirect when allowed host starts with a dot

[CVE-2021-22881]

Thanks to @tktech (https://hackerone.com/tktech) for reporting this issue and the patch!

Aaron Patterson

... (truncated)

Commits

c5929d5 Preparing for 6.0.3.5 release
e330927 Prevent open redirect when allowed host starts with a dot
879d021 Fix possible DoS vector in PostgreSQL money type
See full diff in compare view

Admin message

Admin message

dep: bump rails from 6.0.3.4 to 6.0.3.5

6.0.3.5

Active Support

Active Model

Active Record

Action View

Action Pack

Merge request reports