Skip to content

dep: bump rails from 6.0.3.4 to 6.0.3.5

George Koltsov requested to merge dependabot-bundler-rails-6.0.3.5 into master

Bumps rails from 6.0.3.4 to 6.0.3.5.

Release notes

Sourced from rails's releases.

6.0.3.5

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Fix possible DoS vector in PostgreSQL money type

    Carefully crafted input can cause a DoS via the regular expressions used for validating the money format in the PostgreSQL adapter. This patch fixes the regexp.

    Thanks to @dee-see from Hackerone for this patch!

    [CVE-2021-22880]

    Aaron Patterson

Action View

  • No changes.

Action Pack

  • Prevent open redirect when allowed host starts with a dot

    [CVE-2021-22881]

    Thanks to @tktech (https://hackerone.com/tktech) for reporting this issue and the patch!

    Aaron Patterson

... (truncated)

Commits
  • c5929d5 Preparing for 6.0.3.5 release
  • e330927 Prevent open redirect when allowed host starts with a dot
  • 879d021 Fix possible DoS vector in PostgreSQL money type
  • See full diff in compare view

Merge request reports

Loading