departurerb / departure

Percona's pt-online-schema-change runner for ActiveRecord migrations.


New release required due to XSS security issues

lao opened this issue · comments

Due to the following vulnerability:

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Full content: https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533

The latest released version of the gem does not allow us to fix this vulnerability. In version 6.3.0, the latest release, we have this version range:

['>= 5.2.0', '<= 6.1']

RAILS_DEPENDENCY_VERSION = ENV.fetch('RAILS_VERSION', ['>= 5.2.0', '<= 6.1'])

Which does not allow us to update railties and actionrecord to version 6.1.5.1, which fixes the security issues.

Is there a reason why master was not released? It seems to have a version range that corrects the issue.
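A quick way to check what that constraint actually admits, as an added example (not code from the departure project), using RubyGems' own Gem::Requirement, which is the same comparison Bundler applies when resolving. The alternative upper bound `< 6.2` is a constructed comparison for illustration, not the range on master.

```ruby
require 'rubygems'

# Dependency range from departure 6.3.0, as quoted in the issue above.
DEPARTURE_6_3_0_RANGE = ['>= 5.2.0', '<= 6.1'].freeze

# Rails versions that fix CVE-2022-22577, as listed in the advisory quoted above.
FIXED_RAILS_VERSIONS = %w[7.0.2.4 6.1.5.1 6.0.4.8 5.2.7.1].freeze

# Constructed alternative for comparison only (assumption, not the range on master):
# an exclusive upper bound that still admits every 6.1.x patch release.
EXCLUSIVE_UPPER_RANGE = ['>= 5.2.0', '< 6.2'].freeze

# True when +version+ satisfies every constraint in +range+.
def allowed_by?(range, version)
  Gem::Requirement.new(*range).satisfied_by?(Gem::Version.new(version))
end

# Fixed versions that a given range would let the resolver pick.
def installable_fixes(range, fixed = FIXED_RAILS_VERSIONS)
  fixed.select { |v| allowed_by?(range, v) }
end

# Fixed versions the range rules out; these are the upgrades a pinned
# dependency like the one in the issue silently blocks.
def blocked_fixes(range, fixed = FIXED_RAILS_VERSIONS)
  fixed - installable_fixes(range, fixed)
end

if __FILE__ == $PROGRAM_NAME
  # '<= 6.1' compares against the exact version 6.1, so 6.1.5.1 is greater
  # than the bound and is excluded, even though it is "in the 6.1 series".
  puts "6.1.5.1 allowed by '<= 6.1'?  #{allowed_by?(DEPARTURE_6_3_0_RANGE, '6.1.5.1')}"
  puts "Installable fixes: #{installable_fixes(DEPARTURE_6_3_0_RANGE).inspect}"
  puts "Blocked fixes:     #{blocked_fixes(DEPARTURE_6_3_0_RANGE).inspect}"
  puts "6.1.5.1 allowed by '< 6.2'?   #{allowed_by?(EXCLUSIVE_UPPER_RANGE, '6.1.5.1')}"
end
```

The same check can be run against any gemspec range and advisory fix list to confirm, before cutting a release, that the patched version is actually reachable.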

I'm also looking forward to finding out more about it.

I'm closing this as a duplicate of #68. A release should be coming up shortly; you should monitor that issue for news.