New release required due to XSS security issues
lao opened this issue
Due to the following vulnerability:
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.
Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
Full content: https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
The latest released version of the gem is not allowing us to fix this vulnerability. In the version 6.3.0, the latest release, we have this version range:
['>= 5.2.0', '<= 6.1']
Line 10 in 2ccf2f3
Which does not allow us to update railties and actionrecord to version 6.1.5.1, which fixes the security issues.
Is there a reason why master was not released? It seems to have a version range that corrects the issue.
I'm also looking forward to finding out more about it.
I'm closing this as a duplicate of #68. A release should be coming up shortly; you should monitor that issue for news.
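The constraint problem described in the issue, as an added example that is not part of the original thread or the gem's own code: it checks which of the advisory's fixed versions the 6.3.0 range admits, and whether an installed version has any patched upgrade target. `RELAXED` and the installed versions in the loop are constructed assumptions; `RELAXED` is not the range on master.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Constraint quoted in the issue for release 6.3.0 of the gem.
RELEASED = Gem::Requirement.new(">= 5.2.0", "<= 6.1")
# Hypothetical relaxed constraint for comparison (an assumption, not the range on master).
RELAXED = Gem::Requirement.new(">= 5.2.0", "< 6.2")

# Fixed versions from the CVE-2022-22577 advisory quoted in the issue.
FIXED = %w[5.2.7.1 6.0.4.8 6.1.5.1 7.0.2.4].map { |v| Gem::Version.new(v) }.freeze

# Fixed releases that the dependency constraint lets the resolver pick.
def reachable_fixes(requirement)
  FIXED.select { |v| requirement.satisfied_by?(v) }.map(&:to_s)
end

# Lowest fixed release at or above the installed version that the constraint
# admits, or nil when the constraint blocks every patched upgrade target.
def remediation_for(installed, requirement)
  current = Gem::Version.new(installed)
  target = FIXED.select { |v| v >= current && requirement.satisfied_by?(v) }.min
  target&.to_s
end

if __FILE__ == $PROGRAM_NAME
  { "released 6.3.0 range" => RELEASED, "hypothetical range" => RELAXED }.each do |label, req|
    puts "#{label} (#{req}): reachable fixes = #{reachable_fixes(req).inspect}"
    # Constructed installed versions, one per affected series the range covers.
    %w[5.2.6 6.0.4 6.1.0].each do |installed|
      target = remediation_for(installed, req) || "none (blocked by constraint)"
      puts "  installed #{installed} -> upgrade target: #{target}"
    end
  end
end
```

`'<= 6.1'` compares as `<= 6.1.0`, so every 6.1.x patch release, including 6.1.5.1, falls outside the range while the 5.2 and 6.0 fixes remain installable.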