🚨 [security][ruby] Update all of rails: 6.0.2.2 → 6.0.3.3 (patch)


Description

🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible.
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?


✳️ rails (6.0.2.2 → 6.0.3.3) · Repo


Release Notes

6.0.3


In this version, we fixed warnings when used with Ruby 2.7 across the entire framework.

Following are the list of other changes, per-framework.

Active Support

  • Array#to_sentence no longer returns a frozen string.

    Before:

    ['one', 'two'].to_sentence.frozen?
    # => true
    

    After:

    ['one', 'two'].to_sentence.frozen?
    # => false
    

    Nicolas Dular

  • Update ActiveSupport::Messages::Metadata#fresh? to work for cookies with expiry set when
    ActiveSupport.parse_json_times = true.

    Christian Gregg

Active Model

  • No changes.

Active Record

  • Recommend applications don't use the database kwarg in connected_to

    The database kwarg in connected_to was meant to be used for one-off scripts but is often used in requests. This is really dangerous because it re-establishes a connection every time. It's deprecated in 6.1 and will be removed in 6.2 without replacement. This change soft deprecates it in 6.0 by removing documentation.

    Eileen M. Uchitelle

  • Fix support for PostgreSQL 11+ partitioned indexes.

    Sebastián Palma

  • Add support for beginless ranges, introduced in Ruby 2.7.

    Josh Goodall

  • Fix insert_all with enum values

    Fixes #38716.

    Joel Blum

  • Regexp-escape table name for MS SQL

    Add Regexp.escape to one method in ActiveRecord, so that table names with regular expression characters in them work as expected. Since MS SQL Server uses "[" and "]" to quote table and column names, and those characters are regular expression characters, methods like pluck and select fail in certain cases when used with the MS SQL Server adapter.

    Larry Reid

  • Store advisory locks on their own named connection.

    Previously advisory locks were taken out against a connection when a migration started. This works fine in single database applications but doesn't work well when migrations need to open new connections which results in the lock getting dropped.

    In order to fix this we are storing the advisory lock on a new connection with the connection specification name AdvisoryLockBase. The caveat is that we need to maintain at least 2 connections to a database while migrations are running in order to do this.

    Eileen M. Uchitelle, John Crepezzi

  • Ensure :reading connections always raise if a write is attempted.

    Now Rails will raise an ActiveRecord::ReadOnlyError if any connection on the reading handler attempts to make a write. If your reading role needs to write you should name the role something other than :reading.

    Eileen M. Uchitelle

  • Enforce fresh ETag header after a collection's contents change by adding
    ActiveRecord::Relation#cache_key_with_version. This method will be used by
    ActionController::ConditionalGet to ensure that when collection cache versioning
    is enabled, requests using ConditionalGet don't return the same ETag header
    after a collection is modified. Fixes #38078.

    Aaron Lipman

  • A database URL can now contain a querystring value that contains an equal sign. This is needed to support passing PostgreSQL options.

    Joshua Flanagan

  • Retain explicit selections on the base model after applying includes and joins.

    Resolves #34889.

    Patrick Rebsch

Action View

  • annotated_source_code returns an empty array so TemplateErrors without a
    template in the backtrace are surfaced properly by DebugExceptions.

    Guilherme Mansur, Kasper Timm Hansen

  • Add autoload for SyntaxErrorInTemplate so syntax errors are correctly raised by DebugExceptions.

    Guilherme Mansur, Gannon McGibbon

Action Pack

  • Include child session assertion count in ActionDispatch::IntegrationTest

    IntegrationTest#open_session uses dup to create the new session, which
    meant it had its own copy of @assertions. This prevented the assertions
    from being correctly counted and reported.

    Child sessions now have their attr_accessor overridden to delegate to the
    root session.

    Fixes #32142

    Sam Bostock

Active Job

  • While using the perform_enqueued_jobs test helper, enqueued jobs must be stored for the later check with
    assert_enqueued_with.

    Dmitry Polushkin

  • Add queue name support to Que adapter

    Brad Nauta, Wojciech Wnętrzak

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • Update Mandrill inbound email route to respond appropriately to HEAD requests for URL health checks from Mandrill.

    Bill Cromie

Action Text

  • No changes.

Railties

  • Cache compiled view templates when running tests by default

    When generating a new app without --skip-spring, caching classes is
    disabled in environments/test.rb. This implicitly disables caching
    view templates too. This change will enable view template caching by
    adding this to the generated environments/test.rb:

    config.action_view.cache_template_loading = true

    Jorge Manrubia

  • Rails::Application#eager_load! is available again to load application code
    manually as it was possible in previous versions.

    Please, note this is not integrated with the whole eager loading logic that
    runs when Rails boots with eager loading enabled, you can think of this
    method as a vanilla recursive code loader.

    This ability has been restored because there are some use cases for it, such
    as indexers that need to have all application classes and modules in memory.

    Xavier Noria

  • Generators that inherit from NamedBase respect --force option

    Josh Brody

  • Regression fix: The Rake task zeitwerk:check supports eager loaded
    namespaces which do not have eager load paths, like the recently added
    i18n. These namespaces are only required to respond to eager_load!.

    Xavier Noria


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ actioncable (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


Release Notes

6.0.3.2 (from changelog)


  • No changes.

6.0.3.1 (from changelog)


  • No changes.

6.0.3 (from changelog)


  • No changes.

Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ actionmailbox (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


↗️ actionmailer (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


Release Notes

6.0.3.2 (from changelog)


  • No changes.

6.0.3.1 (from changelog)


  • No changes.

6.0.3 (from changelog)


  • No changes.

Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ actionpack (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


Security Advisories 🚨

🚨 Untrusted users able to run pending migrations in production


There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed
an untrusted user to run any pending migrations on a Rails app running in
production.

This vulnerability has been assigned the CVE identifier CVE-2020-8185.

Versions Affected: 6.0.0 < rails < 6.0.3.2
Not affected: Applications with config.action_dispatch.show_exceptions = false (this is not a default setting in production)
Fixed Versions: rails >= 6.0.3.2

Impact

Using this issue, an attacker would be able to execute any migrations that
are pending for a Rails app running in production mode. It is important to
note that an attacker is limited to running migrations the application
developer has already defined in their application and ones that have not
already ran.

Workarounds

Until such time as the patch can be applied, application developers should
disable the ActionDispatch middleware in their production environment via
a line such as this one in their config/environments/production.rb:

config.middleware.delete ActionDispatch::ActionableExceptions


🚨 Possible Strong Parameters Bypass in ActionPack


There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3
Not affected: rails < 4.0.0
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

In some cases user supplied information can be inadvertently leaked from
Strong Parameters. Specifically the return value of each, or each_value,
or each_pair will return the underlying "untrusted" hash of data that was
read from the parameters. Applications that use this return value may
inadvertently use untrusted user input.

Impacted code will look something like this:

def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
  params.each { |k, v| SomeModel.check(v) if k == :name }
end

Note the mistaken use of each in the clean_up_params method in the above
example.

Workarounds

Do not use the return values of each, each_value, or each_pair in your
application.


🚨 Ability to forge per-form CSRF tokens given a global CSRF token


It is possible, given a global CSRF token such as the one present in the
authenticity_token meta tag, to forge a per-form CSRF token for any action
for that session.

Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications without existing HTML injection vulnerabilities.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Given the ability to extract the global CSRF token, an attacker would be able to
construct a per-form CSRF token for that session.

Workarounds

This is a low-severity security issue. As such, no workaround is necessary
until such time as the application can be upgraded.


Release Notes

6.0.3.2 (from changelog)


  • [CVE-2020-8185] Only allow ActionableErrors if show_detailed_exceptions is enabled

6.0.3.1 (from changelog)


  • [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token

  • [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash


6.0.3 (from changelog)


  • Include child session assertion count in ActionDispatch::IntegrationTest

    IntegrationTest#open_session uses dup to create the new session, which meant it had its own copy of @assertions. This prevented the assertions from being correctly counted and reported.

    Child sessions now have their attr_accessor overridden to delegate to the root session.

    Fixes #32142

    Sam Bostock


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ actiontext (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


Release Notes

6.0.3.2 (from changelog)


  • No changes.

6.0.3.1 (from changelog)


  • No changes.

6.0.3 (from changelog)


  • No changes.

Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ actionview (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


Security Advisories 🚨

🚨 Potential XSS vulnerability in Action View


There is a potential Cross-Site Scripting (XSS) vulnerability in Action
View's translation helpers. Views that allow the user to control the
default (not found) value of the t and translate helpers could be
susceptible to XSS attacks.

Impact

When an HTML-unsafe string is passed as the default for a missing
translation key named html or ending in _html,
the default string is incorrectly marked as HTML-safe and not escaped.
Vulnerable code may look like the following examples:

<%# The welcome_html translation is not defined for the current locale: %>
<%= t("welcome_html", default: untrusted_user_controlled_string) %>

<%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>
<%= t("title.html", default: [:"missing.html", untrusted_user_controlled_string]) %>

Workarounds

Impacted users who can’t upgrade to a patched Rails version can avoid
this issue by manually escaping default translations with the
html_escape helper (aliased as h):

<%= t("welcome_html", default: h(untrusted_user_controlled_string)) %>
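As an added example (not code from the advisory or from Rails), the plain-Ruby helper below models the workaround: it recognises the key shapes the advisory names (a last segment of html, or one ending in _html) and HTML-escapes every literal string default for such keys with the standard-library ERB::Util.html_escape, while leaving the Symbol fallback keys of an Array default untouched. The translate method is a constructed stand-in for the t helper, assumed here only to show the escaped default flowing through the lookup.

```ruby
require "erb"

module SafeTranslationDefault
  module_function

  # Matches the key shapes the advisory names: "html", "welcome_html", "title.html".
  def html_key?(key)
    last = key.to_s.split(".").last.to_s
    last == "html" || last.end_with?("_html")
  end

  # Returns the default with every literal String escaped for an HTML key.
  # Symbols in an Array default are fallback keys and are passed through.
  # Non-HTML keys are returned unchanged, since Rails escapes those itself.
  def escape_default(key, default)
    return default unless html_key?(key)

    case default
    when String then ERB::Util.html_escape(default)
    when Array  then default.map { |d| d.is_a?(String) ? ERB::Util.html_escape(d) : d }
    else default
    end
  end

  # Constructed stand-in for the t helper (assumption, not Rails' implementation):
  # looks the key up in a small translations table, then walks the escaped
  # default, trying Symbols as fallback keys and returning the first String.
  def translate(translations, key, default:)
    return translations[key.to_s] if translations.key?(key.to_s)

    Array(escape_default(key, default)).each do |d|
      return translations[d.to_s] if d.is_a?(Symbol) && translations.key?(d.to_s)
      return d if d.is_a?(String)
    end
    "translation missing: #{key}"
  end
end
```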

🚨 CSRF Vulnerability in rails-ujs


There is a vulnerability in rails-ujs that allows attackers to send
CSRF tokens to wrong domains.

Versions Affected: rails <= 6.0.3
Not affected: Applications which don't use rails-ujs.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

This is a regression of CVE-2015-1840.

In the scenario where an attacker might be able to control the href attribute of an anchor tag or
the action attribute of a form tag that will trigger a POST action, the attacker can set the
href or action to a cross-origin URL, and the CSRF token will be sent.

Workarounds

To work around this problem, change code that allows users to control the href attribute of an anchor
tag or the action attribute of a form tag to filter the user parameters.

For example, code like this:

link_to params

to code like this:

link_to filtered_params

def filtered_params
  # Filter just the parameters that you trust
end

Release Notes

6.0.3.2 (from changelog)


  • No changes.

6.0.3.1 (from changelog)


  • [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs

6.0.3 (from changelog)


  • annotated_source_code returns an empty array so TemplateErrors without a template in the backtrace are surfaced properly by DebugExceptions.

    Guilherme Mansur, Kasper Timm Hansen

  • Add autoload for SyntaxErrorInTemplate so syntax errors are correctly raised by DebugExceptions.

    Guilherme Mansur, Gannon McGibbon


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ activejob (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


Release Notes

6.0.3.2 (from changelog)


  • No changes.

6.0.3.1 (from changelog)


  • No changes.

6.0.3 (from changelog)


  • While using the perform_enqueued_jobs test helper, enqueued jobs must be stored for the later check with assert_enqueued_with.

    Dmitry Polushkin

  • Add queue name support to Que adapter

    Brad Nauta, Wojciech Wnętrzak


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ activemodel (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


Release Notes

6.0.3.2 (from changelog)


  • No changes.

6.0.3.1 (from changelog)


  • No changes.

6.0.3 (from changelog)


  • No changes.

Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ activerecord (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


Release Notes

6.0.3.2 (from changelog)


  • No changes.

6.0.3.1 (from changelog)


  • No changes.

6.0.3 (from changelog)


  • Recommend applications don't use the database kwarg in connected_to

    The database kwarg in connected_to was meant to be used for one-off scripts but is often used in requests. This is really dangerous because it re-establishes a connection every time. It's deprecated in 6.1 and will be removed in 6.2 without replacement. This change soft deprecates it in 6.0 by removing documentation.

    Eileen M. Uchitelle

  • Fix support for PostgreSQL 11+ partitioned indexes.

    Sebastián Palma

  • Add support for beginless ranges, introduced in Ruby 2.7.

    Josh Goodall

  • Fix insert_all with enum values

    Fixes #38716.

    Joel Blum

  • Regexp-escape table name for MS SQL

    Add Regexp.escape to one method in ActiveRecord, so that table names with regular expression characters in them work as expected. Since MS SQL Server uses "[" and "]" to quote table and column names, and those characters are regular expression characters, methods like pluck and select fail in certain cases when used with the MS SQL Server adapter.

    Larry Reid

  • Store advisory locks on their own named connection.

    Previously advisory locks were taken out against a connection when a migration started. This works fine in single database applications but doesn't work well when migrations need to open new connections which results in the lock getting dropped.

    In order to fix this we are storing the advisory lock on a new connection with the connection specification name AdvisoryLockBase. The caveat is that we need to maintain at least 2 connections to a database while migrations are running in order to do this.

    Eileen M. Uchitelle, John Crepezzi

  • Ensure :reading connections always raise if a write is attempted.

    Now Rails will raise an ActiveRecord::ReadOnlyError if any connection on the reading handler attempts to make a write. If your reading role needs to write you should name the role something other than :reading.

    Eileen M. Uchitelle

  • Enforce fresh ETag header after a collection's contents change by adding ActiveRecord::Relation#cache_key_with_version. This method will be used by ActionController::ConditionalGet to ensure that when collection cache versioning is enabled, requests using ConditionalGet don't return the same ETag header after a collection is modified. Fixes #38078.

    Aaron Lipman

  • A database URL can now contain a querystring value that contains an equal sign. This is needed to support passing PostgreSQL options.

    Joshua Flanagan

  • Retain explicit selections on the base model after applying includes and joins.

    Resolves #34889.

    Patrick Rebsch


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ activestorage (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


Security Advisories 🚨

🚨 Circumvention of file size limits in ActiveStorage


There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a
direct file upload to be modified by an end user.

Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1
Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a
new signature from the server. This could be used to bypass controls in place on the server to limit upload size.

Workarounds

This is a low-severity security issue. As such, no workaround is necessary
until such time as the application can be upgraded.


Release Notes

6.0.3.2 (from changelog)


  • No changes.

6.0.3.1 (from changelog)


  • [CVE-2020-8162] Include Content-Length in signature for ActiveStorage direct upload

6.0.3 (from changelog)


  • No changes.

Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ activesupport (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


Security Advisories 🚨

🚨 Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore


There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

data = cache.fetch("demo", raw: true) { untrusted_string }

Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds

It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the raw argument should be double-checked to ensure that they conform to the expected format.
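As an added example, not ActiveSupport's own code, the plain-Ruby module below implements the double-check recommended above for strings cached with raw: true: it refuses any value that starts with the Marshal stream header and accepts only strings matching the format the application expects. VulnerableStore is a constructed in-memory stand-in (an assumption for illustration, not a real Rails cache store) showing why the check matters: like the unpatched stores, it Marshal.loads whatever parses as a Marshal stream when a raw value is read back without the raw flag.

```ruby
module RawCacheGuard
  # Every Marshal.dump output begins with the format version bytes (4, 8).
  MARSHAL_HEADER = [Marshal::MAJOR_VERSION, Marshal::MINOR_VERSION].pack("CC").b.freeze

  module_function

  # True when the bytes would be treated as a Marshal stream on a non-raw read.
  def marshal_like?(value)
    value.to_s.b.start_with?(MARSHAL_HEADER)
  end

  # Returns the string when it is safe to write with raw: true, otherwise nil.
  # expected: a Regexp describing the only shape the application should cache.
  def safe_raw_value(value, expected:)
    str = value.to_s
    return nil if marshal_like?(str)
    return nil unless expected.match?(str)

    str
  end

  # Constructed stand-in for an unpatched store: a raw write stores bytes as-is,
  # and a later non-raw read Marshal.loads them if they parse as a stream.
  class VulnerableStore
    def initialize
      @data = {}
    end

    def write(key, value)
      @data[key] = value.to_s.b
    end

    def read(key)
      bytes = @data[key]
      return nil if bytes.nil?

      begin
        Marshal.load(bytes)          # untrusted bytes become a Ruby object here
      rescue TypeError, ArgumentError
        bytes                        # not a Marshal stream: returned as plain text
      end
    end
  end
end
```

Reading and writing the same key with different values of the raw flag is exactly the inconsistency the advisory warns about; the guard above is a stopgap for the raw path, not a substitute for the upgrade.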


Release Notes

6.0.3.2 (from changelog)


  • No changes.

6.0.3.1 (from changelog)


  • [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore

  • [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore


6.0.3 (from changelog)


  • Array#to_sentence no longer returns a frozen string.

    Before:

    ['one', 'two'].to_sentence.frozen?
    # => true
    

    After:

    ['one', 'two'].to_sentence.frozen?
    # => false
    

    Nicolas Dular

  • Update ActiveSupport::Messages::Metadata#fresh? to work for cookies with expiry set when ActiveSupport.parse_json_times = true.

    Christian Gregg


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ concurrent-ruby (indirect, 1.1.6 → 1.1.7) · Repo · Changelog


Release Notes

1.1.7 (from changelog)


concurrent-ruby:

  • (#879) Consider falsy value on Concurrent::Map#compute_if_absent for fast non-blocking path
  • (#876) Reset Async queue on forking, makes Async fork-safe
  • (#856) Avoid running problematic code in RubyThreadLocalVar on MRI that occasionally results in segfault
  • (#853) Introduce ThreadPoolExecutor without a Queue

Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ i18n (indirect, 1.8.2 → 1.8.5) · Repo · Changelog


Release Notes

1.8.4


  • Fixed issue where fallbacks were not working when I18n.fallbacks was an array - #534
  • Fixed conditional around deprecating constant of INTERPOLATION_PATTERN - #531

1.8.3


Compare view: v1.8.2...v1.8.3

Features/Improvements

  • Memory and speed improvements - #527+ #528
  • Add option to disable fallbacks for I18n.exists? check - #482
  • Add an on_fallback hook to allow users to be notified when a fallback happens - #520

Bugfixes

  • Fix an issue with deep_merge and chain fallback backends - #499 & #509
  • Fix an issue with Rails ordinal number proc and keyword splatting - #521
  • Pass options as keyword arguments to translation procs - #529
  • Fix pluralize on unknown locale with attributes - #519

Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ loofah (indirect, 2.4.0 → 2.7.0) · Repo · Changelog


Release Notes

2.7.0


2.7.0 / 2020-08-26

Features

  • Allow CSS properties page-break-before, page-break-inside, and page-break-after. [#190] (Thanks, @ahorek!)

Fixes

  • Don't drop the !important rule from some CSS properties. [#191] (Thanks, @b7kich!)

2.6.0 (from changelog)


Features


2.5.0 (from changelog)


Features

  • Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)

Fixes

  • Remove comments from Loofah::HTML::Documents that exist outside the html element. [#80]

Other changes


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ mimemagic (indirect, 0.3.4 → 0.3.5) · Repo · Changelog


Release Notes

0.3.5 (from changelog)


Mimetype extensions are now ordered by freedesktop.org's priority


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ minitest (indirect, 5.14.0 → 5.14.2) · Repo · Changelog


Release Notes

5.14.2 (from changelog)


  • 1 bug fix:

    • Bumped ruby version to include 3.0 (trunk).


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ nio4r (indirect, 2.5.2 → 2.5.3) · Repo · Changelog


Release Notes

2.5.3 (from changelog)



Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ nokogiri (indirect, 1.10.9 → 1.10.10) · Repo · Changelog


Release Notes

1.10.10


1.10.10 / 2020-07-06

Features

  • [MRI] Cross-built Windows gems now support Ruby 2.7 [#2029]. Note that prior to this release, the v1.11.x prereleases provided this support.

Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ railties (indirect, 6.0.2.2 → 6.0.3.3) · Repo · Changelog


Release Notes

6.0.3.2 (from changelog)


  • No changes.

6.0.3.1 (from changelog)


  • No changes.

6.0.3 (from changelog)


  • Cache compiled view templates when running tests by default

    When generating a new app without --skip-spring, caching classes is disabled in environments/test.rb. This implicitly disables caching view templates too. This change will enable view template caching by adding this to the generated environments/test.rb:

    config.action_view.cache_template_loading = true

    Jorge Manrubia

  • Rails::Application#eager_load! is available again to load application code manually as it was possible in previous versions.

    Please, note this is not integrated with the whole eager loading logic that runs when Rails boots with eager loading enabled, you can think of this method as a vanilla recursive code loader.

    This ability has been restored because there are some use cases for it, such as indexers that need to have all application classes and modules in memory.

    Xavier Noria

  • Generators that inherit from NamedBase respect --force option

    Josh Brody

  • Regression fix: The Rake task zeitwerk:check supports eager loaded namespaces which do not have eager load paths, like the recently added i18n. These namespaces are only required to respond to eager_load!.

    Xavier Noria


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ sprockets (indirect, 4.0.0 → 4.0.2) · Repo · Changelog


Release Notes

4.0.2 (from changelog)


  • Fix etag and digest path compilation that were generating string with invalid digest since 4.0.1.

4.0.1 (from changelog)


  • Fix for Ruby 2.7 keyword arguments warning in base.rb. #660
  • Fix for when x_sprockets_linecount is missing from a source map.
  • Fix subresource integrity to match the digest of the asset.

Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ tzinfo (indirect, 1.2.6 → 1.2.7) · Repo · Changelog


Release Notes

1.2.7


  • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
  • Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ websocket-driver (indirect, 0.7.1 → 0.7.3) · Repo · Changelog


Release Notes

0.7.3 (from changelog)


  • Let the client accept HTTP responses that have an empty reason phrase following the 101 status code

0.7.2 (from changelog)


  • Emit ping and pong events from the Server driver
  • Handle draft-76 handshakes correctly if the request's body is a frozen string

Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ websocket-extensions (indirect, 0.1.4 → 0.1.5) · Repo · Changelog


Security Advisories 🚨

🚨 Regular Expression Denial of Service in websocket-extensions (RubyGem)


Impact

The ReDoS flaw allows an attacker to exhaust the server's capacity to process
incoming requests by sending a WebSocket handshake request containing a header
of the following form:

Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...

That is, a header containing an unclosed string parameter value whose content is
a repeating two-byte sequence of a backslash and some other character. The
parser takes exponential time to reject this header as invalid, and this will
block the processing of any other work on the same thread. Thus if you are
running a single-threaded server, such a request can render your service
completely unavailable.

Workarounds

There are no known work-arounds other than disabling any public-facing WebSocket functionality you are operating.
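As an added example, not the websocket-extensions gem's own parser, the Ruby scanner below parses a Sec-WebSocket-Extensions value in a single pass: every byte of a quoted parameter value is consumed exactly once, so an unclosed quoted value of the shape described above is rejected after one linear scan instead of triggering the exponential backtracking an ambiguous regular expression can fall into. The grammar followed is RFC 6455's extension-list (names and parameters as tokens, values as tokens or quoted-strings); the class and method names are this example's own.

```ruby
module ExtensionHeader
  # Token characters permitted for extension and parameter names.
  TOKEN_CHARS = "!#$%&'*+-.^_`|~0123456789" \
                "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

  class Parser
    def initialize(str)
      @s, @i = str, 0
    end

    # Returns [[name, { param => value }], ...] or nil when the header is invalid.
    def parse
      list = []
      loop do
        skip_ws
        ext = parse_extension or return nil
        list << ext
        skip_ws
        return list if @i >= @s.length
        return nil unless @s[@i] == ","
        @i += 1
      end
    end

    def skip_ws
      @i += 1 while @i < @s.length && (@s[@i] == " " || @s[@i] == "\t")
    end

    def token
      start = @i
      @i += 1 while @i < @s.length && TOKEN_CHARS.include?(@s[@i])
      @i > start ? @s[start...@i] : nil
    end

    # quoted-string: each byte is consumed exactly once, so an unclosed quote
    # or a dangling backslash fails after a single pass with no backtracking.
    def quoted_string
      return nil unless @s[@i] == '"'
      @i += 1
      out = +""
      while @i < @s.length
        c = @s[@i]
        if c == "\\"
          return nil if @i + 1 >= @s.length
          out << @s[@i + 1]
          @i += 2
        elsif c == '"'
          @i += 1
          return out
        else
          out << c
          @i += 1
        end
      end
      nil
    end

    def parse_extension
      name = token or return nil
      params = {}
      loop do
        skip_ws
        break unless @s[@i] == ";"
        @i += 1
        skip_ws
        key = token or return nil
        value = true
        skip_ws
        if @s[@i] == "="
          @i += 1
          skip_ws
          value = (@s[@i] == '"' ? quoted_string : token) or return nil
        end
        params[key] = value
      end
      [name, params]
    end
  end

  def self.parse(header)
    Parser.new(header).parse
  end
end
```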


Release Notes

0.1.5 (from changelog)


  • Remove a ReDoS vulnerability in the header parser (CVE-2020-7663)

Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.

↗️ zeitwerk (indirect, 2.3.0 → 2.4.0) · Repo · Changelog


Release Notes

2.4.0 (from changelog)


  • Zeitwerk::Loader#push_dir supports an optional namespace keyword argument. Pass a class or module object if you want the given root directory to be associated with it instead of Object. Said class or module object cannot be reloadable.

  • The default inflector is even more performant.


2.3.1 (from changelog)


  • Saves some unnecessary allocations made internally by MRI. See #125, by @casperisfine.

  • Documentation improvements.

  • Internal code base maintenance.


Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than are shown here.
Depfu Status
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to the Depfu branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

Discussion #1

Closed by #222.
