author | John Hawthorn <john@hawthorn.email> | 2019-03-22 13:43:56 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-03-22 13:43:56 -0700 |
commit | b27885c6c2756fb98c52a75fd9c02b26d39f3cf3 (patch) | |
tree | 4ca31fe57955e0a7d45d6e99dd7cd94ce85621f5 | |
parent | 1d2f553d16d8e3ee1dd6622b96ad98a72ea98d2d (diff) | |
parent | 5c2d695993080f294c54353954254aa44c6da12c (diff) | |
Merge pull request #35715 from jhawthorn/changelog_for_cves_6_0
Update CHANGELOGs for 6.0.0.beta3 release
-rw-r--r-- | actionview/CHANGELOG.md | 11 |
-rw-r--r-- | railties/CHANGELOG.md | 12 |
2 files changed, 21 insertions, 2 deletions
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md index d07794ddf3..6717004ceb 100644 --- a/actionview/CHANGELOG.md +++ b/actionview/CHANGELOG.md @@ -1,6 +1,15 @@ ## Rails 6.0.0.beta3 (March 11, 2019) ## -* No changes. +* Only accept formats from registered mime types + + A lack of filtering on mime types could allow an a attacker to read + arbitrary files on the target server or to perform a denial of service + attack. + + Fixes CVE-2019-5418 + Fixes CVE-2019-5419 + + *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson* ## Rails 6.0.0.beta2 (February 25, 2019) ## diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index 226b949b34..754f11212c 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -4,7 +4,17 @@ ## Rails 6.0.0.beta3 (March 11, 2019) ## -* No changes. +* Generate random development secrets + + A random development secret is now generated to tmp/development_secret.txt + + This avoids an issue where development mode servers were vulnerable to + remote code execution. + + Fixes CVE-2019-5420 + + *Eileen M. Uchitelle*, *Aaron Patterson*, *John Hawthorn* + ## Rails 6.0.0.beta2 (February 25, 2019) ## |
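Review bot: in the actionview/CHANGELOG.md hunk, the second paragraph of the new entry has a typo, "could allow an a attacker to read" should read "could allow an attacker to read"; the entry also never says which rendering path now filters on registered mime types, so someone scanning the changelog cannot judge exposure without going to the CVE text. Suggest a short clause naming the affected code path in the first line, e.g. "Only accept formats from registered mime types in <affected lookup>", keeping the two "Fixes CVE-2019-5418" / "Fixes CVE-2019-5419" lines as they are.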
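Review bot: in the railties/CHANGELOG.md hunk, the sentence "A random development secret is now generated to tmp/development_secret.txt" has no terminating period, and the hunk adds a trailing "+" blank line after "*Eileen M. Uchitelle*, *Aaron Patterson*, *John Hawthorn*" on top of the existing blank context line, leaving two blank lines before "## Rails 6.0.0.beta2 (February 25, 2019) ##" where the actionview entry leaves one. Drop the extra blank line, and since the entry states the secret now lives under tmp/, consider one more sentence saying whether the file should stay out of version control and that existing development sessions are invalidated when it is regenerated, so upgraders are not surprised.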