Rails 4.2.x

NES Release Notes

4.2.11.38

Notes

  • This is the initial release of the NES Rails 4.2.x series. It also includes the release of NES for Rack v1.6.13.17.

Bug Fixes

  • CVE-2023-28362 (actionpack) – Fixed a possible cross-site scripting (XSS) vulnerability via user-supplied values in redirect_to.
  • CVE-2021-22904 (actionpack) – Fixed a possible denial-of-service (DoS) vulnerability in Action Controller token authentication.
  • CVE-2023-22795 (actionpack) – Fixed a ReDoS-based DoS vulnerability in Action Dispatch.
  • CVE-2021-22885 (actionpack) – Fixed an information disclosure and unintended method execution vulnerability in Action Pack.
  • CVE-2023-22792 (actionpack) – Fixed a ReDoS-based DoS vulnerability in Action Dispatch.
  • CVE-2024-47887 (actionpack) – Fixed a possible ReDoS vulnerability in HTTP token authentication in Action Controller.
  • CVE-2024-41128 (actionpack) – Fixed a possible ReDoS vulnerability in query parameter filtering in Action Dispatch.
  • CVE-2022-32224 (activerecord) – Fixed a remote code execution (RCE) vulnerability with serialized columns in Active Record.
  • CVE-2022-44566 (activerecord) – Fixed a denial-of-service (DoS) vulnerability in Active Record's PostgreSQL adapter.
  • CVE-2023-22796 (activesupport) – Fixed a ReDoS-based DoS vulnerability in Active Support’s underscore.
  • CVE-2023-28120 (activesupport) – Fixed a possible XSS security vulnerability in SafeBuffer#bytesplice (not originally affected but patched).
  • CVE-2020-5267 (actionview) – Fixed a cross-site scripting (XSS) vulnerability in Action View.
  • CVE-2019-5418 (actionview) – Fixed a path traversal vulnerability in Action View.
  • CVE-2020-15169 (actionview) – Fixed an XSS vulnerability in Action View.
  • CVE-2022-27777 (actionview) – Fixed an XSS vulnerability in Action View tag helpers.
  • CVE-2020-8163 (actionview) – Fixed a remote code execution vulnerability via user-provided local names in Action View.
  • CVE-2019-5419 (actionview) – Fixed a denial-of-service vulnerability in Action View.
  • CVE-2024-25126 (rack) – Fixed a vulnerability in Rack related to ReDoS in content type parsing.
  • CVE-2023-27530 (rack) – Fixed a possible DoS vulnerability in Rack’s multipart MIME parsing.
  • CVE-2024-26146 (rack) – Fixed a possible denial-of-service vulnerability due to Rack header parsing.
  • CVE-2020-8161 (rack) – Fixed a directory traversal vulnerability in Rack::Directory.
  • CVE-2022-44570 (rack) – Fixed a denial-of-service vulnerability caused by header parsing in Rack.
  • CVE-2022-30122 (rack) – Fixed a denial-of-service vulnerability in Rack multipart parsing.
  • CVE-2020-8184 (rack) – Fixed an issue in Rack allowing percent-encoded cookies to overwrite existing prefixed cookie names.
  • CVE-2022-30123 (rack) – Fixed a possible shell escape sequence injection vulnerability in Rack.
  • CVE-2024-26141 (rack) – Fixed a possible DoS vulnerability with the Range header in Rack.
  • CVE-2024-47889 (actionmailer) – Fixed a possible ReDoS vulnerability in block_format in Action Mailer.
  • CVE-2024-26146 (rack) - Fixed Rack Header Parsing leads to Possible Denial of Service Vulnerability
Rails 3.2.x
NES Release Notes
Previous Article
Rails 5.2.x
NES Release Notes
Next Article