Rails 5.2.x

NES Release Notes

5.2.8.26

Notes

  • This is the initial release of the NES Rails 5.2.x series. It also includes the release of NES for Rack v2.2.9.10.

Bug Fixes

  • CVE-2024-47889 (actionmailer) – Fixed a possible ReDoS vulnerability in block_format in Action Mailer.
  • CVE-2023-28362 (actionpack) – Fixed a possible cross-site scripting (XSS) vulnerability via user-supplied values in redirect_to.
  • CVE-2023-22795 (actionpack) – Fixed a ReDoS-based DoS vulnerability in Action Dispatch.
  • CVE-2023-22792 (actionpack) – Fixed a ReDoS-based DoS vulnerability in Action Dispatch.
  • CVE-2024-47887 (actionpack) – Fixed a possible ReDoS vulnerability in HTTP Token authentication in Action Controller.
  • CVE-2024-54133 (actionpack) – Fixed a possible Content Security Policy bypass in Action Dispatch.
  • CVE-2024-41128 (actionpack) – Fixed a possible ReDoS vulnerability in query parameter filtering in Action Dispatch.
  • CVE-2022-32224 (activerecord) – Fixed an Active Record RCE bug with serialized columns.
  • CVE-2022-44566 (activerecord) – Fixed a denial-of-service (DoS) vulnerability in ActiveRecord's PostgreSQL adapter.
  • CVE-2023-38037 (activesupport) – Fixed a potential information disclosure vulnerability in Active Support where locally encrypted files could be exposed.
  • CVE-2023-22796 (activesupport) – Fixed a ReDoS-based DoS vulnerability in Active Support's underscore.
  • CVE-2023-28120 (activesupport) – Fixed a possible XSS security vulnerability in SafeBuffer#bytesplice.
  • CVE-2023-23913 (actionview) – Fixed a DOM-based cross-site scripting (XSS) vulnerability in rails-ujs affecting contenteditable HTML elements.
  • CVE-2024-26144 (activestorage) – Possible sensitive session information leak in Active Storage (Not fixed).
Rails 4.2.x
NES Release Notes
Previous Article
Rails 6.1.x
NES Release Notes
Next Article