Update Rails from 5.1.3 to 5.1.6.1

Description

Broken Access Control vulnerability in Active Job
There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.

Patched versions: >= 4.2.11, < 5.0.0; >= 5.0.7.1, < 5.1.0; >= 5.1.6.1, < 5.2.0; >= 5.2.1.1
Unaffected versions: < 4.2.0

How to test: It's Rails, which is everything, but it's a patch version bump. A quick sanity check on posting and browsing should be enough.
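A way to check a Rails version against the patched and unaffected ranges quoted above, added here as an illustration and not part of this ticket or the otwarchive code base; the `Gemfile.lock` fragments are constructed and the function names are assumptions.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with RubyGems

# Ranges copied from the advisory text for CVE-2018-16476 (Active Job).
# A version that satisfies any one pair carries the fix.
PATCHED_RANGES = [
  [">= 4.2.11", "< 5.0.0"],
  [">= 5.0.7.1", "< 5.1.0"],
  [">= 5.1.6.1", "< 5.2.0"],
  [">= 5.2.1.1"],
].freeze

# Versions below 4.2.0 never shipped the affected code.
UNAFFECTED = Gem::Requirement.new("< 4.2.0")

# Classify a Rails version string as :unaffected, :patched or :vulnerable.
# (Hypothetical helper name, not a RubyGems API.)
def cve_2018_16476_status(version_string)
  version = Gem::Version.new(version_string)
  return :unaffected if UNAFFECTED.satisfied_by?(version)

  patched = PATCHED_RANGES.any? do |reqs|
    Gem::Requirement.new(*reqs).satisfied_by?(version)
  end
  patched ? :patched : :vulnerable
end

# Find the locked "rails (x.y.z)" spec line in Gemfile.lock text and
# classify it; returns nil when no such line is present.
def rails_status_from_lockfile(lock_text)
  match = lock_text.match(/^ {4}rails \(([\d.]+)\)/)
  match && cve_2018_16476_status(match[1])
end

# Constructed lockfile fragments (not the project's real Gemfile.lock).
BEFORE_LOCK = <<~LOCK
  GEM
    specs:
      rails (5.1.3)
LOCK

AFTER_LOCK = <<~LOCK
  GEM
    specs:
      rails (5.1.6.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "5.1.3   -> #{cve_2018_16476_status('5.1.3')}"
  puts "5.1.6.1 -> #{cve_2018_16476_status('5.1.6.1')}"
  puts "lock before -> #{rails_status_from_lockfile(BEFORE_LOCK)}"
  puts "lock after  -> #{rails_status_from_lockfile(AFTER_LOCK)}"
end
```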

Activity

ticking instant
December 29, 2018, 1:27 AM

It looks like it might also be broken on subcollection listings (e.g. https://test.archiveofourown.org/collections/yuletide/collections) and work collection lists (e.g. https://test.archiveofourown.org/works/1068646/collections). Might have something to do with Collection.includes(:owners).

redsummernight
December 29, 2018, 1:45 AM

It's the bullet gem, enabled only in development and staging, but not on test, otherwise the test suite would have caught the issue.

https://github.com/flyerhzm/bullet/pull/388

bullet should be 5.7.3 or later.

Sarken
December 29, 2018, 10:06 AM

Posted a multi-chapter co-authored restricted work with comment moderation. It showed up in listings, wasn't visible to logged out users, and indeed had comments moderated (and comment notifications came through). It could be kudosed. Then I deleted it and got a copy of it that looked fine.

I also changed collection settings and approved/rejected collection items and invitations about a million times and that all went fine.

Lady Oscar
December 30, 2018, 4:17 AM

Have tried various browsing, searching, etc. and nothing is obviously broken.

DeployedToBeta

Assignee

redsummernight

Reporter

redsummernight

Roadmap

None

Priority

Medium

Affects versions

Fix versions

Components

AutomatedTests
Gems

Difficulty

Medium

Milestone

Internal 0.9