Dependabot - RCE bug with Serialized Columns in Active Record #75

tuxmea · 2022-07-28T11:23:37Z

https://github.com/betadots/hdm/security/dependabot/77

 Dependabot cannot update activerecord to a non-vulnerable version

The latest possible version that can be installed is 7.0.2.4 because of the following conflicting dependencies:

rails (7.0.2.4) requires activerecord (= 7.0.2.4) via actionmailbox (7.0.2.4)
rails (7.0.2.4) requires activerecord (= 7.0.2.4) via actiontext (7.0.2.4)
rails (7.0.2.4) requires activerecord (= 7.0.2.4) via activestorage (7.0.2.4)
rails (7.0.2.4) requires activerecord (= 7.0.2.4)

The earliest fixed version is 7.0.3.1.

The text was updated successfully, but these errors were encountered:

tuxmea · 2022-08-10T14:50:22Z

@oneiros Can we update to 7.0.3.x?

oneiros · 2022-08-10T14:56:45Z

@oneiros Can we update to 7.0.3.x?

Absolutely!

FWIW, hdm (OS) is not vulnerable with regards to the RCE bug. But of course it does not hurt to be on the current version.

rwaffen · 2022-09-06T12:25:54Z

fixed with 9ab0791

tuxmea added the bug Something isn't working label Jul 28, 2022

tuxmea assigned oneiros Aug 10, 2022

rwaffen closed this as completed Sep 6, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dependabot - RCE bug with Serialized Columns in Active Record #75

Dependabot - RCE bug with Serialized Columns in Active Record #75

tuxmea commented Jul 28, 2022

tuxmea commented Aug 10, 2022

oneiros commented Aug 10, 2022

rwaffen commented Sep 6, 2022

Dependabot - RCE bug with Serialized Columns in Active Record #75

Dependabot - RCE bug with Serialized Columns in Active Record #75

Comments

tuxmea commented Jul 28, 2022

tuxmea commented Aug 10, 2022

oneiros commented Aug 10, 2022

rwaffen commented Sep 6, 2022