Ruby/activerecord/5.2.0.rc1
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
https://rubygems.org/gems/activerecord
MIT
3 Security Vulnerabilities
Active Record RCE bug with Serialized Columns
Published date: 2022-07-12T19:39:47Z
CVE: CVE-2022-32224
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-32224
- https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a
- https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
- https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-32224.yml
- https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.
There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.
Affected versions:
["5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.15.6", "1.15.5", "1.15.4", "1.15.3", "1.15.2", "1.15.1", "1.15.0", "1.14.4", "1.14.3", "1.14.2", "1.14.1", "1.14.0", "1.13.2", "1.13.1", "1.13.0", "1.12.2", "1.12.1", "1.11.1", "1.11.0", "1.10.1", "1.10.0", "1.9.1", "1.9.0", "1.8.0", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.0", "1.3.0", "1.2.0", "1.1.0", "1.0.0", "5.2.4.5", "5.2.5", "5.2.6", "5.2.4.6", "5.2.6.2", "5.2.6.1", "5.2.6.3", "5.2.7", "5.2.7.1", "5.2.8", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.3.5", "6.0.3.6", "6.0.3.7", "6.0.4", "6.0.4.1", "6.0.4.3", "6.0.4.2", "6.0.4.4", "6.0.4.6", "6.0.4.5", "6.0.4.7", "6.0.4.8", "6.0.5", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.1.3", "6.1.3.1", "6.1.3.2", "6.1.4", "6.1.4.1", "6.1.4.3", "6.1.4.2", "6.1.4.4", "6.1.4.6", "6.1.4.5", "6.1.4.7", "6.1.5", "6.1.5.1", "6.1.6", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "7.0.2.3", "7.0.2.4", "7.0.3"]
Secure versions:
[7.0.4.1, 6.1.7.1, 7.0.4.2, 6.1.7.2, 7.0.4.3, 6.1.7.3, 7.0.5, 7.0.5.1, 6.1.7.4, 7.0.6, 7.0.7, 7.0.7.2, 7.0.7.1, 6.1.7.6, 6.1.7.5, 7.0.8, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.3.2, 7.1.3.1, 7.0.8.1, 6.1.7.7, 7.1.3.3, 7.0.8.2, 7.0.8.3, 7.2.0.beta1, 7.2.0.beta2, 7.1.3.4, 7.0.8.4, 6.1.7.8, 7.2.0.beta3, 7.2.0.rc1, 7.2.0, 7.2.1, 7.1.4, 8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 6.1.7.9, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 6.1.7.10, 8.0.0.rc2, 7.2.2, 7.1.5, 8.0.0]
Recommendation:
Update to version 8.0.0.
Denial of Service Vulnerability in ActiveRecord's PostgreSQL adapter
Published date: 2023-01-18T18:21:12Z
CVE: CVE-2022-44566
Links:
- https://github.com/rails/rails/releases/tag/v7.0.4.1
- https://github.com/advisories/GHSA-579w-22j4-4749
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-44566.yml
- https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
- https://nvd.nist.gov/vuln/detail/CVE-2022-44566
- https://code.jeremyevans.net/2022-11-01-forcing-sequential-scans-on-postgresql.html
- https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119
- https://github.com/rails/rails/commit/4f44aa9d514e701ada92b5cf08beccf566eeaebf
- https://github.com/rails/rails/commit/82bcdc011e2ff674e7dd8fd8cee3a831c908d29b
- https://github.com/rails/rails/releases/tag/v6.1.7.1
- https://makandracards.com/railslts/508019-rails-5-2-lts-changelog#section-jan-20th-2023-rails-version-5-2-8-15
There is a potential denial of service vulnerability present in ActiveRecord’s PostgreSQL adapter.
This has been assigned the CVE identifier CVE-2022-44566.
Versions Affected: All. Not affected: None. Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact: In ActiveRecord <7.0.4.1 and <6.1.7.1, when a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service. Releases
The fixed releases are available at the normal locations. Workarounds
Ensure that user supplied input which is provided to ActiveRecord clauses do not contain integers wider than a signed 64bit representation or floats. Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy 1 regarding security issues. They are in git-am format and consist of a single changeset.
6-1-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 6.1 series
7-0-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 7.0 series
Affected versions:
["6.1.0.rc1", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.15.6", "1.15.5", "1.15.4", "1.15.3", "1.15.2", "1.15.1", "1.15.0", "1.14.4", "1.14.3", "1.14.2", "1.14.1", "1.14.0", "1.13.2", "1.13.1", "1.13.0", "1.12.2", "1.12.1", "1.11.1", "1.11.0", "1.10.1", "1.10.0", "1.9.1", "1.9.0", "1.8.0", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.0", "1.3.0", "1.2.0", "1.1.0", "1.0.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.1.3.1", "6.0.3.6", "5.2.5", "6.1.3.2", "6.0.3.7", "5.2.6", "5.2.4.6", "6.0.4", "6.1.4", "6.1.4.1", "6.0.4.1", "6.1.4.3", "6.1.4.2", "6.0.4.3", "6.0.4.2", "6.1.4.4", "6.0.4.4", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "5.2.6.2", "5.2.6.1", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "6.0.5", "5.2.8", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.1.7", "6.0.6", "6.0.6.1", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "7.0.2.3", "7.0.2.4", "7.0.3", "7.0.3.1", "7.0.4"]
Secure versions:
[7.0.4.1, 6.1.7.1, 7.0.4.2, 6.1.7.2, 7.0.4.3, 6.1.7.3, 7.0.5, 7.0.5.1, 6.1.7.4, 7.0.6, 7.0.7, 7.0.7.2, 7.0.7.1, 6.1.7.6, 6.1.7.5, 7.0.8, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.3.2, 7.1.3.1, 7.0.8.1, 6.1.7.7, 7.1.3.3, 7.0.8.2, 7.0.8.3, 7.2.0.beta1, 7.2.0.beta2, 7.1.3.4, 7.0.8.4, 6.1.7.8, 7.2.0.beta3, 7.2.0.rc1, 7.2.0, 7.2.1, 7.1.4, 8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 6.1.7.9, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 6.1.7.10, 8.0.0.rc2, 7.2.2, 7.1.5, 8.0.0]
Recommendation:
Update to version 8.0.0.
Active Record subject to Regular Expression Denial-of-Service (ReDoS)
Published date: 2021-03-02T03:44:14Z
CVE: CVE-2021-22880
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22880
- https://github.com/advisories/GHSA-8hc4-xxm3-5ppp
- https://hackerone.com/reports/1023899
- https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
- https://rubygems.org/gems/activerecord
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/
- https://www.debian.org/security/2021/dsa-4929
- https://security.netapp.com/advisory/ntap-20210805-0009/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml
- https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
Affected versions:
["6.1.0", "6.1.1", "6.1.2", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0"]
Secure versions:
[7.0.4.1, 6.1.7.1, 7.0.4.2, 6.1.7.2, 7.0.4.3, 6.1.7.3, 7.0.5, 7.0.5.1, 6.1.7.4, 7.0.6, 7.0.7, 7.0.7.2, 7.0.7.1, 6.1.7.6, 6.1.7.5, 7.0.8, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.3.2, 7.1.3.1, 7.0.8.1, 6.1.7.7, 7.1.3.3, 7.0.8.2, 7.0.8.3, 7.2.0.beta1, 7.2.0.beta2, 7.1.3.4, 7.0.8.4, 6.1.7.8, 7.2.0.beta3, 7.2.0.rc1, 7.2.0, 7.2.1, 7.1.4, 8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 6.1.7.9, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 6.1.7.10, 8.0.0.rc2, 7.2.2, 7.1.5, 8.0.0]
Recommendation:
Update to version 8.0.0.
489 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 4.0.2 | MIT | 11 | 2013-12-03 - 19:00 | almost 11 years |
| 4.0.1 | MIT | 11 | 2013-11-01 - 19:07 | about 11 years |
| 4.0.1.rc4 | MIT | 11 | 2013-10-30 - 20:48 | about 11 years |
| 4.0.1.rc3 | MIT | 11 | 2013-10-23 - 21:40 | about 11 years |
| 4.0.1.rc2 | MIT | 11 | 2013-10-21 - 21:55 | about 11 years |
| 4.0.1.rc1 | MIT | 11 | 2013-10-17 - 16:45 | about 11 years |
| 4.0.0 | MIT | 11 | 2013-06-25 - 14:31 | over 11 years |
| 4.0.0.rc2 | MIT | 6 | 2013-06-11 - 20:24 | over 11 years |
| 4.0.0.rc1 | MIT | 6 | 2013-04-29 - 15:38 | over 11 years |
| 4.0.0.beta1 | MIT | 6 | 2013-02-26 - 00:05 | over 11 years |
| 3.2.22.5 | MIT | 4 | 2016-09-14 - 21:18 | about 8 years |
| 3.2.22.4 | MIT | 4 | 2016-08-11 - 19:20 | over 8 years |
| 3.2.22.3 | MIT | 4 | 2016-08-11 - 17:33 | over 8 years |
| 3.2.22.2 | MIT | 4 | 2016-02-29 - 19:22 | over 8 years |
| 3.2.22.1 | MIT | 4 | 2016-01-25 - 19:24 | almost 9 years |
| 3.2.22 | MIT | 7 | 2015-06-16 - 18:05 | over 9 years |
| 3.2.21 | MIT | 7 | 2014-11-17 - 15:59 | almost 10 years |
| 3.2.20 | MIT | 7 | 2014-10-30 - 18:36 | about 10 years |
| 3.2.19 | MIT | 7 | 2014-07-02 - 17:01 | over 10 years |
| 3.2.18 | MIT | 8 | 2014-05-06 - 16:15 | over 10 years |
| 3.2.17 | MIT | 8 | 2014-02-18 - 18:54 | over 10 years |
| 3.2.16 | MIT | 8 | 2013-12-03 - 19:00 | almost 11 years |
| 3.2.15 | MIT | 8 | 2013-10-16 - 17:22 | about 11 years |
| 3.2.15.rc3 | MIT | 8 | 2013-10-11 - 21:17 | about 11 years |
| 3.2.15.rc2 | MIT | 8 | 2013-10-04 - 20:48 | about 11 years |
| 3.2.15.rc1 | MIT | 8 | 2013-10-03 - 18:53 | about 11 years |
| 3.2.14 | MIT | 8 | 2013-07-22 - 16:44 | over 11 years |
| 3.2.14.rc2 | MIT | 8 | 2013-07-16 - 16:13 | over 11 years |
| 3.2.14.rc1 | MIT | 8 | 2013-07-13 - 00:25 | over 11 years |
| 3.2.13 | UNKNOWN | 8 | 2013-03-18 - 17:12 | over 11 years |
| 3.2.13.rc2 | UNKNOWN | 10 | 2013-03-06 - 23:06 | over 11 years |
| 3.2.13.rc1 | UNKNOWN | 10 | 2013-02-27 - 20:25 | over 11 years |
| 3.2.12 | UNKNOWN | 10 | 2013-02-11 - 18:16 | almost 12 years |
| 3.2.11 | UNKNOWN | 12 | 2013-01-08 - 20:07 | almost 12 years |
| 3.2.10 | UNKNOWN | 14 | 2013-01-02 - 21:19 | almost 12 years |
| 3.2.9 | UNKNOWN | 17 | 2012-11-12 - 15:21 | about 12 years |
| 3.2.9.rc3 | UNKNOWN | 17 | 2012-11-09 - 18:00 | about 12 years |
| 3.2.9.rc2 | UNKNOWN | 17 | 2012-11-01 - 17:39 | about 12 years |
| 3.2.9.rc1 | UNKNOWN | 17 | 2012-10-29 - 17:06 | about 12 years |
| 3.2.8 | UNKNOWN | 17 | 2012-08-09 - 21:22 | over 12 years |
| 3.2.8.rc2 | UNKNOWN | 17 | 2012-08-03 - 14:28 | over 12 years |
| 3.2.8.rc1 | UNKNOWN | 17 | 2012-08-01 - 20:57 | over 12 years |
| 3.2.7 | UNKNOWN | 17 | 2012-07-26 - 22:07 | over 12 years |
| 3.2.7.rc1 | UNKNOWN | 17 | 2012-07-23 - 21:45 | over 12 years |
| 3.2.6 | UNKNOWN | 17 | 2012-06-12 - 21:25 | over 12 years |
| 3.2.5 | UNKNOWN | 19 | 2012-06-01 - 03:38 | over 12 years |
| 3.2.4 | UNKNOWN | 19 | 2012-05-31 - 18:24 | over 12 years |
| 3.2.4.rc1 | UNKNOWN | 22 | 2012-05-28 - 19:01 | over 12 years |
| 3.2.3 | UNKNOWN | 22 | 2012-03-30 - 22:26 | over 12 years |
| 3.2.3.rc2 | UNKNOWN | 22 | 2012-03-29 - 16:13 | over 12 years |
| 3.2.3.rc1 | UNKNOWN | 22 | 2012-03-27 - 17:10 | over 12 years |
| 3.2.2 | UNKNOWN | 22 | 2012-03-01 - 17:51 | over 12 years |
| 3.2.2.rc1 | UNKNOWN | 22 | 2012-02-22 - 21:38 | over 12 years |
| 3.2.1 | UNKNOWN | 22 | 2012-01-26 - 23:09 | almost 13 years |
| 3.2.0 | UNKNOWN | 22 | 2012-01-20 - 16:46 | almost 13 years |
| 3.2.0.rc2 | UNKNOWN | 16 | 2012-01-04 - 21:05 | almost 13 years |
| 3.2.0.rc1 | UNKNOWN | 16 | 2011-12-20 - 00:40 | almost 13 years |
| 3.1.12 | UNKNOWN | 9 | 2013-03-18 - 17:12 | over 11 years |
| 3.1.11 | UNKNOWN | 10 | 2013-02-11 - 18:16 | almost 12 years |
| 3.1.10 | UNKNOWN | 11 | 2013-01-08 - 20:07 | almost 12 years |
| 3.1.9 | UNKNOWN | 12 | 2013-01-02 - 21:19 | almost 12 years |
| 3.1.8 | UNKNOWN | 13 | 2012-08-09 - 21:19 | over 12 years |
| 3.1.7 | UNKNOWN | 13 | 2012-07-26 - 22:07 | over 12 years |
| 3.1.6 | UNKNOWN | 13 | 2012-06-12 - 21:25 | over 12 years |
| 3.1.5 | UNKNOWN | 14 | 2012-05-31 - 18:24 | over 12 years |
| 3.1.5.rc1 | UNKNOWN | 15 | 2012-05-28 - 19:01 | over 12 years |
| 3.1.4 | UNKNOWN | 15 | 2012-03-01 - 17:51 | over 12 years |
| 3.1.4.rc1 | UNKNOWN | 15 | 2012-02-22 - 21:38 | over 12 years |
| 3.1.3 | UNKNOWN | 15 | 2011-11-20 - 22:51 | almost 13 years |
| 3.1.2 | UNKNOWN | 15 | 2011-11-18 - 01:32 | almost 13 years |
| 3.1.2.rc2 | UNKNOWN | 15 | 2011-11-14 - 15:47 | about 13 years |
| 3.1.2.rc1 | UNKNOWN | 15 | 2011-11-14 - 14:15 | about 13 years |
| 3.1.1 | UNKNOWN | 15 | 2011-10-07 - 15:29 | about 13 years |
| 3.1.1.rc3 | UNKNOWN | 15 | 2011-10-06 - 02:30 | about 13 years |
| 3.1.1.rc2 | UNKNOWN | 15 | 2011-09-29 - 22:16 | about 13 years |
| 3.1.1.rc1 | UNKNOWN | 15 | 2011-09-15 - 00:25 | about 13 years |
| 3.1.0 | UNKNOWN | 15 | 2011-08-31 - 02:17 | about 13 years |
| 3.1.0.rc8 | UNKNOWN | 10 | 2011-08-29 - 03:26 | about 13 years |
| 3.1.0.rc6 | UNKNOWN | 10 | 2011-08-16 - 22:32 | about 13 years |
| 3.1.0.rc5 | UNKNOWN | 10 | 2011-07-25 - 23:04 | over 13 years |
| 3.1.0.rc4 | UNKNOWN | 10 | 2011-06-09 - 22:54 | over 13 years |
| 3.1.0.rc3 | UNKNOWN | 10 | 2011-06-08 - 21:26 | over 13 years |
| 3.1.0.rc2 | UNKNOWN | 10 | 2011-06-08 - 00:15 | over 13 years |
| 3.1.0.rc1 | UNKNOWN | 10 | 2011-05-22 - 02:25 | over 13 years |
| 3.1.0.beta1 | UNKNOWN | 10 | 2011-05-05 - 01:22 | over 13 years |
| 3.0.20 | UNKNOWN | 10 | 2013-01-28 - 21:01 | almost 12 years |
| 3.0.19 | UNKNOWN | 10 | 2013-01-08 - 20:07 | almost 12 years |
| 3.0.18 | UNKNOWN | 11 | 2013-01-02 - 21:19 | almost 12 years |
| 3.0.17 | UNKNOWN | 12 | 2012-08-09 - 21:15 | over 12 years |
| 3.0.16 | UNKNOWN | 12 | 2012-07-26 - 22:07 | over 12 years |
| 3.0.15 | UNKNOWN | 12 | 2012-06-13 - 03:06 | over 12 years |
| 3.0.14 | UNKNOWN | 12 | 2012-06-12 - 21:24 | over 12 years |
| 3.0.13 | UNKNOWN | 13 | 2012-05-31 - 18:24 | over 12 years |
| 3.0.13.rc1 | UNKNOWN | 14 | 2012-05-28 - 19:00 | over 12 years |
| 3.0.12 | UNKNOWN | 14 | 2012-03-01 - 17:51 | over 12 years |
| 3.0.12.rc1 | UNKNOWN | 14 | 2012-02-22 - 21:37 | over 12 years |
| 3.0.11 | UNKNOWN | 14 | 2011-11-18 - 01:22 | almost 13 years |
| 3.0.10 | UNKNOWN | 14 | 2011-08-16 - 22:13 | about 13 years |
| 3.0.10.rc1 | UNKNOWN | 15 | 2011-08-05 - 00:11 | over 13 years |
| 3.0.9 | UNKNOWN | 15 | 2011-06-16 - 10:03 | over 13 years |