Ruby on Rails: Security

Hi folks, This is an update just to let you all know we're retiring this mailing list. Actually

There is a possible escalation to RCE when using YAML serialized columns in Active Record. This

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This

There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned

There is a possible code injection vulnerability in the Active Storage module of Rails. This

## Impact Under certain circumstances response bodies will not be closed, for example a bug in a

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack.

# Possible Open Redirect in Host Authorization Middleware There is a possible open redirect

There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. This

There is a possible information disclosure / unintended method execution vulnerability in Action Pack

There is a possible Open Redirect Vulnerability in Action Pack. This vulnerability has been assigned

There is a possible Denial of Service vulnerability in the Mime type parser of Action Dispatch. This

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack.

There is a possible DoS vulnerability in the PostgreSQL adapter in Active Record. This vulnerability

There is a possible XSS vulnerability in Action Pack while the application server is in development

There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation

Sorry, I forgot to attach the patch! It's here

Percent-encoded cookies can be used to overwrite existing prefixed cookie names It is possible to

CSRF Vulnerability in rails-ujs There is an vulnerability in rails-ujs that allows attackers to send

Ability to forge per-form CSRF tokens given a global CSRF token It is possible to possible to, given

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

# Possible Strong Parameters Bypass in ActionPack There is a strong parameters bypass vector in

Circumvention of file size limits in ActiveStorage There is a vulnerability in ActiveStorage's S3

Hi, There was an error in the patch so I've attached a new patch. Please apply this patch or

Directory traversal in Rack::Directory There was a possible directory traversal vulnerability in the

Arbitrary file write/potential remote code execution in actionpack_page-caching There is a

There is a possible information disclosure issue in Active Resource. This vulnerability has been