Bug #16469
closed
- Status changed from New to In Progress
I believe we don't need to do anything at this time, because:
- CVE-2020-8164 (Possible Strong Parameters Bypass in ActionPack): I haven't found any occurrence of code using `each`, `each_pair` or `each_value` on `params`.
- CVE-2020-8166 (Ability to forge per-form CSRF tokens in Rails): Is a low severity issue and no workarounds are offered, just to upgrade whenever possible.
- CVE-2020-8165 (Unintended unmarshalling in ActiveSupport): Is about MemCacheStore and RedisCacheStore, which we don't use.
- Status changed from In Progress to Closed
We'll be updating Rails to at least 5.2 soon.