
Update dependency devise to v4 [SECURITY]#17

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/rubygems-devise-vulnerability

Conversation


@renovate renovate bot commented Sep 25, 2022

This PR contains the following updates:

Package: devise (changelog)
Change: 3.5.2 -> 4.7.1
Age / Confidence: badges (not rendered in this export)

GitHub Vulnerability Alerts

CVE-2019-5421

Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.

CVE-2019-16109

An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)

CVE-2015-8314

Devise version before 3.5.4 uses cookies to implement a "Remember me" functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.


Release Notes

heartcombo/devise (devise)

Versions with only a "Compare Source" link in this PR body (no release notes rendered): v4.7.1, v4.7.0, v4.6.2, v4.6.1, v4.6.0, v4.5.0, v4.4.3, v4.4.2, v4.4.1, v4.4.0, v4.3.0, v4.2.1, v4.2.0, v4.1.1, v4.1.0, v4.0.3, v4.0.2, v4.0.1, v4.0.0, v3.5.10, v3.5.9, v3.5.8, v3.5.7, v3.5.6, v3.5.5, v3.5.4

v3.5.3

  • bug fixes
    • Fix password reset for records where confirmation_required? is disabled and confirmation_sent_at is nil. (by @andygeers)
    • Allow resources with no email field to be recoverable (and do not clear the reset password token if the model was already persisted). (by @seddy, @stanhu)
  • enhancements
    • Upon setting Devise.send_password_change_notification = true a user will receive a notification when their password has been changed.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
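As a defender-side illustration of the CVE-2019-16109 pattern listed above (an added example, not Devise's own code): the unguarded token lookup that confirms a row whose confirmation_token column is blank, beside a lookup that rejects blank tokens before querying. The Account struct, the sample rows and the function names are hypothetical and constructed in memory; no Rails or database is involved.

```ruby
# Added example, not Devise code: the blank-token confirmation pattern from
# CVE-2019-16109 (Devise < 4.7.1) next to a guarded lookup. Records are
# constructed in memory; no database or Rails is involved.
Account = Struct.new(:email, :confirmation_token, :confirmed_at)

# Constructed rows: one pending account with a real token and one row whose
# token column is empty (the condition the advisory describes).
def sample_accounts
  [
    Account.new("alice@example.test", "k3Yz9tokenvalue", nil),
    Account.new("legacy@example.test", "", nil),
  ]
end

# Byte-wise comparison that does not short-circuit on the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Unguarded lookup: plain equality. A blank token from the request matches
# the blank column value, so the legacy row gets confirmed.
def confirm_by_token_unguarded(accounts, token)
  record = accounts.find { |a| a.confirmation_token == token }
  return nil unless record
  record.confirmed_at ||= Time.now
  record
end

# Guarded lookup: reject blank tokens before any lookup, then compare in
# constant time. Returns the confirmed record, or nil when nothing matches.
def confirm_by_token_guarded(accounts, token)
  return nil if token.nil? || token.strip.empty?
  record = accounts.find do |a|
    constant_time_equal?(a.confirmation_token.to_s, token)
  end
  return nil unless record
  record.confirmed_at ||= Time.now
  record
end

if __FILE__ == $PROGRAM_NAME
  hit = confirm_by_token_unguarded(sample_accounts, "")
  puts "unguarded, blank token confirmed: #{hit ? hit.email : 'nothing'}"
  hit = confirm_by_token_guarded(sample_accounts, "")
  puts "guarded, blank token confirmed:   #{hit ? hit.email : 'nothing'}"
end
```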

renovate bot force-pushed the renovate/rubygems-devise-vulnerability branch from 3b74662 to 5cf83f2 on November 20, 2022 08:34
renovate bot force-pushed the renovate/rubygems-devise-vulnerability branch from 5cf83f2 to 90e58d2 on March 16, 2023 17:52

renovate bot commented Apr 3, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock
Unknown switches '--patch, --strict'


renovate bot changed the title from "Update dependency devise to v4 [SECURITY]" to "Update dependency devise to v3.5.4 [SECURITY]" on Feb 29, 2024

renovate bot commented May 23, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock
Fetching source index from https://rubygems.org/
Retrying fetcher due to error (2/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (3/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (4/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Could not fetch specs from https://rubygems.org/


renovate bot changed the title from "Update dependency devise to v3.5.4 [SECURITY]" to "Update dependency devise to v4 [SECURITY]" on Aug 6, 2024