Update dependency devise to v4 [SECURITY]#17

Open

renovate[bot] wants to merge 1 commit intomasterfrom

renovate/rubygems-devise-vulnerability

Contributor

renovate Bot commented Sep 25, 2022 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
devise (changelog)	`3.5.2` → `4.7.1`

GitHub Vulnerability Alerts

CVE-2019-5421

Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.

Severity

Medium

CVE-2019-16109

An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2015-8314

Devise version before 3.5.4 uses cookies to implement a "Remember me" functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Release Notes

heartcombo/devise (devise)

`v4.7.1`

`v4.7.0`

`v4.6.2`

`v4.6.1`

`v4.6.0`

`v4.5.0`

`v4.4.3`

`v4.4.2`

`v4.4.1`

`v4.4.0`

`v4.3.0`

`v4.2.1`

`v4.2.0`

`v4.1.1`

`v4.1.0`

breaking changes
- Drop support to Ruby < 2.7
- Drop support to Rails < 7.0
- Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803
- Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803
- Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803
- Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803
- Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598
- Remove deprecated Devise.activerecord51? method.
- Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.
  
  This is potentially a breaking change because Devise previously used the following order to find a secret key:
```
app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base
```
  Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid.
  #5645
- Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515
- Change <br> tags separating form elements to wrapping them in <p> tags #5494
- Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).
  
  If you are using an older version of Turbo and the default devise template, you'll need to copy it over to your app and change that back to [data-turbo-cache=false].
enhancements
- Add Rails 8 support.
  - Routes are lazy-loaded by default in test and development environments now so Devise loads them before Devise.mappings call. #5728
- New apps using Rack 3.1+ will be generated using config.responder.error_status = :unprocessable_content, since :unprocessable_entity has been deprecated by Rack.
  
  Latest versions of Rails transparently convert :unprocessable_entity -> :unprocessable_content, and Devise will use that in the failure app to avoid Rack deprecation warnings for apps that are configured with :unprocessable_entity. They can also simply change their error_status to :unprocessable_content in latest Rack versions to avoid the warning.
- Add Ruby 3.4 and 4.0 support.
- Reenable Mongoid test suite across all Rails 7+ versions, to ensure we continue supporting it. Changes to dirty tracking to support Mongoid 8.0+. #5568
- Password length validator is changed from
```
validates_length_of :password, within: password_length, allow_blank: true`
```
  to
```
validates_length_of :password, minimum: proc { password_length.min }, maximum: proc { password_length.max }, allow_blank: true
```
  so it's possible to override password_length at runtime. #5734
bug fixes
- Make Devise work without ActionMailer when Zeitwerk autoloader is used. #5731
- Handle defaults :from and :reply_to as procs correctly by delegating to Rails #5595
- Use OmniAuth.config.allowed_request_methods as routing verbs for the auth path #5508
- Handle on and ON as true values to check params #5514
- Fix passing format option to devise_for #5732
- Use ActiveRecord::SecurityUtils.secure_compare in Devise.secure_compare to match two empty strings correctly. #4829
- Respond with 401 Unauthorized for non-navigational requests to destroy the session when there is no authenticated resource. #4878
- Fix incorrect grammar of invalid authentication message with capitalized attributes, e.g.: "Invalid Email or password" => "Invalid email or password". (originally introduced by #4014, released on v4.1.0) #4834

Please check 4-stable
for previous changes.

`v4.0.3`

`v4.0.2`

`v4.0.1`

`v4.0.0`

`v3.5.10`

`v3.5.9`

`v3.5.8`

`v3.5.7`

`v3.5.6`

`v3.5.5`

`v3.5.4`

`v3.5.3`

bug fixes
- Fix password reset for records where confirmation_required? is disabled and
  confirmation_sent_at is nil. (by @andygeers)
- Allow resources with no email field to be recoverable (and do not clear the
  reset password token if the model was already persisted). (by @seddy, @stanhu)
enhancements
- Upon setting Devise.send_password_change_notification = true a user will receive notification when their password has been changed.

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/rubygems-devise-vulnerability branch from 3b74662 to 5cf83f2 Compare

November 20, 2022 08:34


          Update dependency devise to v4 [SECURITY]

90e58d2

renovate Bot force-pushed the renovate/rubygems-devise-vulnerability branch from 5cf83f2 to 90e58d2 Compare

March 16, 2023 17:52

Contributor Author

renovate Bot commented Apr 3, 2023 •

edited

Loading

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

Unknown switches '--patch, --strict'

renovate Bot changed the title ~~Update dependency devise to v4 [SECURITY]~~ Update dependency devise to v3.5.4 [SECURITY]

Contributor Author

renovate Bot commented May 23, 2024 •

edited

Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

Fetching source index from https://rubygems.org/
Retrying fetcher due to error (2/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (3/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (4/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Could not fetch specs from https://rubygems.org/

renovate Bot changed the title ~~Update dependency devise to v3.5.4 [SECURITY]~~ Update dependency devise to v4 [SECURITY]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet