Hi everyone!
Rails Versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1 have been released!
These are security patches addressing 4 possible ReDoS (Regular expression Denial of Service) vulnerabilities. All of these only affect Ruby versions below 3.2, so we urge users on older versions of Ruby to upgrade to these new Rails versions at their earliest convenience.
Additionally we strongly recommend users upgrade to Ruby 3.2 or greater, to take advantage of the improved ReDoS mitigations in newer versions.
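As an added illustration of the mitigations this paragraph refers to (example code, not part of the Rails announcement or of Rails itself): Ruby 3.2 introduced `Regexp.timeout`, a per-Regexp `timeout:` option and `Regexp.linear_time?`, which together let an application bound how long a match on untrusted input may run and audit which patterns the memoization-based matcher cannot guarantee linear time for. The helper names (`ruby_has_redos_mitigations?`, `match_with_budget`, `audit_patterns`) and the sample input are my own; on a Ruby older than 3.2 the helpers report the mitigations as unavailable and fall back to an unbounded match.

```ruby
# Added example, not from the Rails security announcement.
# Demonstrates the Ruby 3.2+ ReDoS mitigations (Regexp timeouts and
# Regexp.linear_time?) from a defender's side; helper names are hypothetical.

# True when this Ruby ships the mitigations the announcement refers to:
# per-match timeouts and the linear-time matcher introspection (both 3.2+).
def ruby_has_redos_mitigations?
  Regexp.respond_to?(:timeout=) && Regexp.respond_to?(:linear_time?)
end

# Match `pattern` against `input` within `budget` seconds.
# Returns MatchData on a match, nil on no match, or :timeout when the budget
# is exhausted. On Rubies without Regexp#timeout the match runs unbounded.
def match_with_budget(pattern, input, budget = 0.5)
  return pattern.match(input) unless ruby_has_redos_mitigations?

  # Rebuild the pattern with a per-Regexp timeout so the global
  # Regexp.timeout setting (if any) is not touched.
  bounded = Regexp.new(pattern.source, pattern.options, timeout: budget)
  begin
    bounded.match(input)
  rescue Regexp::TimeoutError
    :timeout
  end
end

# For each pattern report whether the 3.2+ matcher can run it in linear time
# (true/false), or :unknown on older Rubies that cannot tell us.
def audit_patterns(patterns)
  patterns.to_h do |re|
    verdict = ruby_has_redos_mitigations? ? Regexp.linear_time?(re) : :unknown
    [re.source, verdict]
  end
end

# Constructed sample input: a classic nested-quantifier pattern with a
# non-matching tail, kept short so it finishes quickly even on older Rubies.
SAMPLE_INPUT = ("a" * 16) + "!"
NESTED_QUANTIFIER = /\A(a+)+\z/
LINEAR_EQUIVALENT = /\Aa+\z/          # same language, no nested quantifier
BACKREFERENCE     = /(\w+)\s\1/       # backreferences defeat the linear matcher

puts "Ruby #{RUBY_VERSION}; mitigations available: #{ruby_has_redos_mitigations?}"
puts "nested quantifier: #{match_with_budget(NESTED_QUANTIFIER, SAMPLE_INPUT).inspect}"
puts "linear equivalent: #{match_with_budget(LINEAR_EQUIVALENT, SAMPLE_INPUT).inspect}"
audit_patterns([NESTED_QUANTIFIER, LINEAR_EQUIVALENT, BACKREFERENCE]).each do |src, verdict|
  puts "  /#{src}/ linear_time? => #{verdict}"
end
```

On Ruby 3.2 or newer `audit_patterns` flags the backreference pattern as non-linear while the two `a+` forms pass, and `match_with_budget` turns a runaway match into a `:timeout` result instead of a stalled worker; on older Rubies the only effective fix is the upgrade the announcement recommends.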
Ruby 3.1 is approaching its end of life for security support from Ruby upstream and is the only maintained version of Ruby still vulnerable to these attacks. Going forward we plan to continue to address these, but will do so in our public issue tracker like normal performance bugs.
Rails 6.1 had an anticipated end of maintenance earlier this month, but as we transition to our new maintenance policy we’ve cut an additional release: 6.1.7.9.
Rails 8.0.0.beta1 and newer are unaffected as they require Ruby 3.2.
Here is a list of security issues that these releases address:
- Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
- Possible ReDoS vulnerability in block_format in Action Mailer

Cheers!