
chore(deps): update dependency doorkeeper to v5.6.6 [security] - autoclosed #378

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jun 12, 2023

Mend Renovate

This PR contains the following updates:

Package: doorkeeper (changelog)
Change: 5.5.4 -> 5.6.6

GitHub Vulnerability Alerts

CVE-2023-34246

OAuth RFC 8252 says https://www.rfc-editor.org/rfc/rfc8252#section-8.6

the authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured. This includes the case where the user has previously approved an authorization request for a given client id

But Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation; their identity cannot be assured.

Issue https://github.com/doorkeeper-gem/doorkeeper/issues/1589

Fix https://github.com/doorkeeper-gem/doorkeeper/pull/1646
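A quick way to tell whether an application still pins a doorkeeper release older than the fixed 5.6.6: the script below (added here, not part of this PR or of Doorkeeper) reads a Gemfile.lock and classifies the doorkeeper pin; the embedded lockfile fragment is constructed for the example, and a real lockfile can be passed as the first argument.

```ruby
# Added example, not part of the PR or of Doorkeeper: classify the doorkeeper
# version pinned in a Gemfile.lock against the CVE-2023-34246 fix release.
require "rubygems"

FIXED_DOORKEEPER = Gem::Version.new("5.6.6")  # release carrying PR #1646

# Constructed Gemfile.lock fragment pinning the pre-fix version from this PR.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      doorkeeper (5.5.4)
        railties (>= 5)
      railties (7.0.4)
LOCK

# Returns the locked version string of gem_name, or nil when it is not pinned.
# Only top-level spec lines (exactly four spaces of indent) are considered, so
# dependency lines such as "        railties (>= 5)" are ignored.
def locked_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.strip == "specs:"
    next unless in_specs
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/)
    return m[1] if m
  end
  nil
end

# Returns :missing, :vulnerable (older than 5.6.6) or :fixed.
def doorkeeper_status(lockfile_text)
  version = locked_version(lockfile_text, "doorkeeper")
  return :missing unless version
  Gem::Version.new(version) < FIXED_DOORKEEPER ? :vulnerable : :fixed
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  pin = locked_version(text, "doorkeeper") || "absent"
  puts "doorkeeper #{pin}: #{doorkeeper_status(text)}"
end
```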


Release Notes

doorkeeper-gem/doorkeeper (doorkeeper)

v5.6.6

Compare Source

  • [#1644] Update HTTP headers.
  • [#1646] Block public clients automatic authorization skip.
  • [#1648] Add custom token attributes to Refresh Token Request.
  • [#1649] Fixed custom_access_token_attributes related errors.

v5.6.5

Compare Source

  • [#1602] Allow custom data to be stored inside access grants/tokens.
  • [#1634] Code refactoring for custom token attributes.
  • [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.

v5.6.4

Compare Source

  • [#1633] Apply ORM configuration in #to_prepare block to avoid autoloading errors.

v5.6.3

Compare Source

  • [#1622] Drop support for Rubies 2.5 and 2.6.
  • [#1605] Fix URI validation for Ruby 3.2+.
  • [#1625] Exclude endless access tokens from StaleRecordsCleaner.
  • [#1626] Remove deprecated active_record_options config option.
  • [#1631] Fix regression with redirect behavior after token lookup optimizations (redirect to app URI when found).
  • [#1630] Special case unique index creation for refresh_token on SQL Server.
  • [#1627] Lazy evaluate Doorkeeper config when loading files and executing initializers.

v5.6.2

Compare Source

  • [#1604] Fix fetching of the application when custom application_class defined.

v5.6.1

Compare Source

  • [#1593] Add support for Trilogy ActiveRecord adapter.
  • [#1597] Add optional support to use the url path for the native authorization code flow. Ports forward [#1143] from 4.4.3.
  • [#1599] Remove unnecessary re-fetch of application object when creating an access token.

v5.6.0

Compare Source

  • [#1581] Consider token_type_hint when searching for access token in TokensController to avoid extra database calls.

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jun 12, 2023
@renovate renovate bot changed the title chore(deps): update dependency doorkeeper to v5.6.6 [security] chore(deps): update dependency doorkeeper to v5.6.6 [security] - autoclosed Feb 24, 2024
@renovate renovate bot closed this Feb 24, 2024
@renovate renovate bot deleted the renovate/rubygems-doorkeeper-vulnerability branch February 24, 2024 03:12
@renovate renovate bot changed the title chore(deps): update dependency doorkeeper to v5.6.6 [security] - autoclosed chore(deps): update dependency doorkeeper to v5.6.6 [security] Feb 24, 2024
@renovate renovate bot reopened this Feb 24, 2024
@renovate renovate bot restored the renovate/rubygems-doorkeeper-vulnerability branch February 24, 2024 08:09
@renovate renovate bot force-pushed the renovate/rubygems-doorkeeper-vulnerability branch from 5824835 to baa4111 Compare February 24, 2024 08:09
@renovate renovate bot force-pushed the renovate/rubygems-doorkeeper-vulnerability branch from baa4111 to 851a43e Compare March 24, 2024 15:20
@renovate renovate bot force-pushed the renovate/rubygems-doorkeeper-vulnerability branch from 851a43e to b6fc32d Compare May 15, 2024 17:26
@renovate renovate bot changed the title chore(deps): update dependency doorkeeper to v5.6.6 [security] chore(deps): update dependency doorkeeper to v5.6.6 [security] - autoclosed Aug 6, 2024
@renovate renovate bot closed this Aug 6, 2024
@renovate renovate bot deleted the renovate/rubygems-doorkeeper-vulnerability branch August 6, 2024 02:18