redis-store v1.4.0 Release Notes
Release Date: 2017-08-25
🔧 Due to concerns over a possible vulnerability (should someone obtain write access to the Redis database the application is using) related to marshalling in #289, we've replaced the Marshalling feature with Serialization, allowing the user to specify their own serializer responding to the `.dump` and `.load` methods. This is similar to how Dalli works.

🚀 Using an alternative serializer like `YAML` or `JSON` means if your Redis server becomes compromised in any way, the compromise cannot affect your running app. However, not all objects serialize cleanly to YAML and/or JSON. In order to achieve backwards compatibility, we have supplied `Marshal` as the default serializer object, and released a minor version of this gem. All recent versions of redis-store gems (like `redis-activesupport` and `redis-actionpack`) that depend on this gem allow for `redis-store` up to but not including 2.0.0, so to get this version you can run: `bundle update redis-store`

A CVE has been filed, CVE-2017-1000248, so that this issue is easier to refer to.
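The serializer contract the notes describe (any object responding to `.dump` and `.load`), shown as an added example that is not redis-store's own code. `JsonSerializer` and `SerializingStore` are constructed stand-ins: the store models only the boundary that matters, namely that bytes coming back from the database pass through the chosen serializer, and the gem's actual option for supplying a serializer is not shown here. The example also shows why `Marshal` remains the default (it round-trips Symbols that JSON turns into Strings) and what a JSON serializer does with bytes the application did not write.

```ruby
require 'json'

# Constructed serializer exposing the .dump / .load interface from the release
# notes. JSON.parse only ever builds plain data (String, Integer, Float, Array,
# Hash, true/false/nil); it never instantiates arbitrary Ruby classes.
module JsonSerializer
  def self.dump(obj)
    JSON.generate(obj)
  end

  def self.load(payload)
    JSON.parse(payload)
  end
end

# Hypothetical in-memory stand-in for a Redis-backed store. The store hands raw
# bytes to the serializer, so the serializer decides what those bytes may become.
class SerializingStore
  def initialize(serializer)
    @serializer = serializer
    @data = {}
  end

  def write(key, value)
    @data[key] = @serializer.dump(value)
  end

  def read(key)
    raw = @data[key]
    raw.nil? ? nil : @serializer.load(raw)
  end

  # Constructed stand-in for a value changed out of band by someone holding
  # write access to the backing database.
  def overwrite_raw(key, bytes)
    @data[key] = bytes
  end
end

# Plain data round-trips through JSON unchanged.
def roundtrip_json
  store = SerializingStore.new(JsonSerializer)
  store.write('session:1', { 'user_id' => 42, 'roles' => ['reader'] })
  store.read('session:1')
end

# Backwards compatibility: Marshal already responds to .dump and .load, so it
# can be handed to the store as-is, and Symbol keys survive the round trip.
def roundtrip_marshal
  store = SerializingStore.new(Marshal)
  store.write('k', { sym: :value })
  store.read('k')
end

# "Not all objects serialize cleanly": JSON turns Symbol keys and values into
# Strings, so the app gets back a different (though still harmless) value.
def json_loses_symbols
  store = SerializingStore.new(JsonSerializer)
  store.write('k', { sym: :value })
  store.read('k')
end

# Bytes the app did not write, loaded through JSON: either plain data comes
# back, or parsing fails with JSON::ParserError. Neither path executes anything
# chosen by whoever wrote the bytes. The app must still validate the contents
# it reads (e.g. not trust an 'admin' flag merely because it is present).
def load_tampered_json(bytes)
  store = SerializingStore.new(JsonSerializer)
  store.write('k', { 'user_id' => 42 })
  store.overwrite_raw('k', bytes)
  store.read('k')
rescue JSON::ParserError
  :rejected
end
```

Anything with the same two methods (YAML, Oj, a wrapper adding a MAC over the bytes) plugs into the same slot; the store never needs to know which one it was given.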