redis-store v1.4.0 Release Notes
Release Date: 2017-08-25 // over 6 years ago-
🔧 Due to concerns over a possible vulnerability (should someone obtain write access to the Redis database the application is using) related to marshalling in #289 , we've replaced the
Marshallingfeature withSerialization, allowing the user to specify their own serializer responding to the.dumpand.loadmethods. This is similar to how Dalli works.🚀 Using an alternative serializer like
YAMLorJSONmeans if your Redis server becomes compromised in any way, the compromise cannot affect your running app. However, not all objects serialize cleanly to YAML and/or JSON. In order to achieve backwards compatibility, we have suppliedMarshalas the default serializer object, and released a minor version of this gem. All recent versions of redis-store gems (likeredis-activesupportandredis-actionpack) that depend on this gem allow forredis-storeup to but not including 2.0.0, so to get this version you can run:bundle update redis-storeA CVE has been filed, CVE-2017-1000248, so that this issue is easier to refer to.