Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a
time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts
within the Devise::Models::Lockable class not being concurrency safe.

4.6.1 (from changelog)

• bug fixes
  • Check if root_path is defined with #respond_to? instead of #present (by @tegon)

4.6.0 (from changelog)

• enhancements

  • Allow to skip email and password change notifications (by @iorme1)
  • Include the use of nil for allow_unconfirmed_access_for in the docs (by @joaumg)
  • Ignore useless files into the .gem file (by @huacnlee)
  • Explain the code that prevents enumeration attacks inside Devise::Strategies::DatabaseAuthenticatable (by @tegon)
  • Refactor the devise_error_messages! helper to render a partial (by @prograhamer)
  • Add an option (Devise.sign_in_after_change_password) to not automatically sign in a user after changing a password (by @knjko)

• bug fixes

  • Fix missing comma in Simple Form generator (by @colinross)
  • Fix error with migration generator in Rails 6 (by @oystersauce8)
  • Set encrypted_password to nil when password is set to nil (by @sivagollapalli)
  • Consider whether the request supports flash messages inside Devise::Controllers::Helpers#is_flashing_format? (by @colinross)
  • Fix typo inside Devise::Generators::ControllersGenerator (by @kopylovvlad)
  • Sanitize parameters inside Devise::Models::Authenticatable#find_or_initialize_with_errors (by @rlue)
  • #after_database_authentication callback was not called after authentication on password reset (by @kanmaniselvan)
  • Fix corner case when #confirmation_period_valid? was called at the same second as confirmation_sent_at was set. Mostly true for date types that only have second precisions. (by @stanhu)
  • Fix unclosed li tag in error_messages partial (by @mracos)
  • Fix Routes issue when devise engine is mounted in another engine on Rails versions lower than 5.1 (by @a-barbieri)
  • Make #increment_failed_attempts concurrency safe (by @tegon)
  • Apply Test Helper fix to Rails 6.0 as well as 5.x (by @matthewrudy)

• deprecations

  • The second argument of DatabaseAuthenticatable's #update_with_password and #update_without_password is deprecated and will be removed in the next major version. It was added to support a feature deprecated in Rails 4, so you can safely remove it from your code. (by @ihatov08)
  • The DeviseHelper.devise_error_messages! is deprecated and will be removed in the next major version. Use the devise/shared/error_messages partial instead. (by @mracos)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 57 commits:

• Prepare for `4.6.1` release
• Update CHANGELOG.md [ci skip]
• Check if `root_path` is defined with `#respond_to?` instead of `#present` (#5022)
• Prepare for `4.6.0` release
• Update CHANGELOG.md [ci skip]
• Merge pull request #5018 from plataformatec/frg-fix-webrat-warning
• Fix webrat warnings
• Merge pull request #5014 from plataformatec/frg-fix-test-setup
• Fix bin/test to use Rails::TestUnit
• Merge pull request #5011 from plataformatec/frg-fix-sqlite-warning
• Fix SQLite3 warning
• Update README to help run tests [ci skip] (#5012)
• removing white space in devise generator new.html.erb (#5010)
• Update CHANGELOG.md [ci skip]
• Refactor fix #4127
• FIX plataformatec/devise#4127 (#4700)
• Add Rails 6 to CI (#5009)
• Apply Test Helper fix to Rails 6.0 as well as 5.x (#5002)
• Merge pull request #5005 from plataformatec/frg-fix-travis-build
• Fix travis build
• Fixed broken README link in changelog [ci skip] (#4999)
• Merge pull request #4998 from Atul9/update-license
• Update copyright notice to 2019 [ci skip]
• Make `#increment_failed_attempts` concurrency safe (#4996)
• Add an option to not automatically sign in a user after changing a password (#4569)
• Removing extra characters (#4991)
• Removed extra characters (#4988)
• Don't run `gem update --system` and `gem install bundler` on CI
• Update `CHANGELOG.md` [ci skip]
• Merge pull request #4989 from plataformatec/mf-fix-unclosed-tag-error-messages-partial
• Add a deprecation warn for `DeviseHelper.devise_error_messages!`
• Fix unclosed `li` tag in `error_messages` partial
• Refactor the devise_error_messages! helper to render a partial (#4616)
• Update CHANGELOG.md [ci skip]
• Fix corner case when confirmation_sent_at is equal to 0.days.ago (#4529)
• Update `CHANGELOG.md` [ci skip]
• Add deprication waring if use options argument at DatabaseAuthenticatable#update_with_password,#update_without_password (#4935)
• Fix typo [ci skip]
• Explain the code that prevents enumeration attacks
• Ignore useless files into the gem file. (#4955)
• Issue 4895: Add `after_database_authentication` callback after sign_in immediately after password update (#4916)
• Add missing specs for `#find_or_initialize_with_errors`
• [bugfix] [refactoring] Sanitize parameters in find_or_initialize_with_errors (#4797)
• fixed description for Devise::Generators::ControllersGenerator (#4975)
• Add more tests (#4970)
• Only flash if the request object that is loaded supports it (#4950)
• [#4245] Allowing password to nil (#4261)
• chore(docs): allow_unconfirmed_access_for = nil (#2275) (#4964)
• Merge pull request #4961 from HarlemSquirrel/issue-template-20181028
• Merge pull request #4960 from HarlemSquirrel/contributing-20181028
• Fix Issue template grammar
• Fix CONTRIBUTING.md typo
• Issue #4941 , handle error 'Please specify the Rails release the migration was written for' (#4942)
• Updated year in MIT-LICENSE (#4948)
• issue 4526 adds skip email and password change notifications methods (#4824)
• Merge pull request #4938 from colinross/issue-#4931-missing-comma
• Missing comma in form input

2.4.1 (from changelog)

• Add support for Rails 6 beta

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 15 commits:

• Prepare for `2.4.1` release
• Merge pull request #201 from plataformatec/revert-197-rails_6_undefined_local_variable_or_method_mimes_for_respond_to
• Revert "Allow rails 6"
• Merge pull request #197 from oystersauce8/rails_6_undefined_local_variable_or_method_mimes_for_respond_to
• Merge pull request #199 from jfeaver/patch-1
• use "these" for plural noun phrase
• Allow rails 6
• Merge pull request #188 from Fudoshiki/master
• change travis matrix
• change right border
• Allow rails 6
• Merge pull request #185 from uuushiro/master
• fix typo
• Merge pull request #183 from amatsuda/https
• GitHub is HTTPS by default

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)