Update vulnerable gems

The vulnerability message is below. In order to upgrade activejob, I had to upgrade Rails to version 5.1.6.1, which touched quite a few other gems. Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: rack Version: 2.0.3 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
hotline-webring · Dec 12, 2018 · 873ba5b · 873ba5b
1 parent 0d72cd0
commit 873ba5b
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 53 deletions.
diff --git a/Gemfile b/Gemfile
@@ -12,7 +12,7 @@ gem "normalize-rails", "~> 3.0.0"
 gem "pg"
 gem "puma"
 gem "rack-canonical-host"
-gem "rails", ">= 5.1.4"
+gem "rails", "~> 5.1.6"
 gem "sass-rails"
 gem "simple_form"
 gem "title"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,41 +1,41 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.1.4)
-      actionpack (= 5.1.4)
+    actioncable (5.1.6.1)
+      actionpack (= 5.1.6.1)
       nio4r (~> 2.0)
       websocket-driver (~> 0.6.1)
-    actionmailer (5.1.4)
-      actionpack (= 5.1.4)
-      actionview (= 5.1.4)
-      activejob (= 5.1.4)
+    actionmailer (5.1.6.1)
+      actionpack (= 5.1.6.1)
+      actionview (= 5.1.6.1)
+      activejob (= 5.1.6.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.1.4)
-      actionview (= 5.1.4)
-      activesupport (= 5.1.4)
+    actionpack (5.1.6.1)
+      actionview (= 5.1.6.1)
+      activesupport (= 5.1.6.1)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.1.4)
-      activesupport (= 5.1.4)
+    actionview (5.1.6.1)
+      activesupport (= 5.1.6.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.1.4)
-      activesupport (= 5.1.4)
+    activejob (5.1.6.1)
+      activesupport (= 5.1.6.1)
       globalid (>= 0.3.6)
-    activemodel (5.1.4)
-      activesupport (= 5.1.4)
-    activerecord (5.1.4)
-      activemodel (= 5.1.4)
-      activesupport (= 5.1.4)
+    activemodel (5.1.6.1)
+      activesupport (= 5.1.6.1)
+    activerecord (5.1.6.1)
+      activemodel (= 5.1.6.1)
+      activesupport (= 5.1.6.1)
       arel (~> 8.0)
-    activesupport (5.1.4)
+    activesupport (5.1.6.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (~> 0.7)
+      i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     addressable (2.4.0)
@@ -58,10 +58,10 @@ GEM
       rack-test (>= 0.5.4)
       xpath (~> 2.0)
     coderay (1.1.1)
-    concurrent-ruby (1.0.5)
+    concurrent-ruby (1.1.3)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
-    crass (1.0.3)
+    crass (1.0.4)
     database_cleaner (1.5.3)
     debug_inspector (0.0.2)
     diff-lcs (1.2.5)
@@ -70,7 +70,7 @@ GEM
     dotenv-rails (2.2.1)
       dotenv (= 2.2.1)
       railties (>= 3.2, < 5.2)
-    erubi (1.7.0)
+    erubi (1.7.1)
     execjs (2.7.0)
     factory_girl (4.7.0)
       activesupport (>= 3.0.0)
@@ -86,7 +86,7 @@ GEM
       activesupport (>= 4.2.0)
     hashdiff (0.3.0)
     high_voltage (3.0.0)
-    i18n (0.9.1)
+    i18n (1.2.0)
       concurrent-ruby (~> 1.0)
     jquery-rails (4.2.1)
       rails-dom-testing (>= 1, < 3)
@@ -95,23 +95,23 @@ GEM
     json (2.0.2)
     launchy (2.4.3)
       addressable (~> 2.3)
-    loofah (2.1.1)
+    loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.7.0)
+    mail (2.7.1)
       mini_mime (>= 0.1.1)
     method_source (0.8.2)
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
-    mini_mime (1.0.0)
+    mini_mime (1.0.1)
     mini_portile2 (2.3.0)
-    minitest (5.11.0)
+    minitest (5.11.3)
     neat (1.7.4)
       bourbon (>= 4.0)
       sass (>= 3.3)
-    nio4r (2.2.0)
-    nokogiri (1.8.1)
+    nio4r (2.3.1)
+    nokogiri (1.8.5)
       mini_portile2 (~> 2.3.0)
     normalize-rails (3.0.3)
     pg (0.19.0)
@@ -122,38 +122,38 @@ GEM
     pry-rails (0.3.4)
       pry (>= 0.9.10)
     puma (3.6.0)
-    rack (2.0.3)
+    rack (2.0.6)
     rack-canonical-host (0.2.2)
       addressable (> 0, < 3)
       rack (>= 1.0.0, < 3)
-    rack-test (0.8.2)
+    rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rack-timeout (0.4.2)
-    rails (5.1.4)
-      actioncable (= 5.1.4)
-      actionmailer (= 5.1.4)
-      actionpack (= 5.1.4)
-      actionview (= 5.1.4)
-      activejob (= 5.1.4)
-      activemodel (= 5.1.4)
-      activerecord (= 5.1.4)
-      activesupport (= 5.1.4)
+    rails (5.1.6.1)
+      actioncable (= 5.1.6.1)
+      actionmailer (= 5.1.6.1)
+      actionpack (= 5.1.6.1)
+      actionview (= 5.1.6.1)
+      activejob (= 5.1.6.1)
+      activemodel (= 5.1.6.1)
+      activerecord (= 5.1.6.1)
+      activesupport (= 5.1.6.1)
       bundler (>= 1.3.0)
-      railties (= 5.1.4)
+      railties (= 5.1.6.1)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
     rails_stdout_logging (0.0.5)
-    railties (5.1.4)
-      actionpack (= 5.1.4)
-      activesupport (= 5.1.4)
+    railties (5.1.6.1)
+      actionpack (= 5.1.6.1)
+      activesupport (= 5.1.6.1)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (12.3.0)
+    rake (12.3.2)
     rspec-core (3.5.3)
       rspec-support (~> 3.5.0)
     rspec-expectations (3.5.0)
@@ -196,21 +196,21 @@ GEM
     spring (1.7.2)
     spring-commands-rspec (1.0.4)
       spring (>= 0.9.1)
-    sprockets (3.7.1)
+    sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.2.1)
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    thor (0.20.0)
+    thor (0.20.3)
     thread_safe (0.3.6)
     tilt (2.0.5)
     timecop (0.8.1)
     title (0.0.7)
       i18n
       rails (>= 3.1)
-    tzinfo (1.2.4)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
     uglifier (3.0.2)
       execjs (>= 0.3.0, < 3)
@@ -252,7 +252,7 @@ DEPENDENCIES
   puma
   rack-canonical-host
   rack-timeout
-  rails (>= 5.1.4)
+  rails (~> 5.1.6)
   rails_stdout_logging
   rspec-rails (~> 3.5.2)
   rspec_junit_formatter