From 873ba5b5d2a3e4c48cfd6b14017d7ebde1a37b69 Mon Sep 17 00:00:00 2001 From: Gabe Berke-Williams Date: Tue, 11 Dec 2018 21:17:48 -0800 Subject: [PATCH] Update vulnerable gems The vulnerability message is below. In order to upgrade activejob, I had to upgrade Rails to version 5.1.6.1, which touched quite a few other gems. Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Unknown URL: https://github.com/flavorjones/loofah/issues/154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: https://github.com/flavorjones/loofah/issues/144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: https://github.com/sparklemotion/nokogiri/issues/1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: https://github.com/sparklemotion/nokogiri/issues/1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: https://github.com/sparklemotion/nokogiri/pull/1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: rack Version: 2.0.3 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8 --- Gemfile | 2 +- Gemfile.lock | 104 +++++++++++++++++++++++++-------------------------- 2 files changed, 53 insertions(+), 53 deletions(-) diff --git a/Gemfile b/Gemfile index 36f54e0..ec05313 100644 --- a/Gemfile +++ b/Gemfile @@ -12,7 +12,7 @@ gem "normalize-rails", "~> 3.0.0" gem "pg" gem "puma" gem "rack-canonical-host" -gem "rails", ">= 5.1.4" +gem "rails", "~> 5.1.6" gem "sass-rails" gem "simple_form" gem "title" diff --git a/Gemfile.lock b/Gemfile.lock index 35221c7..f3ca36a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,41 +1,41 @@ GEM remote: https://rubygems.org/ specs: - actioncable (5.1.4) - actionpack (= 5.1.4) + actioncable (5.1.6.1) + actionpack (= 5.1.6.1) nio4r (~> 2.0) websocket-driver (~> 0.6.1) - actionmailer (5.1.4) - actionpack (= 5.1.4) - actionview (= 5.1.4) - activejob (= 5.1.4) + actionmailer (5.1.6.1) + actionpack (= 5.1.6.1) + actionview (= 5.1.6.1) + activejob (= 5.1.6.1) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (5.1.4) - actionview (= 5.1.4) - activesupport (= 5.1.4) + actionpack (5.1.6.1) + actionview (= 5.1.6.1) + activesupport (= 5.1.6.1) rack (~> 2.0) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (5.1.4) - activesupport (= 5.1.4) + actionview (5.1.6.1) + activesupport (= 5.1.6.1) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.3) - activejob (5.1.4) - activesupport (= 5.1.4) + activejob (5.1.6.1) + activesupport (= 5.1.6.1) globalid (>= 0.3.6) - activemodel (5.1.4) - activesupport (= 5.1.4) - activerecord (5.1.4) - activemodel (= 5.1.4) - activesupport (= 5.1.4) + activemodel (5.1.6.1) + activesupport (= 5.1.6.1) + activerecord (5.1.6.1) + activemodel (= 5.1.6.1) + activesupport (= 5.1.6.1) arel (~> 8.0) - activesupport (5.1.4) + activesupport (5.1.6.1) concurrent-ruby (~> 1.0, >= 1.0.2) - i18n (~> 0.7) + i18n (>= 0.7, < 2) minitest (~> 5.1) tzinfo (~> 1.1) addressable (2.4.0) @@ -58,10 +58,10 @@ GEM rack-test (>= 0.5.4) xpath (~> 2.0) coderay (1.1.1) - concurrent-ruby (1.0.5) + concurrent-ruby (1.1.3) crack (0.4.3) safe_yaml (~> 1.0.0) - crass (1.0.3) + crass (1.0.4) database_cleaner (1.5.3) debug_inspector (0.0.2) diff-lcs (1.2.5) @@ -70,7 +70,7 @@ GEM dotenv-rails (2.2.1) dotenv (= 2.2.1) railties (>= 3.2, < 5.2) - erubi (1.7.0) + erubi (1.7.1) execjs (2.7.0) factory_girl (4.7.0) activesupport (>= 3.0.0) @@ -86,7 +86,7 @@ GEM activesupport (>= 4.2.0) hashdiff (0.3.0) high_voltage (3.0.0) - i18n (0.9.1) + i18n (1.2.0) concurrent-ruby (~> 1.0) jquery-rails (4.2.1) rails-dom-testing (>= 1, < 3) @@ -95,23 +95,23 @@ GEM json (2.0.2) launchy (2.4.3) addressable (~> 2.3) - loofah (2.1.1) + loofah (2.2.3) crass (~> 1.0.2) nokogiri (>= 1.5.9) - mail (2.7.0) + mail (2.7.1) mini_mime (>= 0.1.1) method_source (0.8.2) mime-types (3.1) mime-types-data (~> 3.2015) mime-types-data (3.2016.0521) - mini_mime (1.0.0) + mini_mime (1.0.1) mini_portile2 (2.3.0) - minitest (5.11.0) + minitest (5.11.3) neat (1.7.4) bourbon (>= 4.0) sass (>= 3.3) - nio4r (2.2.0) - nokogiri (1.8.1) + nio4r (2.3.1) + nokogiri (1.8.5) mini_portile2 (~> 2.3.0) normalize-rails (3.0.3) pg (0.19.0) @@ -122,38 +122,38 @@ GEM pry-rails (0.3.4) pry (>= 0.9.10) puma (3.6.0) - rack (2.0.3) + rack (2.0.6) rack-canonical-host (0.2.2) addressable (> 0, < 3) rack (>= 1.0.0, < 3) - rack-test (0.8.2) + rack-test (1.1.0) rack (>= 1.0, < 3) rack-timeout (0.4.2) - rails (5.1.4) - actioncable (= 5.1.4) - actionmailer (= 5.1.4) - actionpack (= 5.1.4) - actionview (= 5.1.4) - activejob (= 5.1.4) - activemodel (= 5.1.4) - activerecord (= 5.1.4) - activesupport (= 5.1.4) + rails (5.1.6.1) + actioncable (= 5.1.6.1) + actionmailer (= 5.1.6.1) + actionpack (= 5.1.6.1) + actionview (= 5.1.6.1) + activejob (= 5.1.6.1) + activemodel (= 5.1.6.1) + activerecord (= 5.1.6.1) + activesupport (= 5.1.6.1) bundler (>= 1.3.0) - railties (= 5.1.4) + railties (= 5.1.6.1) sprockets-rails (>= 2.0.0) rails-dom-testing (2.0.3) activesupport (>= 4.2.0) nokogiri (>= 1.6) - rails-html-sanitizer (1.0.3) - loofah (~> 2.0) + rails-html-sanitizer (1.0.4) + loofah (~> 2.2, >= 2.2.2) rails_stdout_logging (0.0.5) - railties (5.1.4) - actionpack (= 5.1.4) - activesupport (= 5.1.4) + railties (5.1.6.1) + actionpack (= 5.1.6.1) + activesupport (= 5.1.6.1) method_source rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) - rake (12.3.0) + rake (12.3.2) rspec-core (3.5.3) rspec-support (~> 3.5.0) rspec-expectations (3.5.0) @@ -196,21 +196,21 @@ GEM spring (1.7.2) spring-commands-rspec (1.0.4) spring (>= 0.9.1) - sprockets (3.7.1) + sprockets (3.7.2) concurrent-ruby (~> 1.0) rack (> 1, < 3) sprockets-rails (3.2.1) actionpack (>= 4.0) activesupport (>= 4.0) sprockets (>= 3.0.0) - thor (0.20.0) + thor (0.20.3) thread_safe (0.3.6) tilt (2.0.5) timecop (0.8.1) title (0.0.7) i18n rails (>= 3.1) - tzinfo (1.2.4) + tzinfo (1.2.5) thread_safe (~> 0.1) uglifier (3.0.2) execjs (>= 0.3.0, < 3) @@ -252,7 +252,7 @@ DEPENDENCIES puma rack-canonical-host rack-timeout - rails (>= 5.1.4) + rails (~> 5.1.6) rails_stdout_logging rspec-rails (~> 3.5.2) rspec_junit_formatter