From f30e3a554af2b6ca180d1da26cf3574518adef3a Mon Sep 17 00:00:00 2001 
From: Adrian Cann Date: Sat, 10 Oct 2020 17:20:57 -0400 Subject: [PATCH 1/6] Update rails based on CVE Name: actionpack Version: 5.2.1 Advisory: CVE-2020-8166 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.2.1 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.2.1 Advisory: CVE-2020-15169 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 Name: actionview Version: 5.2.1 Advisory: CVE-2020-5267 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 Name: actionview Version: 5.2.1 Advisory: CVE-2020-8167 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.2.1 Advisory: CVE-2019-5419 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1 Name: actionview Version: 5.2.1 Advisory: CVE-2019-5418 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 
5.2.2, >= 5.2.2.1, >= 6.0.0.beta3 Name: activejob Version: 5.2.1 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activestorage Version: 5.2.1 Advisory: CVE-2018-16477 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg Title: Bypass vulnerability in Active Storage Solution: upgrade to >= 5.2.1.1 Name: activestorage Version: 5.2.1 Advisory: CVE-2020-8162 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ Title: Circumvention of file size limits in ActiveStorage Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: activesupport Version: 5.2.1 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 --- Gemfile | 2 +- Gemfile.lock | 122 +++++++++++++++++++++++++-------------------------- 2 files changed, 62 insertions(+), 62 deletions(-)
diff --git a/Gemfile b/Gemfile
index 2163b45..d406169 100644
--- a/Gemfile
+++ b/Gemfile
@@ -24,7 +24,7 @@ gem "normalize-rails"
 gem "pg"
 gem 'puma'
 gem "rack-canonical-host"
-gem "rails", "~> 5.2.1"
+gem "rails", "~> 5.2.4.3"
 gem "recipient_interceptor"
 gem "redcarpet"
 gem "refills"
diff --git a/Gemfile.lock b/Gemfile.lock
index c29e5f1..3c51fbc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
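Review bot: The new constraint on the `+gem "rails", "~> 5.2.4.3"` line narrows the permitted range to `>= 5.2.4.3, < 5.2.5`, whereas the previous `~> 5.2.1` admitted any 5.2.x release; the next 5.2.x minor, which is typically where later security releases for this branch land, will be refused by `bundle update rails` until the Gemfile is edited again. If the goal is only to clear the advisories listed in the message, `gem "rails", "~> 5.2.4", ">= 5.2.4.3"` keeps the same floor and leaves the rest of the 5.2 line open. The `rails (~> 5.2.4.3)` entry in the later Gemfile.lock DEPENDENCIES hunk mirrors this constraint and would follow a Gemfile change on the next bundle run.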
@@ -1,43 +1,43 @@ GEM remote: https://rubygems.org/ specs: - actioncable (5.2.1) - actionpack (= 5.2.1) + actioncable (5.2.4.4) + actionpack (= 5.2.4.4) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailer (5.2.1) - actionpack (= 5.2.1) - actionview (= 5.2.1) - activejob (= 5.2.1) + actionmailer (5.2.4.4) + actionpack (= 5.2.4.4) + actionview (= 5.2.4.4) + activejob (= 5.2.4.4) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (5.2.1) - actionview (= 5.2.1) - activesupport (= 5.2.1) - rack (~> 2.0) + actionpack (5.2.4.4) + actionview (= 5.2.4.4) + activesupport (= 5.2.4.4) + rack (~> 2.0, >= 2.0.8) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (5.2.1) - activesupport (= 5.2.1) + actionview (5.2.4.4) + activesupport (= 5.2.4.4) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.3) - activejob (5.2.1) - activesupport (= 5.2.1) + activejob (5.2.4.4) + activesupport (= 5.2.4.4) globalid (>= 0.3.6) - activemodel (5.2.1) - activesupport (= 5.2.1) - activerecord (5.2.1) - activemodel (= 5.2.1) - activesupport (= 5.2.1) + activemodel (5.2.4.4) + activesupport (= 5.2.4.4) + activerecord (5.2.4.4) + activemodel (= 5.2.4.4) + activesupport (= 5.2.4.4) arel (>= 9.0) - activestorage (5.2.1) - actionpack (= 5.2.1) - activerecord (= 5.2.1) + activestorage (5.2.4.4) + actionpack (= 5.2.4.4) + activerecord (= 5.2.4.4) marcel (~> 0.3.1) - activesupport (5.2.1) + activesupport (5.2.4.4) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 0.7, < 2) minitest (~> 5.1) @@ -66,7 +66,7 @@ GEM sass (~> 3.4) thor (~> 0.19) browser (2.2.0) - builder (3.2.3) + builder (3.2.4) bundler-audit (0.5.0) bundler (~> 1.2) thor (~> 0.18) 
@@ -110,10 +110,10 @@ GEM coffee-script-source execjs coffee-script-source (1.12.2) - concurrent-ruby (1.0.5) + concurrent-ruby (1.1.7) crack (0.4.3) safe_yaml (~> 1.0.0) - crass (1.0.4) + crass (1.0.6) database_cleaner (1.7.0) delayed_job (4.1.5) activesupport (>= 3.0, < 5.3) @@ -131,7 +131,7 @@ GEM thread thread_safe encryptor (3.0.0) - erubi (1.7.1) + erubi (1.9.0) erubis (2.7.0) execjs (2.7.0) factory_bot (4.11.1) @@ -153,11 +153,11 @@ GEM faraday_middleware (~> 0.9) faraday_middleware-parse_oj (~> 0.3) launchy (~> 2.4) - globalid (0.4.1) + globalid (0.4.2) activesupport (>= 4.2.0) hashdiff (0.3.7) highline (1.7.8) - i18n (1.1.1) + i18n (1.8.5) concurrent-ruby (~> 1.0) i18n-tasks (0.9.5) activesupport (>= 4.0.2) @@ -177,7 +177,7 @@ GEM json (2.0.2) launchy (2.4.3) addressable (~> 2.3) - loofah (2.2.2) + loofah (2.7.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) mail (2.7.1) @@ -188,10 +188,10 @@ GEM mime-types (3.1) mime-types-data (~> 3.2015) mime-types-data (3.2016.0521) - mimemagic (0.3.2) - mini_mime (1.0.1) - mini_portile2 (2.3.0) - minitest (5.11.3) + mimemagic (0.3.5) + mini_mime (1.0.2) + mini_portile2 (2.4.0) + minitest (5.14.2) multipart-post (2.0.0) neat (1.7.4) bourbon (>= 4.0) @@ -199,9 +199,9 @@ GEM net-scp (1.2.1) net-ssh (>= 2.6.5) net-ssh (4.1.0) - nio4r (2.3.1) - nokogiri (1.8.5) - mini_portile2 (~> 2.3.0) + nio4r (2.5.4) + nokogiri (1.10.10) + mini_portile2 (~> 2.4.0) normalize-rails (3.0.3) oj (2.18.5) parser (2.3.1.4) 
@@ -215,38 +215,38 @@ GEM pry (>= 0.9.10) public_suffix (3.0.2) puma (3.11.4) - rack (2.0.5) + rack (2.2.3) rack-canonical-host (0.2.2) addressable (> 0, < 3) rack (>= 1.0.0, < 3) rack-test (1.1.0) rack (>= 1.0, < 3) rack-timeout (0.4.2) - rails (5.2.1) - actioncable (= 5.2.1) - actionmailer (= 5.2.1) - actionpack (= 5.2.1) - actionview (= 5.2.1) - activejob (= 5.2.1) - activemodel (= 5.2.1) - activerecord (= 5.2.1) - activestorage (= 5.2.1) - activesupport (= 5.2.1) + rails (5.2.4.4) + actioncable (= 5.2.4.4) + actionmailer (= 5.2.4.4) + actionpack (= 5.2.4.4) + actionview (= 5.2.4.4) + activejob (= 5.2.4.4) + activemodel (= 5.2.4.4) + activerecord (= 5.2.4.4) + activestorage (= 5.2.4.4) + activesupport (= 5.2.4.4) bundler (>= 1.3.0) - railties (= 5.2.1) + railties (= 5.2.4.4) sprockets-rails (>= 2.0.0) rails-dom-testing (2.0.3) activesupport (>= 4.2.0) nokogiri (>= 1.6) - rails-html-sanitizer (1.0.4) - loofah (~> 2.2, >= 2.2.2) - railties (5.2.1) - actionpack (= 5.2.1) - activesupport (= 5.2.1) + rails-html-sanitizer (1.3.0) + loofah (~> 2.3) + railties (5.2.4.4) + actionpack (= 5.2.4.4) + activesupport (= 5.2.4.4) method_source rake (>= 0.8.7) thor (>= 0.19.0, < 2.0) - rake (12.3.1) + rake (13.0.1) rb-fsevent (0.10.3) rb-inotify (0.9.10) ffi (>= 0.5.0, < 2) @@ -304,7 +304,7 @@ GEM sprockets (3.7.2) concurrent-ruby (~> 1.0) rack (> 1, < 3) - sprockets-rails (3.2.1) + sprockets-rails (3.2.2) actionpack (>= 4.0) activesupport (>= 4.0) sprockets (>= 3.0.0) @@ -319,7 +319,7 @@ GEM tins (~> 1.0) terminal-table (1.7.3) unicode-display_width (~> 1.1.1) - thor (0.20.0) + thor (0.20.3) thread (0.2.2) thread_safe (0.3.6) tilt (2.0.8) @@ -328,7 +328,7 @@ GEM title (0.0.7) i18n rails (>= 3.1) - tzinfo (1.2.5) + tzinfo (1.2.7) thread_safe (~> 0.1) uglifier (3.0.2) execjs (>= 0.3.0, < 3) 
@@ -342,9 +342,9 @@ GEM addressable (>= 2.3.6) crack (>= 0.3.2) hashdiff - websocket-driver (0.7.0) + websocket-driver (0.7.3) websocket-extensions (>= 0.1.0) - websocket-extensions (0.1.3) + websocket-extensions (0.1.5) whenever (0.9.7) chronic (>= 0.6.3) xpath (2.1.0) @@ -388,7 +388,7 @@ DEPENDENCIES puma rack-canonical-host rack-timeout - rails (~> 5.2.1) + rails (~> 5.2.4.3) recipient_interceptor redcarpet refills From ebacc731efefa0be93faf34fde393c7f4d463c59 Mon Sep 17 00:00:00 2001 From: Adrian Cann Date: Sat, 10 Oct 2020 17:23:25 -0400 Subject: [PATCH 2/6] Update jquery-rails for CVE ruby-advisory-db: 472 advisories Name: jquery-rails Version: 4.3.3 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4 --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 3c51fbc..ef2817d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -170,7 +170,7 @@ GEM term-ansicolor (>= 1.3.2) terminal-table (>= 1.5.1) io-like (0.3.0) - jquery-rails (4.3.3) + jquery-rails (4.4.0) rails-dom-testing (>= 1, < 3) railties (>= 4.2.0) thor (>= 0.14, < 2.0) From 26f6685262c0eac966671492198f012e68159f1c Mon Sep 17 00:00:00 2001 From: Adrian Cann Date: Sat, 10 Oct 2020 17:24:19 -0400 Subject: [PATCH 3/6] Update json gem for CVE Name: json Version: 2.0.2 Advisory: CVE-2020-10663 Criticality: Unknown URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ Title: json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) Solution: upgrade to >= 2.3.0 --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index ef2817d..1ccef0c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -174,7 +174,7 @@ GEM rails-dom-testing (>= 1, < 3) railties (>= 4.2.0) thor (>= 0.14, < 2.0) - json (2.0.2) + json (2.3.1) launchy (2.4.3) addressable (~> 2.3) loofah (2.7.0) From 923cfba771e588cfa164c54bf99544675d34a23b Mon Sep 17 00:00:00 2001 From: Adrian Cann Date: Sat, 10 Oct 2020 17:25:19 -0400 Subject: [PATCH 4/6] Update puma gem Name: puma Version: 3.11.4 Advisory: CVE-2019-16770 Criticality: High URL: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994 Title: Keepalive thread overload/DoS in puma Solution: upgrade to ~> 3.12.2, >= 4.3.1 --- Gemfile.lock | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 1ccef0c..bab0e48 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -214,7 +214,8 @@ GEM pry-rails (0.3.4) pry (>= 0.9.10) public_suffix (3.0.2) - puma (3.11.4) + puma (5.0.2) + nio4r (~> 2.0) rack (2.2.3) rack-canonical-host (0.2.2) addressable (> 0, < 3) From 1d640fcffd7dee206d363c5d70b43269b36968cc Mon Sep 17 00:00:00 2001 From: Adrian Cann Date: Sat, 10 Oct 2020 17:31:36 -0400 Subject: [PATCH 5/6] Update rubyzip gem for CVE ruby-advisory-db: 472 advisories Name: rubyzip Version: 1.2.2 Advisory: CVE-2019-16892 Criticality: Unknown URL: https://github.com/rubyzip/rubyzip/pull/403 Title: Denial of Service in rubyzip ("zip bombs") Solution: upgrade to >= 1.3.0 --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index bab0e48..d27b743 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -272,7 +272,7 @@ GEM rspec-mocks (~> 3.8.0) rspec-support (~> 3.8.0) rspec-support (3.8.0) - rubyzip (1.2.2) + rubyzip (1.3.0) safe_yaml (1.0.4) sass (3.6.0) sass-listen (~> 4.0.0) From 8c7e733a5fe6a93f8cba7acd74f46712ec07c574 Mon Sep 17 00:00:00 2001 
From: Adrian Cann Date: Sat, 10 Oct 2020 17:32:29 -0400 Subject: [PATCH 6/6] Update simple_form to fix CVE Name: simple_form Version: 4.0.1 Advisory: CVE-2019-16676 Criticality: Unknown URL: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx Title: simple_form Gem for Ruby Incorrect Access Control for forms based on user input Solution: upgrade to >= 5.0 --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index d27b743..d259a03 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -290,7 +290,7 @@ GEM rubyzip (~> 1.2) shoulda-matchers (3.1.1) activesupport (>= 4.0.0) - simple_form (4.0.1) + simple_form (5.0.3) actionpack (>= 5.0) activemodel (>= 5.0) simplecov (0.12.0)