
🚨 [security] Update all of rails: 5.2.4.3 → 5.2.4.4 (patch) #643

Merged
merged 1 commit into from
Sep 10, 2020

Conversation

depfu[bot]
Contributor

@depfu depfu bot commented Sep 9, 2020


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (5.2.4.3 → 5.2.4.4) · Repo

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ actioncable (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ actionmailer (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ actionpack (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ actionview (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Security Advisories 🚨

🚨 Potential XSS vulnerability in Action View

There is a potential Cross-Site Scripting (XSS) vulnerability in Action
View's translation helpers. Views that allow the user to control the
default (not found) value of the t and translate helpers could be
susceptible to XSS attacks.

Impact

When an HTML-unsafe string is passed as the default for a missing
translation key named html or ending in _html,
the default string is incorrectly marked as HTML-safe and not escaped.
Vulnerable code may look like the following examples:

<%# The welcome_html translation is not defined for the current locale: %>
<%= t("welcome_html", default: untrusted_user_controlled_string) %>

<%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>
<%= t("title.html", default: [:"missing.html", untrusted_user_controlled_string]) %>

Workarounds

Impacted users who can’t upgrade to a patched Rails version can avoid
this issue by manually escaping default translations with the
html_escape helper (aliased as h):

<%= t("welcome_html", default: h(untrusted_user_controlled_string)) %>

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ activejob (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ activemodel (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ activerecord (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ activestorage (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ activesupport (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ concurrent-ruby (indirect, 1.1.6 → 1.1.7) · Repo · Changelog

Release Notes

1.1.7 (from changelog)

concurrent-ruby:

  • (#879) Consider falsy value on Concurrent::Map#compute_if_absent for fast non-blocking path
  • (#876) Reset Async queue on forking, makes Async fork-safe
  • (#856) Avoid running problematic code in RubyThreadLocalVar on MRI that occasionally results in segfault
  • (#853) Introduce ThreadPoolExecutor without a Queue

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 42 commits:

↗️ i18n (indirect, 1.8.2 → 1.8.5) · Repo · Changelog

Release Notes

1.8.4

  • Fixed issue where fallbacks were not working when I18n.fallbacks was an array - #534
  • Fixed conditional around deprecating constant of INTERPOLATION_PATTERN - #531

1.8.3

Compare view: v1.8.2...v1.8.3

Features / Improvements

  • Memory and speed improvements - #527+ #528
  • Add option to disable fallbacks for I18n.exists? check - #482
  • Add an on_fallback hook to allow users to be notified when a fallback happens - #520

Bug Fixes

  • Fix an issue with deep_merge and chain fallback backends - #499 & #509
  • Fix an issue with Rails ordinal number proc and keyword splatting - #521
  • Pass options as keyword arguments to translation procs - #529
  • Fix pluralize on unknown locale with attributes - #519

Commits

See the full diff on Github. The new version differs by 49 commits:

↗️ loofah (indirect, 2.5.0 → 2.7.0) · Repo · Changelog

Release Notes

2.7.0

2.7.0 / 2020-08-26

Features

  • Allow CSS properties page-break-before, page-break-inside, and page-break-after. [#190] (Thanks, @ahorek!)

Fixes

  • Don't drop the !important rule from some CSS properties. [#191] (Thanks, @b7kich!)

2.6.0 (from changelog)

Features

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ minitest (indirect, 5.14.1 → 5.14.2) · Repo · Changelog

Release Notes

5.14.2 (from changelog)

  • 1 bug fix:

    • Bumped ruby version to include 3.0 (trunk).

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ nio4r (indirect, 2.5.2 → 2.5.3) · Repo · Changelog

Release Notes

2.5.3 (from changelog)

Commits

See the full diff on Github. The new version differs by 37 commits:

↗️ nokogiri (indirect, 1.10.9 → 1.10.10) · Repo · Changelog

Release Notes

1.10.10

1.10.10 / 2020-07-06

Features

  • [MRI] Cross-built Windows gems now support Ruby 2.7 [#2029]. Note that prior to this release, the v1.11.x prereleases provided this support.

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ rack (indirect, 2.2.2 → 2.2.3) · Repo · Changelog

Security Advisories 🚨

🚨 Percent-encoded cookies can be used to overwrite existing prefixed cookie names

It is possible to forge a secure or host-only cookie prefix in Rack using
an arbitrary cookie write by using URL encoding (percent-encoding) on the
name of the cookie. This could result in an application that is dependent on
this prefix to determine if a cookie is safe to process being manipulated
into processing an insecure or cross-origin request.
This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected: rack < 2.2.3, rack < 2.1.4
Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions: rack >= 2.2.3, rack >= 2.1.4

Impact

An attacker may be able to trick a vulnerable application into processing an
insecure (non-SSL) or cross-origin request if they can gain the ability to write
arbitrary cookies that are sent to the application.

Workarounds

If your application is impacted but you cannot upgrade to the released versions or apply
the provided patch, this issue can be temporarily addressed by adding the following workaround:

module Rack
  module Utils
    module_function def parse_cookies_header(header)
      return {} unless header
      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
        next if cookie.empty?
        key, value = cookie.split('=', 2)
        cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
      end
    end
  end
end
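To make the difference between the vulnerable and the patched parsing concrete, here is an added, constructed Ruby model (not Rack's own code) of both behaviours: the legacy one percent-decodes the cookie name, the workaround above decodes only the value. The sample header and the `CookieDemo` module name are assumptions for the demonstration.

```ruby
require 'uri'

# Constructed example, not Rack's code: a minimal model of the two cookie-name
# handling strategies described in the advisory, runnable offline.
module CookieDemo
  module_function

  # Percent-decode one cookie component; malformed input is kept verbatim,
  # mirroring Rack's `unescape(value) rescue value`.
  def unescape(str)
    URI.decode_www_form_component(str)
  rescue ArgumentError
    str
  end

  # Unpatched behaviour (rack < 2.2.3, modelled on the advisory text): the
  # cookie *name* is percent-decoded as well, so "%5F%5FHost-x" collapses into
  # "__Host-x" and, appearing first in the header, shadows the genuine cookie.
  def parse_legacy(header)
    return {} unless header
    header.split(/; */).each_with_object({}) do |cookie, cookies|
      next if cookie.empty?
      key, value = cookie.split('=', 2)
      key = unescape(key)
      value = unescape(value) if value
      cookies[key] = value unless cookies.key?(key)
    end
  end

  # Patched behaviour (the advisory's workaround): split first, decode only the
  # value, never the name. "%5F%5FHost-x" stays a distinct, unprefixed key and
  # cannot satisfy a __Host-/__Secure- prefix check.
  def parse_fixed(header)
    return {} unless header
    header.split(/; */).each_with_object({}) do |cookie, cookies|
      next if cookie.empty?
      key, value = cookie.split('=', 2)
      value = unescape(value) if value
      cookies[key] = value unless cookies.key?(key)
    end
  end

  # Constructed header: a percent-encoded name precedes the legitimate
  # __Host- cookie, which is the ordering the first-writer-wins rule punishes.
  SAMPLE_HEADER = "%5F%5FHost-session=forged; __Host-session=legit".freeze
end
```

A quick check such as `CookieDemo.parse_fixed(CookieDemo::SAMPLE_HEADER)["__Host-session"]` returning `"legit"` is a cheap regression test to keep next to the workaround.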

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ railties (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ websocket-driver (indirect, 0.7.1 → 0.7.3) · Repo · Changelog

Release Notes

0.7.3 (from changelog)

  • Let the client accept HTTP responses that have an empty reason phrase following the 101 status code

0.7.2 (from changelog)

  • Emit ping and pong events from the Server driver
  • Handle draft-76 handshakes correctly if the request's body is a frozen string

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ websocket-extensions (indirect, 0.1.4 → 0.1.5) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service in websocket-extensions (RubyGem)

Impact

The ReDoS flaw allows an attacker to exhaust the server's capacity to process
incoming requests by sending a WebSocket handshake request containing a header
of the following form:

Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...

That is, a header containing an unclosed string parameter value whose content is
a repeating two-byte sequence of a backslash and some other character. The
parser takes exponential time to reject this header as invalid, and this will
block the processing of any other work on the same thread. Thus if you are
running a single-threaded server, such a request can render your service
completely unavailable.

Workarounds

There are no known workarounds other than disabling any public-facing WebSocket functionality you are operating.

Release Notes

0.1.5 (from changelog)

  • Remove a ReDoS vulnerability in the header parser (CVE-2020-7663)

Commits

See the full diff on Github. The new version differs by 6 commits:


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Sep 9, 2020
@hennevogel hennevogel merged commit c94195a into master Sep 10, 2020
@depfu depfu bot deleted the depfu/update/group/rails-5.2.4.4 branch September 10, 2020 13:34