From 03226f1d8848ae66deb9a9c5e6f348d28e2022d0 Mon Sep 17 00:00:00 2001 From: Nick Charlton Date: Tue, 27 Jun 2023 15:41:44 +0100 Subject: [PATCH] Upgrade Rails from 7.0.4.3 to 7.0.5.1 (#2395) This fixes a vulnerability: Name: actionpack Version: 7.0.4.3 CVE: CVE-2023-28362 Criticality: Unknown URL: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132 Title: Possible XSS via User Supplied Values to redirect_to Solution: upgrade to '~> 6.1.7.4', '>= 7.0.5.1' --- Gemfile.lock | 131 ++++++++++++++++++++++++++------------------------- 1 file changed, 66 insertions(+), 65 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 2ff01d72e..e91d3d68d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -13,67 +13,67 @@ PATH GEM remote: https://rubygems.org/ specs: - actioncable (7.0.4.3) - actionpack (= 7.0.4.3) - activesupport (= 7.0.4.3) + actioncable (7.0.5.1) + actionpack (= 7.0.5.1) + activesupport (= 7.0.5.1) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (7.0.4.3) - actionpack (= 7.0.4.3) - activejob (= 7.0.4.3) - activerecord (= 7.0.4.3) - activestorage (= 7.0.4.3) - activesupport (= 7.0.4.3) + actionmailbox (7.0.5.1) + actionpack (= 7.0.5.1) + activejob (= 7.0.5.1) + activerecord (= 7.0.5.1) + activestorage (= 7.0.5.1) + activesupport (= 7.0.5.1) mail (>= 2.7.1) net-imap net-pop net-smtp - actionmailer (7.0.4.3) - actionpack (= 7.0.4.3) - actionview (= 7.0.4.3) - activejob (= 7.0.4.3) - activesupport (= 7.0.4.3) + actionmailer (7.0.5.1) + actionpack (= 7.0.5.1) + actionview (= 7.0.5.1) + activejob (= 7.0.5.1) + activesupport (= 7.0.5.1) mail (~> 2.5, >= 2.5.4) net-imap net-pop net-smtp rails-dom-testing (~> 2.0) - actionpack (7.0.4.3) - actionview (= 7.0.4.3) - activesupport (= 7.0.4.3) - rack (~> 2.0, >= 2.2.0) + actionpack (7.0.5.1) + actionview (= 7.0.5.1) + activesupport (= 7.0.5.1) + rack (~> 2.0, >= 2.2.4) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (7.0.4.3) - actionpack (= 7.0.4.3) - activerecord (= 7.0.4.3) - activestorage (= 7.0.4.3) - activesupport (= 7.0.4.3) + actiontext (7.0.5.1) + actionpack (= 7.0.5.1) + activerecord (= 7.0.5.1) + activestorage (= 7.0.5.1) + activesupport (= 7.0.5.1) globalid (>= 0.6.0) nokogiri (>= 1.8.5) - actionview (7.0.4.3) - activesupport (= 7.0.4.3) + actionview (7.0.5.1) + activesupport (= 7.0.5.1) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0) - activejob (7.0.4.3) - activesupport (= 7.0.4.3) + activejob (7.0.5.1) + activesupport (= 7.0.5.1) globalid (>= 0.3.6) - activemodel (7.0.4.3) - activesupport (= 7.0.4.3) - activerecord (7.0.4.3) - activemodel (= 7.0.4.3) - activesupport (= 7.0.4.3) - activestorage (7.0.4.3) - actionpack (= 7.0.4.3) - activejob (= 7.0.4.3) - activerecord (= 7.0.4.3) - activesupport (= 7.0.4.3) + activemodel (7.0.5.1) + activesupport (= 7.0.5.1) + activerecord (7.0.5.1) + activemodel (= 7.0.5.1) + activesupport (= 7.0.5.1) + activestorage (7.0.5.1) + actionpack (= 7.0.5.1) + activejob (= 7.0.5.1) + activerecord (= 7.0.5.1) + activesupport (= 7.0.5.1) marcel (~> 1.0) mini_mime (>= 1.1.0) - activesupport (7.0.4.3) + activesupport (7.0.5.1) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) @@ -150,7 +150,7 @@ GEM activesupport (>= 5.0) hashdiff (1.0.1) highline (2.1.0) - i18n (1.12.0) + i18n (1.14.1) concurrent-ruby (~> 1.0) i18n-tasks (1.0.12) activesupport (>= 4.0.2) @@ -185,9 +185,9 @@ GEM kgio (2.11.4) launchy (2.5.2) addressable (~> 2.8) - loofah (2.20.0) + loofah (2.21.3) crass (~> 1.0.2) - nokogiri (>= 1.5.9) + nokogiri (>= 1.12.0) mail (2.8.1) mini_mime (>= 0.1.1) net-imap @@ -198,8 +198,8 @@ GEM method_source (1.0.0) mini_mime (1.1.2) mini_portile2 (2.8.2) - minitest (5.18.0) - net-imap (0.3.4) + minitest (5.18.1) + net-imap (0.3.6) date net-protocol net-pop (0.1.2) @@ -221,36 +221,37 @@ GEM public_suffix (5.0.1) pundit (2.3.0) activesupport (>= 3.0.0) - racc (1.7.0) + racc (1.7.1) rack (2.2.7) rack-test (2.1.0) rack (>= 1.3) rack-timeout (0.6.3) - rails (7.0.4.3) - actioncable (= 7.0.4.3) - actionmailbox (= 7.0.4.3) - actionmailer (= 7.0.4.3) - actionpack (= 7.0.4.3) - actiontext (= 7.0.4.3) - actionview (= 7.0.4.3) - activejob (= 7.0.4.3) - activemodel (= 7.0.4.3) - activerecord (= 7.0.4.3) - activestorage (= 7.0.4.3) - activesupport (= 7.0.4.3) + rails (7.0.5.1) + actioncable (= 7.0.5.1) + actionmailbox (= 7.0.5.1) + actionmailer (= 7.0.5.1) + actionpack (= 7.0.5.1) + actiontext (= 7.0.5.1) + actionview (= 7.0.5.1) + activejob (= 7.0.5.1) + activemodel (= 7.0.5.1) + activerecord (= 7.0.5.1) + activestorage (= 7.0.5.1) + activesupport (= 7.0.5.1) bundler (>= 1.15.0) - railties (= 7.0.4.3) + railties (= 7.0.5.1) rails-dom-testing (2.0.3) activesupport (>= 4.2.0) nokogiri (>= 1.6) - rails-html-sanitizer (1.5.0) - loofah (~> 2.19, >= 2.19.1) + rails-html-sanitizer (1.6.0) + loofah (~> 2.21) + nokogiri (~> 1.14) rails-i18n (7.0.6) i18n (>= 0.7, < 2) railties (>= 6.0.0, < 8) - railties (7.0.4.3) - actionpack (= 7.0.4.3) - activesupport (= 7.0.4.3) + railties (7.0.5.1) + actionpack (= 7.0.5.1) + activesupport (= 7.0.5.1) method_source rake (>= 12.2) thor (~> 1.0) @@ -307,10 +308,10 @@ GEM sprockets (>= 3.0.0) terminal-table (3.0.2) unicode-display_width (>= 1.1.1, < 3) - thor (1.2.1) + thor (1.2.2) tilt (2.1.0) timecop (0.9.6) - timeout (0.3.2) + timeout (0.4.0) tzinfo (2.0.6) concurrent-ruby (~> 1.0) uglifier (4.2.0) @@ -335,7 +336,7 @@ GEM xpath (3.2.0) nokogiri (~> 1.8) yard (0.9.34) - zeitwerk (2.6.7) + zeitwerk (2.6.8) PLATFORMS ruby