Bump Rails to 6.1.4.7
Bump version of Rails to 6.1.4.7.
In particular this updates for vulnerability
CVE-2022-21831, GHSA ID GHSA-w749-p3v6-hccq,
a high-severity vulnerability of weakness class CWE-94.
It's not clear the site is directly exploitable with it,
but our policy is to simply update instead of wasting time
doing a deep analysis to figure out if it's exploitable in our case.

Signed-off-by: David A. Wheeler <[email protected]>
david-a-wheeler committed Mar 9, 2022
1 parent be06a5a commit 5a5c634
Showing 2 changed files with 72 additions and 72 deletions.
20 changes: 10 additions & 10 deletions Gemfile
@@ -15,14 +15,14 @@ ruby File.read('.ruby-version').strip
# sure to upgrade them in sync, *including* railties.
# Loading only what we use reduces memory use & attack surface.
# gem 'actioncable' # Not used. Client/server comm channel.
gem 'actionmailer', '6.1.4.6' # Rails. Send email.
gem 'actionpack', '6.1.4.6' # Rails. MVC framework.
gem 'actionview', '6.1.4.6' # Rails. View.
gem 'activejob', '6.1.4.6' # Rails. Async jobs.
gem 'activemodel', '6.1.4.6' # Rails. Model basics.
gem 'activerecord', '6.1.4.6' # Rails. ORM and query system.
gem 'actionmailer', '6.1.4.7' # Rails. Send email.
gem 'actionpack', '6.1.4.7' # Rails. MVC framework.
gem 'actionview', '6.1.4.7' # Rails. View.
gem 'activejob', '6.1.4.7' # Rails. Async jobs.
gem 'activemodel', '6.1.4.7' # Rails. Model basics.
gem 'activerecord', '6.1.4.7' # Rails. ORM and query system.
# gem 'activestorage' # Not used. Attaches cloud files to ActiveRecord.
gem 'activesupport', '6.1.4.6' # Rails. Underlying library.
gem 'activesupport', '6.1.4.7' # Rails. Underlying library.
# gem 'activetext' # Not used. Text editor that fails to support markdown.
gem 'attr_encrypted', '3.1.0' # Encrypt email addresses
gem 'bcrypt', '3.1.16' # Security - for salted hashed interated passwords
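Review bot: the unchanged bcrypt context line at the end of this hunk carries a typo ("interated" for "iterated") that is worth fixing in a follow-up commit; the change itself moves all seven pinned Rails components (actionmailer, actionpack, actionview, activejob, activemodel, activerecord, activesupport) from 6.1.4.6 to 6.1.4.7 in one step, which is what the comment at the top of the hunk ("upgrade them in sync, *including* railties") requires.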
@@ -74,11 +74,11 @@ gem 'puma_worker_killer', '0.3.1' # Band-aid: Restart to limit memory use
gem 'rack-attack', '6.5.0' # Implement rate limiting
gem 'rack-cors', '1.1.1' # Enable CORS so JavaScript clients can get JSON
gem 'rack-headers_filter', '0.0.1' # Filter out "dangerous" headers
# We no longer say: gem 'rails', '6.1.4.6' # Our web framework
# We no longer say: gem 'rails', '6.1.4.7' # Our web framework
# but instead load only what we use (to reduce memory use and attack surface).
# We load sprockets-rails, but its version number isn't kept in sync.
# Note: Update the gem versions of action* and railties in sync.
gem 'railties', '6.1.4.6' # Rails. Rails core, loads rest of Rails
gem 'railties', '6.1.4.7' # Rails. Rails core, loads rest of Rails
gem 'rails-i18n', '6.0.0' # Localizations for Rails built-ins
gem 'redcarpet', '3.5.1' # Process markdown in form textareas (justifications)
gem 'sass-rails', '5.1.0', require: false # For .scss files (CSS extension)
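Review bot: the version string inside the commented-out `# We no longer say: gem 'rails', '6.1.4.7'` line is documentation that has to be hand-maintained on every bump and will silently drift the first time it is forgotten; dropping the version from that comment (or wording it as "the version pinned on railties below") removes one place to miss. The railties pin moving to 6.1.4.7 alongside the action* gems in the previous hunk matches the "Update the gem versions of action* and railties in sync" note in this same hunk.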
@@ -134,7 +134,7 @@ group :development do
# We bring in full rails in development in case we need it for debugging;
# this also keeps some gems happy that don't realize that loading
# only *parts* of Rails is fine:
gem 'rails', '6.1.4.6' # Rails (our web framework)
gem 'rails', '6.1.4.7' # Rails (our web framework)
gem 'translation', '1.23' # translation.io - translation service
gem 'web-console', '4.2.0' # In-browser debugger; use <% console %> or console
end
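Review bot: the development-group `gem 'rails'` pin must move to 6.1.4.7 together with the production pins, as it does here; the full `rails` gem depends on every component at an exact version (see the `rails (6.1.4.7)` block in Gemfile.lock), so leaving this line at 6.1.4.6 would give Bundler conflicting activesupport constraints and fail resolution rather than quietly loading a mixed set.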
124 changes: 62 additions & 62 deletions Gemfile.lock
@@ -1,60 +1,60 @@
GEM
remote: https://rubygems.org/
specs:
actioncable (6.1.4.6)
actionpack (= 6.1.4.6)
activesupport (= 6.1.4.6)
actioncable (6.1.4.7)
actionpack (= 6.1.4.7)
activesupport (= 6.1.4.7)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
actionmailbox (6.1.4.6)
actionpack (= 6.1.4.6)
activejob (= 6.1.4.6)
activerecord (= 6.1.4.6)
activestorage (= 6.1.4.6)
activesupport (= 6.1.4.6)
actionmailbox (6.1.4.7)
actionpack (= 6.1.4.7)
activejob (= 6.1.4.7)
activerecord (= 6.1.4.7)
activestorage (= 6.1.4.7)
activesupport (= 6.1.4.7)
mail (>= 2.7.1)
actionmailer (6.1.4.6)
actionpack (= 6.1.4.6)
actionview (= 6.1.4.6)
activejob (= 6.1.4.6)
activesupport (= 6.1.4.6)
actionmailer (6.1.4.7)
actionpack (= 6.1.4.7)
actionview (= 6.1.4.7)
activejob (= 6.1.4.7)
activesupport (= 6.1.4.7)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
actionpack (6.1.4.6)
actionview (= 6.1.4.6)
activesupport (= 6.1.4.6)
actionpack (6.1.4.7)
actionview (= 6.1.4.7)
activesupport (= 6.1.4.7)
rack (~> 2.0, >= 2.0.9)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0)
actiontext (6.1.4.6)
actionpack (= 6.1.4.6)
activerecord (= 6.1.4.6)
activestorage (= 6.1.4.6)
activesupport (= 6.1.4.6)
actiontext (6.1.4.7)
actionpack (= 6.1.4.7)
activerecord (= 6.1.4.7)
activestorage (= 6.1.4.7)
activesupport (= 6.1.4.7)
nokogiri (>= 1.8.5)
actionview (6.1.4.6)
activesupport (= 6.1.4.6)
actionview (6.1.4.7)
activesupport (= 6.1.4.7)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.1, >= 1.2.0)
activejob (6.1.4.6)
activesupport (= 6.1.4.6)
activejob (6.1.4.7)
activesupport (= 6.1.4.7)
globalid (>= 0.3.6)
activemodel (6.1.4.6)
activesupport (= 6.1.4.6)
activerecord (6.1.4.6)
activemodel (= 6.1.4.6)
activesupport (= 6.1.4.6)
activestorage (6.1.4.6)
actionpack (= 6.1.4.6)
activejob (= 6.1.4.6)
activerecord (= 6.1.4.6)
activesupport (= 6.1.4.6)
activemodel (6.1.4.7)
activesupport (= 6.1.4.7)
activerecord (6.1.4.7)
activemodel (= 6.1.4.7)
activesupport (= 6.1.4.7)
activestorage (6.1.4.7)
actionpack (= 6.1.4.7)
activejob (= 6.1.4.7)
activerecord (= 6.1.4.7)
activesupport (= 6.1.4.7)
marcel (~> 1.0.0)
mini_mime (>= 1.1.0)
activesupport (6.1.4.6)
activesupport (6.1.4.7)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 1.6, < 2)
minitest (>= 5.1)
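Review bot: actioncable, actionmailbox, actiontext and activestorage all move to 6.1.4.7 in the lock even though the Gemfile comments them out as "Not used"; that is expected rather than a mistake, because the development-group `rails` gem depends on each of them at the exact version (see the `rails (6.1.4.7)` block further down), so the lock has to resolve them. They are resolved but not required outside the development group, so the "reduce memory use & attack surface" intent in the Gemfile comment still holds for the production bundle.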
@@ -313,20 +313,20 @@ GEM
rack-test (1.1.0)
rack (>= 1.0, < 3)
rack-timeout (0.6.0)
rails (6.1.4.6)
actioncable (= 6.1.4.6)
actionmailbox (= 6.1.4.6)
actionmailer (= 6.1.4.6)
actionpack (= 6.1.4.6)
actiontext (= 6.1.4.6)
actionview (= 6.1.4.6)
activejob (= 6.1.4.6)
activemodel (= 6.1.4.6)
activerecord (= 6.1.4.6)
activestorage (= 6.1.4.6)
activesupport (= 6.1.4.6)
rails (6.1.4.7)
actioncable (= 6.1.4.7)
actionmailbox (= 6.1.4.7)
actionmailer (= 6.1.4.7)
actionpack (= 6.1.4.7)
actiontext (= 6.1.4.7)
actionview (= 6.1.4.7)
activejob (= 6.1.4.7)
activemodel (= 6.1.4.7)
activerecord (= 6.1.4.7)
activestorage (= 6.1.4.7)
activesupport (= 6.1.4.7)
bundler (>= 1.15.0)
railties (= 6.1.4.6)
railties (= 6.1.4.7)
sprockets-rails (>= 2.0.0)
rails-controller-testing (1.0.5)
actionpack (>= 5.0.1.rc1)
@@ -353,9 +353,9 @@ GEM
ruby-progressbar
rails_serve_static_assets (0.0.5)
rails_stdout_logging (0.0.5)
railties (6.1.4.6)
actionpack (= 6.1.4.6)
activesupport (= 6.1.4.6)
railties (6.1.4.7)
actionpack (= 6.1.4.7)
activesupport (= 6.1.4.7)
method_source
rake (>= 0.13)
thor (~> 1.0)
@@ -474,13 +474,13 @@ PLATFORMS
ruby

DEPENDENCIES
actionmailer (= 6.1.4.6)
actionpack (= 6.1.4.6)
actionview (= 6.1.4.6)
activejob (= 6.1.4.6)
activemodel (= 6.1.4.6)
activerecord (= 6.1.4.6)
activesupport (= 6.1.4.6)
actionmailer (= 6.1.4.7)
actionpack (= 6.1.4.7)
actionview (= 6.1.4.7)
activejob (= 6.1.4.7)
activemodel (= 6.1.4.7)
activerecord (= 6.1.4.7)
activesupport (= 6.1.4.7)
attr_encrypted (= 3.1.0)
awesome_print (= 1.9.2)
bcrypt (= 3.1.16)
@@ -530,11 +530,11 @@ DEPENDENCIES
rack-cors (= 1.1.1)
rack-headers_filter (= 0.0.1)
rack-timeout (= 0.6.0)
rails (= 6.1.4.6)
rails (= 6.1.4.7)
rails-controller-testing (= 1.0.5)
rails-i18n (= 6.0.0)
rails_12factor (= 0.0.3)
railties (= 6.1.4.6)
railties (= 6.1.4.7)
redcarpet (= 3.5.1)
rubocop (= 1.0.0)
rubocop-performance (= 1.10.2)
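Review bot: the DEPENDENCIES block (this hunk and the one above it) is Bundler-generated from the Gemfile pins, so it should come from running `bundle install` after editing the Gemfile rather than from a hand edit of the lock; the fact that the lock diff is an exact 62-for-62 line swap of every `6.1.4.6` for `6.1.4.7`, with no other dependency drifting, is consistent with a regenerated lock and is the check a reviewer wants to see on a security bump.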