From 5a5c6341553a7b27f7d4a24fa3af29e0019f004c Mon Sep 17 00:00:00 2001
From: "David A. Wheeler"
Date: Wed, 9 Mar 2022 16:20:31 -0500
Subject: [PATCH] Bump Rails to 6.1.4.7

Bump version of Rails to 6.1.4.7. In particular this updates for vulnerability CVE-2022-21831, GHSA ID GHSA-w749-p3v6-hccq, a high-severity vulnerability of weakness class CWE-94. It's not clear the site is directly exploitable with it, but our policy is to simply update instead of wasting time doing a deep analysis to figure out if it's exploitable in our case.

Signed-off-by: David A. Wheeler
---
 Gemfile | 20 ++++-----
 Gemfile.lock | 124 +++++++++++++++++++++++++--------------------------
 2 files changed, 72 insertions(+), 72 deletions(-)

diff --git a/Gemfile b/Gemfile
index d9b8acfcd..38c5b3168 100644
--- a/Gemfile
+++ b/Gemfile
@@ -15,14 +15,14 @@ ruby File.read('.ruby-version').strip
 # sure to upgrade them in sync, *including* railties.
 # Loading only what we use reduces memory use & attack surface.
 # gem 'actioncable' # Not used. Client/server comm channel.
-gem 'actionmailer', '6.1.4.6' # Rails. Send email.
-gem 'actionpack', '6.1.4.6' # Rails. MVC framework.
-gem 'actionview', '6.1.4.6' # Rails. View.
-gem 'activejob', '6.1.4.6' # Rails. Async jobs.
-gem 'activemodel', '6.1.4.6' # Rails. Model basics.
-gem 'activerecord', '6.1.4.6' # Rails. ORM and query system.
+gem 'actionmailer', '6.1.4.7' # Rails. Send email.
+gem 'actionpack', '6.1.4.7' # Rails. MVC framework.
+gem 'actionview', '6.1.4.7' # Rails. View.
+gem 'activejob', '6.1.4.7' # Rails. Async jobs.
+gem 'activemodel', '6.1.4.7' # Rails. Model basics.
+gem 'activerecord', '6.1.4.7' # Rails. ORM and query system.
 # gem 'activestorage' # Not used. Attaches cloud files to ActiveRecord.
-gem 'activesupport', '6.1.4.6' # Rails. Underlying library.
+gem 'activesupport', '6.1.4.7' # Rails. Underlying library.
 # gem 'activetext' # Not used. Text editor that fails to support markdown.
 gem 'attr_encrypted', '3.1.0' # Encrypt email addresses
 gem 'bcrypt', '3.1.16' # Security - for salted hashed interated passwords
@@ -74,11 +74,11 @@ gem 'puma_worker_killer', '0.3.1' # Band-aid: Restart to limit memory use
 gem 'rack-attack', '6.5.0' # Implement rate limiting
 gem 'rack-cors', '1.1.1' # Enable CORS so JavaScript clients can get JSON
 gem 'rack-headers_filter', '0.0.1' # Filter out "dangerous" headers
-# We no longer say: gem 'rails', '6.1.4.6' # Our web framework
+# We no longer say: gem 'rails', '6.1.4.7' # Our web framework
 # but instead load only what we use (to reduce memory use and attack surface).
 # We load sprockets-rails, but its version number isn't kept in sync.
 # Note: Update the gem versions of action* and railties in sync.
-gem 'railties', '6.1.4.6' # Rails. Rails core, loads rest of Rails
+gem 'railties', '6.1.4.7' # Rails. Rails core, loads rest of Rails
 gem 'rails-i18n', '6.0.0' # Localizations for Rails built-ins
 gem 'redcarpet', '3.5.1' # Process markdown in form textareas (justifications)
 gem 'sass-rails', '5.1.0', require: false # For .scss files (CSS extension)
@@ -134,7 +134,7 @@ group :development do
   # We bring in full rails in development in case we need it for debugging;
   # this also keeps some gems happy that don't realize that loading
   # only *parts* of Rails is fine:
-  gem 'rails', '6.1.4.6' # Rails (our web framework)
+  gem 'rails', '6.1.4.7' # Rails (our web framework)
   gem 'translation', '1.23' # translation.io - translation service
   gem 'web-console', '4.2.0' # In-browser debugger; use <% console %> or console
 end
diff --git a/Gemfile.lock b/Gemfile.lock
index 58d7ba23f..c13542fe8 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,60 +1,60 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actioncable (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      activejob (= 6.1.4.6)
-      activerecord (= 6.1.4.6)
-      activestorage (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actionmailbox (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      activejob (= 6.1.4.7)
+      activerecord (= 6.1.4.7)
+      activestorage (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       mail (>= 2.7.1)
-    actionmailer (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      actionview (= 6.1.4.6)
-      activejob (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actionmailer (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      actionview (= 6.1.4.7)
+      activejob (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.1.4.6)
-      actionview (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actionpack (6.1.4.7)
+      actionview (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      activerecord (= 6.1.4.6)
-      activestorage (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actiontext (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      activerecord (= 6.1.4.7)
+      activestorage (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       nokogiri (>= 1.8.5)
-    actionview (6.1.4.6)
-      activesupport (= 6.1.4.6)
+    actionview (6.1.4.7)
+      activesupport (= 6.1.4.7)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.1.4.6)
-      activesupport (= 6.1.4.6)
+    activejob (6.1.4.7)
+      activesupport (= 6.1.4.7)
       globalid (>= 0.3.6)
-    activemodel (6.1.4.6)
-      activesupport (= 6.1.4.6)
-    activerecord (6.1.4.6)
-      activemodel (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
-    activestorage (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      activejob (= 6.1.4.6)
-      activerecord (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    activemodel (6.1.4.7)
+      activesupport (= 6.1.4.7)
+    activerecord (6.1.4.7)
+      activemodel (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
+    activestorage (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      activejob (= 6.1.4.7)
+      activerecord (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       marcel (~> 1.0.0)
       mini_mime (>= 1.1.0)
-    activesupport (6.1.4.6)
+    activesupport (6.1.4.7)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
@@ -313,20 +313,20 @@ GEM
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rack-timeout (0.6.0)
-    rails (6.1.4.6)
-      actioncable (= 6.1.4.6)
-      actionmailbox (= 6.1.4.6)
-      actionmailer (= 6.1.4.6)
-      actionpack (= 6.1.4.6)
-      actiontext (= 6.1.4.6)
-      actionview (= 6.1.4.6)
-      activejob (= 6.1.4.6)
-      activemodel (= 6.1.4.6)
-      activerecord (= 6.1.4.6)
-      activestorage (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    rails (6.1.4.7)
+      actioncable (= 6.1.4.7)
+      actionmailbox (= 6.1.4.7)
+      actionmailer (= 6.1.4.7)
+      actionpack (= 6.1.4.7)
+      actiontext (= 6.1.4.7)
+      actionview (= 6.1.4.7)
+      activejob (= 6.1.4.7)
+      activemodel (= 6.1.4.7)
+      activerecord (= 6.1.4.7)
+      activestorage (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       bundler (>= 1.15.0)
-      railties (= 6.1.4.6)
+      railties (= 6.1.4.7)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
@@ -353,9 +353,9 @@ GEM
       ruby-progressbar
     rails_serve_static_assets (0.0.5)
     rails_stdout_logging (0.0.5)
-    railties (6.1.4.6)
-      actionpack (= 6.1.4.6)
-      activesupport (= 6.1.4.6)
+    railties (6.1.4.7)
+      actionpack (= 6.1.4.7)
+      activesupport (= 6.1.4.7)
       method_source
       rake (>= 0.13)
       thor (~> 1.0)
@@ -474,13 +474,13 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  actionmailer (= 6.1.4.6)
-  actionpack (= 6.1.4.6)
-  actionview (= 6.1.4.6)
-  activejob (= 6.1.4.6)
-  activemodel (= 6.1.4.6)
-  activerecord (= 6.1.4.6)
-  activesupport (= 6.1.4.6)
+  actionmailer (= 6.1.4.7)
+  actionpack (= 6.1.4.7)
+  actionview (= 6.1.4.7)
+  activejob (= 6.1.4.7)
+  activemodel (= 6.1.4.7)
+  activerecord (= 6.1.4.7)
+  activesupport (= 6.1.4.7)
   attr_encrypted (= 3.1.0)
   awesome_print (= 1.9.2)
   bcrypt (= 3.1.16)
@@ -530,11 +530,11 @@ DEPENDENCIES
   rack-cors (= 1.1.1)
   rack-headers_filter (= 0.0.1)
   rack-timeout (= 0.6.0)
-  rails (= 6.1.4.6)
+  rails (= 6.1.4.7)
   rails-controller-testing (= 1.0.5)
   rails-i18n (= 6.0.0)
   rails_12factor (= 0.0.3)
-  railties (= 6.1.4.6)
+  railties (= 6.1.4.7)
   redcarpet (= 3.5.1)
   rubocop (= 1.0.0)
   rubocop-performance (= 1.10.2)