update dependencies for multiple CVEs

$ bundle exec bundle-audit check Name: actionview Version: 5.2.1 Advisory: CVE-2019-5419 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11 Name: actionview Version: 5.2.1 Advisory: CVE-2019-5418 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3 Name: activejob Version: 5.2.1 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activestorage Version: 5.2.1 Advisory: CVE-2018-16477 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg Title: Bypass vulnerability in Active Storage Solution: upgrade to >= 5.2.1.1 Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: railties Version: 5.2.1 Advisory: CVE-2019-5420 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw Title: Possible Remote Code Execution Exploit in Rails Development Mode Solution: upgrade to >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3 Vulnerabilities found!
alexdean · Jun 25, 2019 · dc656df · dc656df
1 parent 365c54b
commit dc656df
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 59 deletions.
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-2.5.0
+2.5.5
diff --git a/Gemfile b/Gemfile
@@ -1,11 +1,11 @@
 source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
-ruby '2.5.0'
+ruby '2.5.5'
 
 gem 'jquery-rails'
 gem 'puma', '~> 3.11'
-gem 'rails', '~> 5.2.1'
+gem 'rails', '~> 5.2.0'
 gem 'redis'
 gem 'sass-rails', '~> 5.0'
 gem 'uglifier', '>= 1.3.0'
@@ -14,6 +14,7 @@ gem 'webpacker'
 
 group :development, :test do
   gem 'byebug'
+  gem 'bundler-audit'
 end
 
 group :development do

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,59 +1,62 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.2.1)
-      actionpack (= 5.2.1)
+    actioncable (5.2.3)
+      actionpack (= 5.2.3)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.1)
-      actionpack (= 5.2.1)
-      actionview (= 5.2.1)
-      activejob (= 5.2.1)
+    actionmailer (5.2.3)
+      actionpack (= 5.2.3)
+      actionview (= 5.2.3)
+      activejob (= 5.2.3)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.1)
-      actionview (= 5.2.1)
-      activesupport (= 5.2.1)
+    actionpack (5.2.3)
+      actionview (= 5.2.3)
+      activesupport (= 5.2.3)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.1)
-      activesupport (= 5.2.1)
+    actionview (5.2.3)
+      activesupport (= 5.2.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.1)
-      activesupport (= 5.2.1)
+    activejob (5.2.3)
+      activesupport (= 5.2.3)
       globalid (>= 0.3.6)
-    activemodel (5.2.1)
-      activesupport (= 5.2.1)
-    activerecord (5.2.1)
-      activemodel (= 5.2.1)
-      activesupport (= 5.2.1)
+    activemodel (5.2.3)
+      activesupport (= 5.2.3)
+    activerecord (5.2.3)
+      activemodel (= 5.2.3)
+      activesupport (= 5.2.3)
       arel (>= 9.0)
-    activestorage (5.2.1)
-      actionpack (= 5.2.1)
-      activerecord (= 5.2.1)
+    activestorage (5.2.3)
+      actionpack (= 5.2.3)
+      activerecord (= 5.2.3)
       marcel (~> 0.3.1)
-    activesupport (5.2.1)
+    activesupport (5.2.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
     builder (3.2.3)
+    bundler-audit (0.6.1)
+      bundler (>= 1.2.0, < 3)
+      thor (~> 0.18)
     byebug (10.0.2)
     coderay (1.1.2)
-    concurrent-ruby (1.0.5)
+    concurrent-ruby (1.1.5)
     crass (1.0.4)
     diff-lcs (1.3)
-    erubi (1.7.1)
+    erubi (1.8.0)
     execjs (2.7.0)
     ffi (1.9.25)
     formatador (0.2.5)
-    globalid (0.4.1)
+    globalid (0.4.2)
       activesupport (>= 4.2.0)
     guard (2.14.2)
       formatador (>= 0.2.4)
@@ -68,7 +71,7 @@ GEM
     guard-rails (0.8.1)
       guard (~> 2.11)
       guard-compat (~> 1.0)
-    i18n (1.1.0)
+    i18n (1.6.0)
       concurrent-ruby (~> 1.0)
     jquery-rails (4.3.3)
       rails-dom-testing (>= 1, < 3)
@@ -78,62 +81,62 @@ GEM
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
       ruby_dep (~> 1.2)
-    loofah (2.2.2)
+    loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     lumberjack (1.0.13)
     macaddr (1.7.1)
       systemu (~> 2.6.2)
-    mail (2.7.0)
+    mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (0.3.2)
+    marcel (0.3.3)
       mimemagic (~> 0.3.2)
-    method_source (0.9.0)
-    mimemagic (0.3.2)
+    method_source (0.9.2)
+    mimemagic (0.3.3)
     mini_mime (1.0.1)
-    mini_portile2 (2.3.0)
+    mini_portile2 (2.4.0)
     minitest (5.11.3)
     nenv (0.3.0)
     nio4r (2.3.1)
-    nokogiri (1.8.4)
-      mini_portile2 (~> 2.3.0)
+    nokogiri (1.10.3)
+      mini_portile2 (~> 2.4.0)
     notiffany (0.1.1)
       nenv (~> 0.1)
       shellany (~> 0.0)
     pry (0.11.3)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
     puma (3.12.0)
-    rack (2.0.5)
+    rack (2.0.7)
     rack-proxy (0.6.4)
       rack
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (5.2.1)
-      actioncable (= 5.2.1)
-      actionmailer (= 5.2.1)
-      actionpack (= 5.2.1)
-      actionview (= 5.2.1)
-      activejob (= 5.2.1)
-      activemodel (= 5.2.1)
-      activerecord (= 5.2.1)
-      activestorage (= 5.2.1)
-      activesupport (= 5.2.1)
+    rails (5.2.3)
+      actioncable (= 5.2.3)
+      actionmailer (= 5.2.3)
+      actionpack (= 5.2.3)
+      actionview (= 5.2.3)
+      activejob (= 5.2.3)
+      activemodel (= 5.2.3)
+      activerecord (= 5.2.3)
+      activestorage (= 5.2.3)
+      activesupport (= 5.2.3)
       bundler (>= 1.3.0)
-      railties (= 5.2.1)
+      railties (= 5.2.3)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
-    railties (5.2.1)
-      actionpack (= 5.2.1)
-      activesupport (= 5.2.1)
+    railties (5.2.3)
+      actionpack (= 5.2.3)
+      activesupport (= 5.2.3)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.19.0, < 2.0)
-    rake (12.3.1)
+    rake (12.3.2)
     rb-fsevent (0.10.3)
     rb-inotify (0.9.10)
       ffi (>= 0.5.0, < 2)
@@ -180,7 +183,7 @@ GEM
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     systemu (2.6.5)
-    thor (0.20.0)
+    thor (0.20.3)
     thread_safe (0.3.6)
     tilt (2.0.8)
     tzinfo (1.2.5)
@@ -193,20 +196,21 @@ GEM
       activesupport (>= 4.2)
       rack-proxy (>= 0.6.1)
       railties (>= 4.2)
-    websocket-driver (0.7.0)
+    websocket-driver (0.7.1)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.3)
+    websocket-extensions (0.1.4)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
+  bundler-audit
   byebug
   guard
   guard-rails
   jquery-rails
   puma (~> 3.11)
-  rails (~> 5.2.1)
+  rails (~> 5.2.0)
   redis
   rspec
   rspec-rails
@@ -216,7 +220,7 @@ DEPENDENCIES
   webpacker
 
 RUBY VERSION
-   ruby 2.5.0p0
+   ruby 2.5.5p157
 
 BUNDLED WITH
-   1.16.1
+   1.17.3