Skip to content

Commit

Permalink
Update Rails to fix security vulnerabilities
Browse files Browse the repository at this point in the history 
## Problem

`bundle-audit` reported some vulnerabilities:

```
ruby-advisory-db: 273 advisories
Name: actionpack
Version: 4.2.5
Advisory: CVE-2015-7576
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Title: Timing attack vulnerability in basic authentication in Action Controller.
Solution: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: actionpack
Version: 4.2.5
Advisory: CVE-2015-7581
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
Title: Object leak vulnerability for wildcard controller routes in Action Pack
Solution: upgrade to >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Name: actionpack
Version: 4.2.5
Advisory: CVE-2016-0751
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Title: Possible Object Leak and Denial of Service attack in Action Pack
Solution: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: actionpack
Version: 4.2.5
Advisory: CVE-2016-2098
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Title: Possible remote code execution vulnerability in Action Pack
Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14

Name: actionview
Version: 4.2.5
Advisory: CVE-2016-0752
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Title: Possible Information Leak Vulnerability in Action View
Solution: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: actionview
Version: 4.2.5
Advisory: CVE-2016-6316
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Title: Possible XSS Vulnerability in Action View
Solution: upgrade to ~> 3.2.22.3, ~> 4.2.7.1, >= 5.0.0.1

Name: activemodel
Version: 4.2.5
Advisory: CVE-2016-0753
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
Title: Possible Input Validation Circumvention in Active Model
Solution: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Name: activerecord
Version: 4.2.5
Advisory: CVE-2015-7577
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Title: Nested attributes rejection proc bypass in Active Record
Solution: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: activerecord
Version: 4.2.5
Advisory: CVE-2016-6317
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
Title: Unsafe Query Generation Risk in Active Record
Solution: upgrade to ~> 4.2.7.1

Name: nokogiri
Version: 1.6.7
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1

Name: nokogiri
Version: 1.6.7
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Solution: upgrade to >= 1.6.7.2

Name: nokogiri
Version: 1.6.7
Advisory: CVE-2015-8806
Criticality: Unknown
URL: sparklemotion/nokogiri#1473
Title: Denial of service or RCE from libxml2 and libxslt
Solution: upgrade to >= 1.6.8

Name: rails-html-sanitizer
Version: 1.0.2
Advisory: CVE-2015-7578
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI
Title: Possible XSS vulnerability in rails-html-sanitizer
Solution: upgrade to ~> 1.0.3

Name: rails-html-sanitizer
Version: 1.0.2
Advisory: CVE-2015-7580
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI
Title: Possible XSS vulnerability in rails-html-sanitizer
Solution: upgrade to ~> 1.0.3

Vulnerabilities found!
```

## Solution

Update Rails to version 5, along with associated gems.
  • Loading branch information
@c-lliope
c-lliope committed Sep 5, 2016
1 parent 0aef434 commit fc633ce
Show file tree
Hide file tree
Showing 2 changed files with 166 additions and 160 deletions.
5 changes: 2 additions & 3 deletions Gemfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ gem "normalize-rails", "~> 3.0.0"
gem "pg"
gem "puma"
gem "rack-canonical-host"
gem "rails", "~> 4.2.0"
gem "rails", "~> 5.0"
gem "recipient_interceptor"
gem "rubyzip"
gem "sass-rails", "~> 5.0"
Expand All @@ -26,7 +26,6 @@ gem "title"
gem "uglifier"

group :development do
gem "quiet_assets"
gem "refills"
gem "spring"
gem "spring-commands-rspec"
Expand All @@ -42,7 +41,7 @@ group :development, :test do
gem "factory_girl_rails"
gem "i18n-tasks"
gem "pry-rails"
gem "rspec-rails", "~> 3.3.0"
gem "rspec-rails", "~> 3.5"
end

group :test do
Expand Down
Loading

0 comments on commit fc633ce

Please sign in to comment.