Bump Rails and Nokogiri versions to address CVEs

Name: actionview Version: 4.2.6 Advisory: CVE-2016-6316 URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk Title: Possible XSS Vulnerability in Action View Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1 Name: activerecord Version: 4.2.6 Advisory: CVE-2016-6317 URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s Title: Unsafe Query Generation Risk in Active Record Solution: upgrade to >= 4.2.7.1 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2017-9050 URL: sparklemotion/nokogiri#1673 Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Solution: upgrade to >= 1.8.1 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2016-4658 URL: sparklemotion/nokogiri#1615 Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Solution: upgrade to >= 1.7.1 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2015-8806 URL: sparklemotion/nokogiri#1473 Title: Denial of service or RCE from libxml2 and libxslt Solution: upgrade to >= 1.6.8 Name: nokogiri Version: 1.6.7.2 Advisory: CVE-2017-5029 URL: sparklemotion/nokogiri#1634 Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Solution: upgrade to >= 1.7.2
havenwood · Dec 7, 2017 · d58cc00 · d58cc00
1 parent 6b14812
commit d58cc00
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 60 deletions.
diff --git a/connect-examples/v2/rails_payment/Gemfile b/connect-examples/v2/rails_payment/Gemfile
@@ -3,7 +3,7 @@ source 'https://rubygems.org'
 ruby "2.3.1"
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '4.2.6'
+gem 'rails', '~> 4.2.7'
 
 # Use SCSS for stylesheets
 gem 'sass-rails', '~> 5.0'

diff --git a/connect-examples/v2/rails_payment/Gemfile.lock b/connect-examples/v2/rails_payment/Gemfile.lock
@@ -1,45 +1,44 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (4.2.6)
-      actionpack (= 4.2.6)
-      actionview (= 4.2.6)
-      activejob (= 4.2.6)
+    actionmailer (4.2.10)
+      actionpack (= 4.2.10)
+      actionview (= 4.2.10)
+      activejob (= 4.2.10)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.6)
-      actionview (= 4.2.6)
-      activesupport (= 4.2.6)
+    actionpack (4.2.10)
+      actionview (= 4.2.10)
+      activesupport (= 4.2.10)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.6)
-      activesupport (= 4.2.6)
+    actionview (4.2.10)
+      activesupport (= 4.2.10)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    activejob (4.2.6)
-      activesupport (= 4.2.6)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (4.2.10)
+      activesupport (= 4.2.10)
       globalid (>= 0.3.0)
-    activemodel (4.2.6)
-      activesupport (= 4.2.6)
+    activemodel (4.2.10)
+      activesupport (= 4.2.10)
       builder (~> 3.1)
-    activerecord (4.2.6)
-      activemodel (= 4.2.6)
-      activesupport (= 4.2.6)
+    activerecord (4.2.10)
+      activemodel (= 4.2.10)
+      activesupport (= 4.2.10)
       arel (~> 6.0)
-    activesupport (4.2.6)
+    activesupport (4.2.10)
       i18n (~> 0.7)
-      json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    arel (6.0.3)
+    arel (6.0.4)
     binding_of_caller (0.7.2)
       debug_inspector (>= 0.0.1)
-    builder (3.2.2)
+    builder (3.2.3)
     byebug (8.2.2)
     coffee-rails (4.1.1)
       coffee-script (>= 2.2.0)
@@ -48,7 +47,8 @@ GEM
       coffee-script-source
       execjs
     coffee-script-source (1.10.0)
-    concurrent-ruby (1.0.1)
+    concurrent-ruby (1.0.5)
+    crass (1.0.3)
     daemons (1.2.4)
     debug_inspector (0.0.2)
     dotenv (2.1.0)
@@ -63,9 +63,10 @@ GEM
     ffi (1.9.18)
     foreman (0.84.0)
       thor (~> 0.19.1)
-    globalid (0.3.6)
-      activesupport (>= 4.1.0)
-    i18n (0.7.0)
+    globalid (0.4.1)
+      activesupport (>= 4.2.0)
+    i18n (0.9.1)
+      concurrent-ruby (~> 1.0)
     jbuilder (2.4.1)
       activesupport (>= 3.0.0, < 5.1)
       multi_json (~> 1.2)
@@ -74,10 +75,11 @@ GEM
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
     json (1.8.6)
-    loofah (2.0.3)
+    loofah (2.1.1)
+      crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.6.4)
-      mime-types (>= 1.16, < 4)
+    mail (2.7.0)
+      mini_mime (>= 0.1.1)
     mailcatcher (0.6.5)
       eventmachine (= 1.0.9.1)
       mail (~> 2.3)
@@ -86,35 +88,33 @@ GEM
       skinny (~> 0.2.3)
       sqlite3 (~> 1.3)
       thin (~> 1.5.0)
-    mime-types (3.0)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2016.0221)
-    mini_portile2 (2.0.0)
-    minitest (5.8.4)
+    mini_mime (1.0.0)
+    mini_portile2 (2.3.0)
+    minitest (5.10.3)
     multi_json (1.11.2)
-    nokogiri (1.6.7.2)
-      mini_portile2 (~> 2.0.0.rc2)
-    rack (1.6.4)
+    nokogiri (1.8.1)
+      mini_portile2 (~> 2.3.0)
+    rack (1.6.8)
     rack-protection (1.5.3)
       rack
     rack-test (0.6.3)
       rack (>= 1.0)
-    rails (4.2.6)
-      actionmailer (= 4.2.6)
-      actionpack (= 4.2.6)
-      actionview (= 4.2.6)
-      activejob (= 4.2.6)
-      activemodel (= 4.2.6)
-      activerecord (= 4.2.6)
-      activesupport (= 4.2.6)
+    rails (4.2.10)
+      actionmailer (= 4.2.10)
+      actionpack (= 4.2.10)
+      actionview (= 4.2.10)
+      activejob (= 4.2.10)
+      activemodel (= 4.2.10)
+      activerecord (= 4.2.10)
+      activesupport (= 4.2.10)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.6)
+      railties (= 4.2.10)
       sprockets-rails
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.7)
+    rails-dom-testing (1.0.8)
       activesupport (>= 4.2.0.beta, < 5.0)
-      nokogiri (~> 1.6.0)
+      nokogiri (~> 1.6)
       rails-deprecated_sanitizer (>= 1.0.1)
     rails-html-sanitizer (1.0.3)
       loofah (~> 2.0)
@@ -123,12 +123,12 @@ GEM
       rails_stdout_logging
     rails_serve_static_assets (0.0.5)
     rails_stdout_logging (0.0.5)
-    railties (4.2.6)
-      actionpack (= 4.2.6)
-      activesupport (= 4.2.6)
+    railties (4.2.10)
+      actionpack (= 4.2.10)
+      activesupport (= 4.2.10)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (11.1.1)
+    rake (12.3.0)
     rdoc (4.2.2)
       json (~> 1.4)
     sass (3.4.21)
@@ -149,10 +149,10 @@ GEM
       eventmachine (~> 1.0.0)
       thin (>= 1.5, < 1.7)
     spring (1.6.4)
-    sprockets (3.5.2)
+    sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
-    sprockets-rails (3.0.4)
+    sprockets-rails (3.2.1)
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
@@ -164,14 +164,14 @@ GEM
       daemons (>= 1.0.9)
       eventmachine (>= 0.12.6)
       rack (>= 1.0.0)
-    thor (0.19.1)
-    thread_safe (0.3.5)
+    thor (0.19.4)
+    thread_safe (0.3.6)
     tilt (2.0.2)
     turbolinks (2.5.3)
       coffee-rails
     typhoeus (1.1.2)
       ethon (>= 0.9.0)
-    tzinfo (1.2.2)
+    tzinfo (1.2.4)
       thread_safe (~> 0.1)
     uglifier (3.0.0)
       execjs (>= 0.3.0, < 3)
@@ -192,7 +192,7 @@ DEPENDENCIES
   jbuilder (~> 2.0)
   jquery-rails
   mailcatcher (~> 0.6)
-  rails (= 4.2.6)
+  rails (~> 4.2.7)
   rails_12factor
   sass-rails (~> 5.0)
   sdoc (~> 0.4.0)
@@ -206,4 +206,4 @@ RUBY VERSION
    ruby 2.3.1p112
 
 BUNDLED WITH
-   1.14.6
+   1.16.0
diff --git a/connect-examples/v2/rails_payment/README.md b/connect-examples/v2/rails_payment/README.md
@@ -4,7 +4,7 @@ The root page has the selections for the different implemetations.
 
 Ruby version: 2.3.1
 
-Rails version: 4.2.6
+Rails version: 4.2.7
 
 To get the app running: