Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update gems to fix all the CVEs #96

Merged
merged 6 commits into from
Oct 10, 2020
Merged

Update gems to fix all the CVEs #96

merged 6 commits into from
Oct 10, 2020

Commits on Oct 10, 2020

  1. Update rails based on CVE 

    Name: actionpack
Version: 5.2.1
Advisory: CVE-2020-8166
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.2.1
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-15169
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-5267
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-8167
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5418
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: activejob
Version: 5.2.1
Advisory: CVE-2018-16476
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activestorage
Version: 5.2.1
Advisory: CVE-2018-16477
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
Title: Bypass vulnerability in Active Storage
Solution: upgrade to >= 5.2.1.1

Name: activestorage
Version: 5.2.1
Advisory: CVE-2020-8162
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
Title: Circumvention of file size limits in ActiveStorage
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: activesupport
Version: 5.2.1
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1
    @AdrianCann
    AdrianCann committed Oct 10, 2020
    Configuration menu
    Copy the full SHA
    f30e3a5 View commit details
    Browse the repository at this point in the history

  2. Update jquery-rails for CVE 

    ruby-advisory-db: 472 advisories
Name: jquery-rails
Version: 4.3.3
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4
    @AdrianCann
    AdrianCann committed Oct 10, 2020
    Configuration menu
    Copy the full SHA
    ebacc73 View commit details
    Browse the repository at this point in the history

  3. Update json gem for CVE 

    Name: json
Version: 2.0.2
Advisory: CVE-2020-10663
Criticality: Unknown
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Title: json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Solution: upgrade to >= 2.3.0
    @AdrianCann
    AdrianCann committed Oct 10, 2020
    Configuration menu
    Copy the full SHA
    26f6685 View commit details
    Browse the repository at this point in the history

  4. Update puma gem 

    Name: puma
Version: 3.11.4
Advisory: CVE-2019-16770
Criticality: High
URL: GHSA-7xx3-m584-x994
Title: Keepalive thread overload/DoS in puma
Solution: upgrade to ~> 3.12.2, >= 4.3.1
    @AdrianCann
    AdrianCann committed Oct 10, 2020
    Configuration menu
    Copy the full SHA
    923cfba View commit details
    Browse the repository at this point in the history

  5. Update rubyzip gem for CVE 

    ruby-advisory-db: 472 advisories
Name: rubyzip
Version: 1.2.2
Advisory: CVE-2019-16892
Criticality: Unknown
URL: rubyzip/rubyzip#403
Title: Denial of Service in rubyzip ("zip bombs")
Solution: upgrade to >= 1.3.0
    @AdrianCann
    AdrianCann committed Oct 10, 2020
    Configuration menu
    Copy the full SHA
    1d640fc View commit details
    Browse the repository at this point in the history

  6. Update simple_form to fix CVE 

    Name: simple_form
Version: 4.0.1
Advisory: CVE-2019-16676
Criticality: Unknown
URL: GHSA-r74q-gxcg-73hx
Title: simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Solution: upgrade to >= 5.0
    @AdrianCann
    AdrianCann committed Oct 10, 2020
    Configuration menu
    Copy the full SHA
    8c7e733 View commit details
    Browse the repository at this point in the history