From 2b622c7e6a48738fe188d06744b8f8996c8da687 Mon Sep 17 00:00:00 2001
From: Rob Brackett
Date: Wed, 13 Mar 2019 15:13:36 -0700
Subject: [PATCH] Security: Upgrade Rails to 5.2.2.1 (#504)
This fixes several vulnerabilities:
- CVE-2019-5418 File Content Disclosure in Action View
- CVE-2019-5419 Denial of Service Vulnerability in Action View
- CVE-2019-5420 Possible Remote Code Execution Exploit in Rails Development Mode
For more info, see the release notes: https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
---
 Gemfile | 2 +-
 Gemfile.lock | 103 ++++++++++++++++++++++++++-------------------------
 2 files changed, 53 insertions(+), 52 deletions(-)
diff --git a/Gemfile b/Gemfile
index 3d43fac2..47144392 100644
--- a/Gemfile
+++ b/Gemfile
@@ -11,7 +11,7 @@ gem 'aws-sdk-s3', '~> 1.30'
 gem 'devise'
 gem 'httparty'
 gem 'jwt', '~> 2.1'
-gem 'rails', '~> 5.2.2'
+gem 'rails', '~> 5.2.2.1'
 gem 'pg', '~> 1.1'
 gem 'puma', '~> 3.12'
 gem 'rack-cors', :require => 'rack/cors'
diff --git a/Gemfile.lock b/Gemfile.lock
index 6ae7d12b..1117dad0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
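Review bot: The new constraint `gem 'rails', '~> 5.2.2.1'` is stricter than the one it replaces: the pessimistic operator applied to a four-segment version resolves to `>= 5.2.2.1, < 5.2.3`, whereas `~> 5.2.2` permitted anything below 5.3. As written, `bundle update rails` will refuse the next 5.2.x release, including any future security patch in the 5.2 series, until someone edits the Gemfile again, which works against the intent of a security upgrade. To require the patched version while keeping the 5.2 series open, use a compound constraint: `gem 'rails', '~> 5.2.2', '>= 5.2.2.1'`. The matching `rails (~> 5.2.2.1)` entry under DEPENDENCIES in Gemfile.lock would then be regenerated by bundler rather than edited by hand.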
@@ -1,43 +1,43 @@
 GEM
 remote: https://rubygems.org/
 specs:
- actioncable (5.2.2)
- actionpack (= 5.2.2)
+ actioncable (5.2.2.1)
+ actionpack (= 5.2.2.1)
 nio4r (~> 2.0)
 websocket-driver (>= 0.6.1)
- actionmailer (5.2.2)
- actionpack (= 5.2.2)
- actionview (= 5.2.2)
- activejob (= 5.2.2)
+ actionmailer (5.2.2.1)
+ actionpack (= 5.2.2.1)
+ actionview (= 5.2.2.1)
+ activejob (= 5.2.2.1)
 mail (~> 2.5, >= 2.5.4)
 rails-dom-testing (~> 2.0)
- actionpack (5.2.2)
- actionview (= 5.2.2)
- activesupport (= 5.2.2)
+ actionpack (5.2.2.1)
+ actionview (= 5.2.2.1)
+ activesupport (= 5.2.2.1)
 rack (~> 2.0)
 rack-test (>= 0.6.3)
 rails-dom-testing (~> 2.0)
 rails-html-sanitizer (~> 1.0, >= 1.0.2)
- actionview (5.2.2)
- activesupport (= 5.2.2)
+ actionview (5.2.2.1)
+ activesupport (= 5.2.2.1)
 builder (~> 3.1)
 erubi (~> 1.4)
 rails-dom-testing (~> 2.0)
 rails-html-sanitizer (~> 1.0, >= 1.0.3)
- activejob (5.2.2)
- activesupport (= 5.2.2)
+ activejob (5.2.2.1)
+ activesupport (= 5.2.2.1)
 globalid (>= 0.3.6)
- activemodel (5.2.2)
- activesupport (= 5.2.2)
- activerecord (5.2.2)
- activemodel (= 5.2.2)
- activesupport (= 5.2.2)
+ activemodel (5.2.2.1)
+ activesupport (= 5.2.2.1)
+ activerecord (5.2.2.1)
+ activemodel (= 5.2.2.1)
+ activesupport (= 5.2.2.1)
 arel (>= 9.0)
- activestorage (5.2.2)
- actionpack (= 5.2.2)
- activerecord (= 5.2.2)
+ activestorage (5.2.2.1)
+ actionpack (= 5.2.2.1)
+ activerecord (= 5.2.2.1)
 marcel (~> 0.3.1)
- activesupport (5.2.2)
+ activesupport (5.2.2.1)
 concurrent-ruby (~> 1.0, >= 1.0.2)
 i18n (>= 0.7, < 2)
 minitest (~> 5.1)
@@ -46,9 +46,9 @@ GEM
 public_suffix (>= 2.0.2, < 4.0)
 arel (9.0.0)
 ast (2.4.0)
- aws-eventstream (1.0.1)
- aws-partitions (1.136.0)
- aws-sdk-core (3.46.0)
+ aws-eventstream (1.0.2)
+ aws-partitions (1.144.0)
+ aws-sdk-core (3.46.2)
 aws-eventstream (~> 1.0)
 aws-partitions (~> 1.0)
 aws-sigv4 (~> 1.0)
@@ -56,11 +56,12 @@ GEM
 aws-sdk-kms (1.13.0)
 aws-sdk-core (~> 3, >= 3.39.0)
 aws-sigv4 (~> 1.0)
- aws-sdk-s3 (1.30.1)
+ aws-sdk-s3 (1.31.0)
 aws-sdk-core (~> 3, >= 3.39.0)
 aws-sdk-kms (~> 1)
 aws-sigv4 (~> 1.0)
- aws-sigv4 (1.0.3)
+ aws-sigv4 (1.1.0)
+ aws-eventstream (~> 1.0, >= 1.0.2)
 bcrypt (3.1.12)
 bindex (0.5.0)
 bootsnap (1.4.1)
@@ -68,7 +69,7 @@ GEM
 builder (3.2.3)
 byebug (11.0.0)
 coderay (1.1.2)
- concurrent-ruby (1.1.4)
+ concurrent-ruby (1.1.5)
 connection_pool (2.2.2)
 crack (0.4.3)
 safe_yaml (~> 1.0.0)
@@ -89,7 +90,7 @@ GEM
 execjs (2.7.0)
 faraday (0.15.4)
 multipart-post (>= 1.2, < 3)
- ffi (1.9.25)
+ ffi (1.10.0)
 globalid (0.4.2)
 activesupport (>= 4.2.0)
 google-api-client (0.28.4)
@@ -113,11 +114,11 @@ GEM
 mime-types (~> 3.0)
 multi_xml (>= 0.5.2)
 httpclient (2.8.3)
- i18n (1.5.3)
+ i18n (1.6.0)
 concurrent-ruby (~> 1.0)
 jaro_winkler (1.5.2)
 jmespath (1.4.0)
- json (2.1.0)
+ json (2.2.0)
 jwt (2.1.0)
 listen (3.1.5)
 rb-fsevent (~> 0.9, >= 0.9.4)
@@ -140,7 +141,7 @@ GEM
 mini_portile2 (2.4.0)
 minitest (5.11.3)
 mono_logger (1.1.0)
- msgpack (1.2.7)
+ msgpack (1.2.9)
 multi_json (1.13.1)
 multi_xml (0.6.0)
 multipart-post (2.0.0)
@@ -175,35 +176,35 @@ GEM
 rack
 rack-test (1.1.0)
 rack (>= 1.0, < 3)
- rails (5.2.2)
- actioncable (= 5.2.2)
- actionmailer (= 5.2.2)
- actionpack (= 5.2.2)
- actionview (= 5.2.2)
- activejob (= 5.2.2)
- activemodel (= 5.2.2)
- activerecord (= 5.2.2)
- activestorage (= 5.2.2)
- activesupport (= 5.2.2)
+ rails (5.2.2.1)
+ actioncable (= 5.2.2.1)
+ actionmailer (= 5.2.2.1)
+ actionpack (= 5.2.2.1)
+ actionview (= 5.2.2.1)
+ activejob (= 5.2.2.1)
+ activemodel (= 5.2.2.1)
+ activerecord (= 5.2.2.1)
+ activestorage (= 5.2.2.1)
+ activesupport (= 5.2.2.1)
 bundler (>= 1.3.0)
- railties (= 5.2.2)
+ railties (= 5.2.2.1)
 sprockets-rails (>= 2.0.0)
 rails-dom-testing (2.0.3)
 activesupport (>= 4.2.0)
 nokogiri (>= 1.6)
 rails-html-sanitizer (1.0.4)
 loofah (~> 2.2, >= 2.2.2)
- railties (5.2.2)
- actionpack (= 5.2.2)
- activesupport (= 5.2.2)
+ railties (5.2.2.1)
+ actionpack (= 5.2.2.1)
+ activesupport (= 5.2.2.1)
 method_source
 rake (>= 0.8.7)
 thor (>= 0.19.0, < 2.0)
 rainbow (3.0.0)
 rake (12.3.2)
 rb-fsevent (0.10.3)
- rb-inotify (0.9.10)
- ffi (>= 0.5.0, < 2)
+ rb-inotify (0.10.0)
+ ffi (~> 1.0)
 readthis (2.2.0)
 connection_pool (~> 2.1)
 redis (>= 3.0, < 5.0)
@@ -237,8 +238,8 @@ GEM
 unicode-display_width (~> 1.4.0)
 ruby-progressbar (1.10.0)
 ruby_dep (1.5.0)
- safe_yaml (1.0.4)
- sass (3.5.7)
+ safe_yaml (1.0.5)
+ sass (3.7.3)
 sass-listen (~> 4.0.0)
 sass-listen (4.0.0)
 rb-fsevent (~> 0.9, >= 0.9.4)
@@ -320,7 +321,7 @@ DEPENDENCIES
 pry-rails
 puma (~> 3.12)
 rack-cors
- rails (~> 5.2.2)
+ rails (~> 5.2.2.1)
 readthis
 resque
 resque-heroku-signals