🚨 [security] Update activesupport 7.0.4.3 → 7.1.3.2 (minor) #3274

Closed
wants to merge 1 commit into from

Conversation

depfu[bot]
Contributor

@depfu depfu bot commented Mar 4, 2024


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

โ†—๏ธ activesupport (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Possible File Disclosure of Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โœณ๏ธ active_model_serializers (0.10.13 โ†’ 0.10.14) ยท Repo ยท Changelog

Commits

See the full diff on Github. The new version differs by 7 commits:

โœณ๏ธ awesome_nested_set (3.5.0 โ†’ 3.6.0) ยท Repo ยท Changelog

Release Notes

3.6.0 (from changelog)

* Support Rails 7.1 [Harshal Bhakta](https://github.com/harshalbhakta)
* Improve ImpossibleMove error message [AlejandroFernandesAntunes](https://github.com/AlejandroFernandesAntunes)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

โœณ๏ธ rails (7.0.4.3 โ†’ 7.1.3.2) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ actioncable (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ actionmailbox (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

โ†—๏ธ actionmailer (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ actionpack (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers
(translate, t, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.

Versions Affected: All. Not affected: None Fixed Versions: 7.1.3.1, 7.0.8.1

Impact

Applications using translation methods like translate, or t on a
controller, with a key ending in “_html”, a :default key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

class ArticlesController < ApplicationController
  def show
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end

To reiterate the pre-conditions, applications must:

  • Use a translation function from a controller (i.e. not I18n.t, or
    t from a view)
  • Use a key that ends in _html
  • Use a default value where the default value is untrusted and unescaped input
  • Send the text to the victim (whether that’s part of a template, or a
    render call)

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

🚨 Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage.
By default, Active Storage sends a Set-Cookie header along with the user’s
session cookie when serving blobs. It also sets Cache-Control to public.
Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7

Impact

A proxy which chooses to cache this request can cause users to share
sessions. This may include a user receiving an attacker’s session or vice
versa.

This was patched in 7.1.0 but not previously identified as a security
vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.

🚨 Possible ReDoS vulnerability in Accept header parsing in Action Dispatch

There is a possible ReDoS vulnerability in the Accept header parsing routines
of Action Dispatch. This vulnerability has been assigned the CVE identifier
CVE-2024-26142.

Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1

Impact

Carefully crafted Accept headers can cause Accept header parsing in
Action Dispatch to take an unexpected amount of time, possibly resulting in a
DoS vulnerability. All users running an affected release should either upgrade
or use one of the workarounds immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using
Ruby 3.2 or newer are unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

🚨 Possible XSS via User Supplied Values to redirect_to

The redirect_to method in Rails allows provided values to contain characters
which are not legal in an HTTP header value. This results in the potential for
downstream services which enforce RFC compliance on HTTP response headers to
remove the assigned Location header. This vulnerability has been assigned the
CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

Impact

This introduces the potential for a Cross-site-scripting (XSS) payload to be
delivered on the now static redirection page. Note that this both requires
user interaction and for a Rails app to be configured to allow redirects to
external hosts (defaults to false in Rails >= 7.0.x).

Releases

The FIXED releases are available at the normal locations.

Workarounds

Avoid providing user supplied URLs with arbitrary schemes to the redirect_to
method.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ actiontext (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ actionview (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ activejob (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ activemodel (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ activerecord (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ activestorage (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage.
By default, Active Storage sends a Set-Cookie header along with the userโ€™s
session cookie when serving blobs. It also sets Cache-Control to public.
Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7

Impact

A proxy which chooses to cache this request can cause users to share
sessions. This may include a user receiving an attacker’s session or vice
versa.

This was patched in 7.1.0 but not previously identified as a security
vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ rails-dom-testing (indirect, 2.0.3 โ†’ 2.2.0) ยท Repo ยท Changelog

Release Notes

2.2.0

What's Changed

New Contributors

Full Changelog: v2.1.1...v2.2.0

2.1.1

What's Changed

  • Fix issue when application isn't using minitest.

Full Changelog: v2.1.0...v2.1.1

2.1.0

What's Changed

  • Address warning: mismatched indentations at 'when' with 'case' by @yahonda in #74
  • Make assert_dom_equal ignore insignificant whitespace when walking the node tree by @jduff in #84
  • Expand Substitution Matching Types support by @seanpdoyle in #90
  • Alias assert_select methods to assert_dom versions by @seanpdoyle in #93
  • Raise an error if the last arg is the wrong format by @ghiculescu in #96
  • Fix replacement for multiple substitutions by @speckins in #76
  • Better error message if response.body is blank or not parseable by Nokogiri by @ghiculescu in #97
  • selector_assertions/html_selector: No trailing . on content_mismatch by @issyl0 in #102
  • Use Minitest::Assertion#diff for content failure messages by @flavorjones in #106

New Contributors

Full Changelog: v2.0.3...v2.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ rails-html-sanitizer (indirect, 1.5.0 โ†’ 1.6.0) ยท Repo ยท Changelog

Release Notes

1.6.0

1.6.0 / 2023-05-26

  • Dependencies have been updated:

    • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
    • As a result, required Ruby version is now >= 2.7.0

    Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1
    (which supports Ruby 2.5) is still in security support.

    Mike Dalessio

  • HTML5 standards-compliant sanitizers are now available on platforms supported by
    Nokogiri::HTML5. These are available as:

    • Rails::HTML5::FullSanitizer
    • Rails::HTML5::LinkSanitizer
    • Rails::HTML5::SafeListSanitizer

    And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version
    of Rails.

    Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical
    to the vendor class methods on Rails::HTML::Sanitizer.

    Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's
    supported, else the legacy HTML4 vendor.

    Mike Dalessio

  • Module namespaces have changed, but backwards compatibility is provided by aliases.

    The library defines three additional modules:

    • Rails::HTML for general functionality (replacing Rails::Html)
    • Rails::HTML4 containing sanitizers that parse content as HTML4
    • Rails::HTML5 containing sanitizers that parse content as HTML5

    The following aliases are maintained for backwards compatibility:

    • Rails::Html points to Rails::HTML
    • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
    • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
    • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

    Mike Dalessio

  • LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer
    already ensured this encoding.

    Mike Dalessio

  • SafeListSanitizer allows time tag and lang attribute by default.

    Mike Dalessio

  • The constant Rails::Html::XPATHS_TO_REMOVE has been removed. It's not necessary with the
    existing sanitizers, and should have been a private constant all along anyway.

    Mike Dalessio

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 57 commits:

โ†—๏ธ railties (indirect, 7.0.4.3 โ†’ 7.1.3.2) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ timeout (indirect, 0.3.2 โ†’ 0.4.1) ยท Repo

Release Notes

0.4.1

What's Changed

  • require ruby version in gemspec by @jjb in #35
  • test that work is done in the same thread/fiber as the caller by @jjb in #34
  • Require Ruby >= 2.6 for the timeout gem by @eregon in #37
  • nested exception tests for discussion by @jjb in #39
  • tests for blank seconds by @jjb in #40

Full Changelog: v0.4.0...v0.4.1

0.4.0

What's Changed

  • Update test libraries from ruby/ruby 2023-03-24 by @hsbt in #29
  • Use released version of test-unit-ruby-core by @nobu in #31
  • Raise exception instead of throw/catch for timeouts by @jeremyevans in #30

Full Changelog: v0.3.2...v0.4.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

🆕 base64 (added, 0.2.0)

🆕 bigdecimal (added, 3.1.6)

🆕 connection_pool (added, 2.4.1)

🆕 drb (added, 2.2.1)

🆕 io-console (added, 0.7.2)

🆕 irb (added, 1.11.2)

🆕 mutex_m (added, 0.2.0)

🆕 psych (added, 5.1.2)

🆕 rack-session (added, 1.0.2)

🆕 rackup (added, 1.0.0)

🆕 rdoc (added, 6.6.2)

🆕 reline (added, 0.4.3)

🆕 stringio (added, 3.1.0)

🆕 webrick (added, 1.8.1)

🗑️ method_source (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
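Added example, not part of the depfu comment or of Rails: a Ruby script that shows the mechanism behind the Active Support temp-file advisory (CVE-2023-38037) and why the `umask 0077` workaround helps. A plaintext file created without an explicit mode gets `0666 & ~umask`, so under the common `022` umask it is readable by every local user; passing an explicit `0600` mode (with `O_EXCL`) keeps it owner-only regardless of the umask. File names, contents and the `compare` helper are constructed for the example.

```ruby
require "tmpdir"

# Permission bits (owner/group/other) of a path, e.g. 0o644.
def mode_of(path)
  File.stat(path).mode & 0o777
end

# True when any group or world bit is set, i.e. another local user could open it.
def shared_readable?(path)
  (mode_of(path) & 0o077) != 0
end

# Writes plaintext the way a bare File.open(path, "wb") does: the kernel applies
# 0o666 & ~umask, so the caller's umask alone decides who else may read it.
# (Constructed stand-in for writing a to-be-encrypted temp file, not Rails code.)
def write_with_umask(dir, umask, plaintext)
  path = File.join(dir, "umask-#{Process.pid}.tmp")
  old = File.umask(umask)
  begin
    File.open(path, "wb") { |f| f.write(plaintext) }
  ensure
    File.umask(old)
  end
  path
end

# Hardened variant: an explicit 0o600 mode plus O_EXCL makes the file owner-only
# from the moment it exists, independent of the umask, and refuses to reuse a
# path someone else pre-created.
def write_owner_only(dir, umask, plaintext)
  path = File.join(dir, "strict-#{Process.pid}.tmp")
  old = File.umask(umask)
  begin
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(plaintext) }
  ensure
    File.umask(old)
  end
  path
end

# Creates both files in a scratch directory under the given umask and returns
# [umask_file_shared?, strict_file_shared?].
def compare(umask)
  Dir.mktmpdir do |dir|
    loose  = write_with_umask(dir, umask, "plaintext waiting to be encrypted")
    strict = write_owner_only(dir, umask, "plaintext waiting to be encrypted")
    [shared_readable?(loose), shared_readable?(strict)]
  end
end

if __FILE__ == $PROGRAM_NAME
  p compare(0o022)   # typical default umask:     [true, false]
  p compare(0o077)   # the advisory's workaround: [false, false]
end
```

The umask workaround only protects files whose creator relies on the default mode; code that passes an explicit mode, as `write_owner_only` does, is safe under any umask, which is the property a fixed release should have.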

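Added example, not Rails's `translate` implementation: a small stand-in for the `_html` translation-key behaviour described in CVE-2024-26143, with the vulnerable controller pattern from the advisory beside a hardened one that escapes the untrusted default before it is handed to an `_html` key. `TRANSLATIONS`, `translate`, `render` and the three message methods are assumptions made for the example; the real helper and `SafeBuffer` differ in detail, but the missing-key-plus-raw-default path is the one the advisory describes.

```ruby
require "erb"

# Constructed translation table: "message_html" is deliberately absent so the
# :default branch is taken, as in the advisory's example.
TRANSLATIONS = { "greeting_html" => "<b>Hello</b>" }.freeze

# Stand-in for the controller-side translate/t helper (not Rails's code):
# returns [text, html_safe?]. A key ending in "_html" is treated as HTML-safe,
# and when the key is missing the :default becomes the text, unescaped.
def translate(key, default:)
  text = TRANSLATIONS.fetch(key) { default }
  [text, key.end_with?("_html")]
end

# Stand-in for a template writing a value into the page: HTML-safe strings go
# out as they are, everything else is escaped.
def render(text, html_safe)
  html_safe ? text : ERB::Util.html_escape(text)
end

# The vulnerable pattern from the advisory: an _html key whose default is raw
# untrusted input, so that input reaches the page with its markup intact.
def vulnerable_message(untrusted_input)
  text, html_safe = translate("message_html", default: untrusted_input)
  render(text, html_safe)
end

# Hardened: escape the untrusted default before it is handed to an _html key,
# so the HTML-safe marking only ever covers markup the application produced.
def hardened_message(untrusted_input)
  text, html_safe = translate("message_html", default: ERB::Util.html_escape(untrusted_input))
  render(text, html_safe)
end

# A present key never touches the default; the exposure is specific to the
# missing-key path. Shown for contrast.
def existing_key_message(untrusted_input)
  text, html_safe = translate("greeting_html", default: untrusted_input)
  render(text, html_safe)
end

if __FILE__ == $PROGRAM_NAME
  sample = "<script>x</script>"        # constructed untrusted input
  puts vulnerable_message(sample)      # markup survives into the page
  puts hardened_message(sample)        # &lt;script&gt;x&lt;/script&gt;
end
```

The escape belongs on the default, not on the translated string: translations under an `_html` key are meant to carry markup, so escaping the whole result would break them, whereas the default is the only part that can come from a request.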
@depfu depfu bot added depfu Automatic PRs to update gems security labels Mar 4, 2024
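Added example for the `redirect_to` advisory (CVE-2023-28362), not Rails or this project's code: a validator for user-supplied redirect targets that rejects control characters (which are illegal in an HTTP header value and can get the `Location` header dropped downstream), non-http(s) schemes, and, mirroring the external-host restriction the advisory mentions as the Rails >= 7.0 default, any host other than the application's own. `classify_redirect_target`, `safe_redirect_target?`, the `own_host:` parameter and the sample URLs are constructed for the example.

```ruby
require "uri"

ALLOWED_SCHEMES = %w[http https].freeze

# Classifies a user-supplied redirect target before it reaches redirect_to.
# Returns :ok, :control_chars, :unparseable, :bad_scheme or :external_host.
# own_host: the application's own host; anything else is an external redirect.
def classify_redirect_target(value, own_host:)
  # CR, LF and other control bytes are not legal in an HTTP header value; an
  # intermediary that enforces RFC compliance may drop the whole Location header.
  return :control_chars if value.to_s.match?(/[\x00-\x1f\x7f]/)

  uri = begin
    URI.parse(value.to_s)
  rescue URI::InvalidURIError
    return :unparseable
  end

  # Only plain web schemes; "javascript:", "data:", "mailto:" etc. are rejected.
  return :bad_scheme if uri.scheme && !ALLOWED_SCHEMES.include?(uri.scheme.downcase)

  # Relative paths (no host) stay on-site; any host must be our own. This also
  # catches protocol-relative targets such as "//other.example/x".
  return :external_host if uri.host && !uri.host.casecmp?(own_host)

  :ok
end

# Convenience wrapper for a before-redirect guard in a controller.
def safe_redirect_target?(value, own_host:)
  classify_redirect_target(value, own_host: own_host) == :ok
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs covering each outcome.
  [
    "/dashboard",
    "https://app.example/profile",
    "//other.example/x",
    "javascript:void",
    "https://app.example/\r\nX-Injected: 1",
    "http://exa mple.com",
  ].each { |v| puts "#{v.inspect} => #{classify_redirect_target(v, own_host: 'app.example')}" }
end
```

Usage: call `safe_redirect_target?(params[:return_to], own_host: request.host)` and fall back to a fixed on-site path when it returns false, rather than passing the raw parameter to `redirect_to`.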
@hennevogel
Member

Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7

We are on Rails 7.0 for now

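Added example for the Active Storage advisory quoted above (CVE-2024-26144), not Rails or this project's code: a check over response headers for the combination the advisory describes (a `Set-Cookie` on a response whose `Cache-Control` says `public`), plus a Rack-style middleware that downgrades such responses to `private` for an application that stays on 7.0 and does not control its caching proxies. The sample header hash and cookie value are constructed; the middleware is an added edge mitigation, not the change Rails made in 7.1.

```ruby
# Constructed sample: what a blob response with a session cookie and a public
# cache policy looks like (not captured from Rails).
SAMPLE_BLOB_RESPONSE = {
  "Content-Type"  => "image/png",
  "Cache-Control" => "public, max-age=3600",
  "Set-Cookie"    => "_app_session=CONSTRUCTED_VALUE; path=/; HttpOnly",
}.freeze

# Case-insensitive header lookup; works with Rack 2 (mixed-case) and Rack 3
# (lower-case) header hashes. Returns the stored key or nil.
def header_key(headers, name)
  headers.keys.find { |k| k.to_s.casecmp?(name) }
end

# Cache-Control directives, stripped and downcased.
def cache_directives(headers)
  key = header_key(headers, "Cache-Control")
  return [] unless key
  headers[key].to_s.split(",").map { |d| d.strip.downcase }
end

# True when the response sets a cookie AND tells shared caches they may store
# it: "public" present with no "private"/"no-store" overriding it. This is the
# combination the advisory describes.
def cacheable_with_cookie?(headers)
  key = header_key(headers, "Set-Cookie")
  return false unless key
  cookies = Array(headers[key])                 # Rack 3 may store an Array
  return false if cookies.all? { |c| c.to_s.strip.empty? }
  directives = cache_directives(headers)
  directives.include?("public") && (directives & %w[private no-store]).empty?
end

# Rack-style middleware (no rack gem needed): replaces "public" with "private"
# on any response that carries a Set-Cookie, keeping the other directives.
class PrivateCookieResponses
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if cacheable_with_cookie?(headers)
      key = header_key(headers, "Cache-Control")
      headers[key] = headers[key].to_s.split(",").map(&:strip)
                                 .map { |d| d.casecmp?("public") ? "private" : d }
                                 .join(", ")
    end
    [status, headers, body]
  end
end

if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, SAMPLE_BLOB_RESPONSE.dup, ["png bytes"]] }
  _, fixed, _ = PrivateCookieResponses.new(app).call({})
  puts "before: #{cacheable_with_cookie?(SAMPLE_BLOB_RESPONSE)}  after: #{cacheable_with_cookie?(fixed)}"
  puts fixed["Cache-Control"]   # private, max-age=3600
end
```

`cacheable_with_cookie?` is also usable as a detection rule over captured responses from a proxy or test suite; a `private` directive is honoured by shared caches while still letting the browser cache the blob.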
@hennevogel hennevogel closed this Mar 5, 2024
@depfu depfu bot deleted the depfu/update/activesupport-7.1.3.2 branch March 5, 2024 13:19