upgrade rails from 7.1.3 to 7.1.4 to resolve CVEs #640

Merged: 1 commit merged into main from update-rails-gem-7-1-4 on Oct 18, 2024

Conversation

lfilmeyer (Contributor)

Upgrading to Rails 7.1.4 to resolve the following:

Run bundle exec bundler-audit
  bundle exec bundler-audit
  bundle exec brakeman -q -w2
  shell: /usr/bin/bash -e {0}
  env:
    RAILS_ENV: test
    BUNDLE_GEMFILE: /home/runner/work/urban-league-heat-pump-accelerator/urban-league-heat-pump-accelerator/backend/Gemfile
    DATABASE_URL: ***localhost:5432/test
Name: actionmailer
Version: 7.1.3.4
CVE: CVE-2024-47889
GHSA: GHSA-h47h-mwp9-c6q6
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
Title: Possible ReDoS vulnerability in block_format in Action Mailer
Solution: upgrade to '~> 6.1.7.9', '~> 7.0.8.5', '~> 7.1.4.1', '>= 7.2.1.1'

Name: actionpack
Version: 7.1.3.4
CVE: CVE-2024-41128
GHSA: GHSA-x76w-6vjr-8xgj
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
Title: Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
Solution: upgrade to '~> 6.1.7.9', '~> 7.0.8.5', '~> 7.1.4.1', '>= 7.2.1.1'

Name: actionpack
Version: 7.1.3.4
CVE: CVE-2024-47887
GHSA: GHSA-vfg9-r3fq-jvx4
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
Title: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
Solution: upgrade to '~> 6.1.7.9', '~> 7.0.8.5', '~> 7.1.4.1', '>= 7.2.1.1'

Name: actiontext
Version: 7.1.3.4
CVE: CVE-2024-47888
GHSA: GHSA-wwhv-wxv9-rpgw
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
Title: Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
Solution: upgrade to '~> 6.1.7.9', '~> 7.0.8.5', '~> 7.1.4.1', '>= 7.2.1.1'

Vulnerabilities found!
Error: Process completed with exit code 1.

@lfilmeyer lfilmeyer merged commit 755cdaf into main Oct 18, 2024
4 checks passed
@lfilmeyer lfilmeyer deleted the update-rails-gem-7-1-4 branch October 18, 2024 15:55