patch: security vulnerability fix #56

darrunategui · 2024-02-29T19:40:52Z

Why

Security vulnerabilities https://github.com/wealthsimple/eventsimple/actions/runs/8101388745/job/22141453280

Name: actionpack
Version: 7.1.3
CVE: CVE-[20](https://github.com/wealthsimple/eventsimple/actions/runs/8101388745/job/22141453280#step:6:21)24-26142
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
Title: Possible ReDoS vulnerability in Accept header parsing in Action Dispatch
Solution: upgrade to '>= 7.1.3.1'

Name: actionpack
Version: 7.1.3
CVE: CVE-2024-26143
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
Title: Possible XSS Vulnerability in Action Controller
Solution: upgrade to '~> 7.0.8, >= 7.0.8.1', '>= 7.1.3.1'

Name: rack
Version: 3.0.9
CVE: CVE-2024-25126
GHSA: GHSA-[22](https://github.com/wealthsimple/eventsimple/actions/runs/8101388745/job/22141453280#step:6:23)f2-v57c-j9cx
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941
Title: Denial of Service Vulnerability in Rack Content-Type Parsing
Solution: upgrade to '~> 2.2.8, >= 2.2.8.1', '>= 3.0.9.1'

Name: rack
Version: 3.0.9
CVE: CVE-20[24](https://github.com/wealthsimple/eventsimple/actions/runs/8101388745/job/22141453280#step:6:25)-[26](https://github.com/wealthsimple/eventsimple/actions/runs/8101388745/job/22141453280#step:6:27)141
GHSA: GHSA-xj5v-6v4g-jfw6
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
Title: Possible DoS Vulnerability with Range Header in Rack
Solution: upgrade to '~> 2.2.8, >= 2.2.8.1', '>= 3.0.9.1'

Name: rack
Version: 3.0.9
CVE: CVE-2024-26146
GHSA: GHSA-54rr-7fvw-6x8f
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/849[42](https://github.com/wealthsimple/eventsimple/actions/runs/8101388745/job/22141453280#step:6:43)
Title: Possible Denial of Service Vulnerability in Rack Header Parsing
Solution: upgrade to '~> 2.0.9, >= 2.0.9.4', '~> 2.1.4, >= 2.1.4.4', '~> 2.2.8, >= 2.2.8.1', '>= 3.0.9.1'

Vulnerabilities found!

What changed

Updated dependencies with bundle update rails

patch: security vulnerability fix

32aa93a

darrunategui requested a review from desheikh February 29, 2024 19:40

desheikh approved these changes Feb 29, 2024

View reviewed changes

desheikh merged commit c21786d into main Feb 29, 2024
4 checks passed

desheikh deleted the fix-security-vuln branch February 29, 2024 22:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

patch: security vulnerability fix #56

patch: security vulnerability fix #56

darrunategui commented Feb 29, 2024

patch: security vulnerability fix #56

patch: security vulnerability fix #56

Conversation

darrunategui commented Feb 29, 2024

Why

What changed