Update Rails to fix security vulnerabilities
## Problem

`bundle-audit` reported some vulnerabilities:

```
ruby-advisory-db: 273 advisories

Name: actionpack
Version: 4.2.5
Advisory: CVE-2015-7576
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Title: Timing attack vulnerability in basic authentication in Action Controller.
Solution: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: actionpack
Version: 4.2.5
Advisory: CVE-2015-7581
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
Title: Object leak vulnerability for wildcard controller routes in Action Pack
Solution: upgrade to >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Name: actionpack
Version: 4.2.5
Advisory: CVE-2016-0751
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Title: Possible Object Leak and Denial of Service attack in Action Pack
Solution: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: actionpack
Version: 4.2.5
Advisory: CVE-2016-2098
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Title: Possible remote code execution vulnerability in Action Pack
Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14

Name: actionview
Version: 4.2.5
Advisory: CVE-2016-0752
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Title: Possible Information Leak Vulnerability in Action View
Solution: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: actionview
Version: 4.2.5
Advisory: CVE-2016-6316
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Title: Possible XSS Vulnerability in Action View
Solution: upgrade to ~> 3.2.22.3, ~> 4.2.7.1, >= 5.0.0.1

Name: activemodel
Version: 4.2.5
Advisory: CVE-2016-0753
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
Title: Possible Input Validation Circumvention in Active Model
Solution: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Name: activerecord
Version: 4.2.5
Advisory: CVE-2015-7577
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Title: Nested attributes rejection proc bypass in Active Record
Solution: upgrade to ~> 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: activerecord
Version: 4.2.5
Advisory: CVE-2016-6317
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
Title: Unsafe Query Generation Risk in Active Record
Solution: upgrade to ~> 4.2.7.1

Name: nokogiri
Version: 1.6.7
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1

Name: nokogiri
Version: 1.6.7
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Solution: upgrade to >= 1.6.7.2

Name: nokogiri
Version: 1.6.7
Advisory: CVE-2015-8806
Criticality: Unknown
URL: sparklemotion/nokogiri#1473
Title: Denial of service or RCE from libxml2 and libxslt
Solution: upgrade to >= 1.6.8

Name: rails-html-sanitizer
Version: 1.0.2
Advisory: CVE-2015-7578
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI
Title: Possible XSS vulnerability in rails-html-sanitizer
Solution: upgrade to ~> 1.0.3

Name: rails-html-sanitizer
Version: 1.0.2
Advisory: CVE-2015-7580
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI
Title: Possible XSS vulnerability in rails-html-sanitizer
Solution: upgrade to ~> 1.0.3

Vulnerabilities found!
```

## Solution

Update Rails to version 5, along with associated gems.