🚨 [security] Update rails: 6.1.5 → 6.1.7.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (6.1.5 → 6.1.7.1) · Repo

Release Notes

6.1.7.1

More info than we can show here.

6.1.7

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ minitest (5.15.0 → 5.17.0) · Repo · Changelog

Release Notes

5.17.0 (from changelog)

More info than we can show here.

5.16.3 (from changelog)

More info than we can show here.

5.16.2 (from changelog)

More info than we can show here.

5.16.1 (from changelog)

More info than we can show here.

5.16.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

Release Notes

6.1.7.1 (from changelog)

More info than we can show here.

6.1.7 (from changelog)

More info than we can show here.

6.1.6.1 (from changelog)

More info than we can show here.

6.1.5.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailbox (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

↗️ actionmailer (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

Release Notes

6.1.7.1 (from changelog)

More info than we can show here.

6.1.7 (from changelog)

More info than we can show here.

6.1.6.1 (from changelog)

More info than we can show here.

6.1.5.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

CSP headers were only sent along with responses that Rails considered as
"HTML" responses. This left API requests without CSP headers, which could
possibly expose users to XSS attacks.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Set a CSP for your API responses manually.

Release Notes

6.1.7.1 (from changelog)

More info than we can show here.

6.1.7 (from changelog)

More info than we can show here.

6.1.6.1 (from changelog)

More info than we can show here.

6.1.5.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actiontext (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

Release Notes

6.1.7.1 (from changelog)

More info than we can show here.

6.1.7 (from changelog)

More info than we can show here.

6.1.6.1 (from changelog)

More info than we can show here.

6.1.5.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing
untrusted input as hash keys can lead to a possible XSS vulnerability. This
vulnerability has been assigned the CVE identifier CVE-2022-27777.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

If untrusted data is passed as the hash key for tag attributes, there is a
possibility that the untrusted data may not be properly escaped which can
lead to an XSS vulnerability.

Impacted code will look something like this:

check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })

Where the "malicious_input" variable contains untrusted data.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Escape the untrusted data before using it as a key for tag helper methods.

Release Notes

6.1.7.1 (from changelog)

More info than we can show here.

6.1.7 (from changelog)

More info than we can show here.

6.1.6.1 (from changelog)

More info than we can show here.

6.1.5.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

Release Notes

6.1.7.1 (from changelog)

More info than we can show here.

6.1.7 (from changelog)

More info than we can show here.

6.1.6.1 (from changelog)

More info than we can show here.

6.1.5.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

Release Notes

6.1.7.1 (from changelog)

More info than we can show here.

6.1.7 (from changelog)

More info than we can show here.

6.1.6.1 (from changelog)

More info than we can show here.

6.1.5.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible RCE escalation bug with Serialized Columns in Active Record

There is a possible escalation to RCE when using YAML serialized columns in
Active Record. This vulnerability has been assigned the CVE identifier
CVE-2022-32224.

Versions Affected: All.
Not affected: None
Fixed Versions: 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1

Impact

When serialized columns that use YAML (the default) are deserialized, Rails
uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an
attacker can manipulate data in the database (via means like SQL injection),
then it may be possible for the attacker to escalate to an RCE.

Impacted Active Record models will look something like this:

class User < ApplicationRecord
  serialize :options       # Vulnerable: Uses YAML for serialization
  serialize :values, Array # Vulnerable: Uses YAML for serialization
  serialize :values, JSON  # Not vulnerable
end

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

The released versions change the default YAML deserializer to use
YAML.safe_load, which prevents deserialization of possibly dangerous
objects. This may introduce backwards compatibility issues with existing
data.

In order to cope with that situation, the released version also contains two
new Active Record configuration options. The configuration options are as
follows:

• config.active_storage.use_yaml_unsafe_load

When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.

• config.active_record.yaml_column_permitted_classes

The "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:

config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]

Workarounds

There are no feasible workarounds for this issue, but other coders (such as
JSON) are not impacted.

Release Notes

6.1.7.1 (from changelog)

More info than we can show here.

6.1.7 (from changelog)

More info than we can show here.

6.1.6.1 (from changelog)

More info than we can show here.

6.1.5.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

Release Notes

6.1.7.1 (from changelog)

More info than we can show here.

6.1.7 (from changelog)

More info than we can show here.

6.1.6.1 (from changelog)

More info than we can show here.

6.1.5.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

Release Notes

6.1.7.1 (from changelog)

More info than we can show here.

6.1.7 (from changelog)

More info than we can show here.

6.1.6.1 (from changelog)

More info than we can show here.

6.1.5.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.9 → 1.1.10) · Repo · Changelog

Release Notes

1.1.10

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ erubi (indirect, 1.10.0 → 1.12.0) · Repo · Changelog

Release Notes

1.12.0 (from changelog)

More info than we can show here.

1.11.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ globalid (indirect, 1.0.0 → 1.0.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.10.0 → 1.12.0) · Repo · Changelog

Release Notes

1.12.0

More info than we can show here.

1.11.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mail (indirect, 2.7.1 → 2.8.0.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.8.0 → 2.8.1) · Repo · Changelog

Release Notes

2.8.1

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.13.10 → 1.14.0) · Repo · Changelog

Release Notes

1.14.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ racc (indirect, 1.6.1 → 1.6.2) · Repo · Changelog

Release Notes

1.6.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 2.2.3 → 2.2.6.2) · Repo · Changelog

Security Advisories 🚨

🚨 Denial of Service Vulnerability in Rack Multipart Parsing

There is a possible denial of service vulnerability in the multipart parsing
component of Rack. This vulnerability has been assigned the CVE identifier
CVE-2022-30122.

Versions Affected: >= 1.2
Not affected: < 1.2
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1

Impact

Carefully crafted multipart POST requests can cause Rack's multipart parser to
take much longer than expected, leading to a possible denial of service
vulnerability.

Impacted code will use Rack's multipart parser to parse multipart posts. This
includes directly using the multipart parser like this:

params = Rack::Multipart.parse_multipart(env)

But it also includes reading POST data from a Rack request object like this:

p request.POST # read POST data
p request.params # reads both query params and POST data

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds

There are no feasible workarounds for this issue.

🚨 Possible shell escape sequence injection vulnerability in Rack

There is a possible shell escape sequence injection vulnerability in the Lint
and CommonLogger components of Rack. This vulnerability has been assigned the
CVE identifier CVE-2022-30123.

Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1

Impact

Carefully crafted requests can cause shell escape sequences to be written to
the terminal via Rack's Lint middleware and CommonLogger middleware. These
escape sequences can be leveraged to possibly execute commands in the victim's
terminal.

Impacted applications will have either of these middleware installed, and
vulnerable apps may have something like this:

use Rack::Lint

Or

use Rack::CommonLogger

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds

Remove these middleware from your application

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack-test (indirect, 1.1.0 → 2.0.2) · Repo · Changelog

Release Notes

2.0.2 (from changelog)

More info than we can show here.

2.0.1 (from changelog)

More info than we can show here.

2.0.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 6.1.5 → 6.1.7.1) · Repo · Changelog

Release Notes

6.1.7 (from changelog)

More info than we can show here.

6.1.6.1 (from changelog)

More info than we can show here.

6.1.5.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sprockets (indirect, 4.0.3 → 4.2.0) · Repo · Changelog

Release Notes

4.2.0 (from changelog)

More info than we can show here.

4.1.1

More info than we can show here.

4.1.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 2.0.4 → 2.0.5) · Repo · Changelog

Release Notes

2.0.5

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.5.4 → 2.6.6) · Repo · Changelog

Release Notes

2.6.6 (from changelog)

More info than we can show here.

2.6.5 (from changelog)

More info than we can show here.

2.6.4 (from changelog)

More info than we can show here.

2.6.3 (from changelog)

More info than we can show here.

2.6.2 (from changelog)

More info than we can show here.

2.6.1 (from changelog)

More info than we can show here.

2.6.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 date (added, 3.3.3)

🆕 net-imap (added, 0.3.4)

🆕 net-pop (added, 0.1.2)

🆕 net-protocol (added, 0.2.1)

🆕 net-smtp (added, 0.3.3)

🆕 timeout (added, 0.3.1)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #102.