🚨 [security] Update all of rails: 6.1.4.1 → 6.1.4.6 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (6.1.4.1 → 6.1.4.6) · Repo

Release Notes

6.1.4.4

More info than we can show here.

6.1.4.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

Release Notes

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailbox (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

↗️ actionmailer (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

Release Notes

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

Security Advisories 🚨

🚨 Possible exposure of information vulnerability in Action Pack

Impact

Under certain circumstances response bodies will not be closed, for example a
bug in a webserver (puma/puma#2812) or a bug in a Rack
middleware. In the event a response is not notified of a close,
ActionDispatch::Executor will not know to reset thread local state for the
next request. This can lead to data being leaked to subsequent requests,
especially when interacting with ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails will ensure mitigation if this issue
even in the context of a buggy webserver or middleware implementation.

Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

Workarounds

Upgrading is highly recommended, but to work around this problem the following
middleware can be used:

class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end
private
def ensure_completed!
  @executor.new.complete! if @executor.active?
end

end
Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do

config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor

end

🚨 Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization
middleware in Action Pack.

Specially crafted "X-Forwarded-Host" headers in combination with certain
"allowed host" formats can cause the Host Authorization middleware in Action
Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example,
configuration files that look like this:

config.hosts <<  '.EXAMPLE.com'

When an allowed host contains a leading dot, a specially crafted Host header
can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942.

Releases

The fixed releases are available at the normal locations.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

• 6-0-host-authorzation-open-redirect.patch - Patch for 6.0 series
• 6-1-host-authorzation-open-redirect.patch - Patch for 6.1 series
• 7-0-host-authorzation-open-redirect.patch - Patch for 7.0 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at
present. Users of earlier unsupported releases are advised to upgrade as soon
as possible as we cannot guarantee the continued availability of security
fixes for unsupported releases.

Release Notes

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actiontext (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

Release Notes

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

Release Notes

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

Release Notes

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

Release Notes

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

Release Notes

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

Release Notes

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

Release Notes

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ globalid (indirect, 0.5.2 → 1.0.0) · Repo · Changelog

Release Notes

1.0.0

More info than we can show here.

0.6.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.8.10 → 1.9.1) · Repo · Changelog

Release Notes

1.9.1

More info than we can show here.

1.9.0

More info than we can show here.

1.8.11

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.12.0 → 2.14.0) · Repo · Changelog

Release Notes

2.13.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ marcel (indirect, 1.0.1 → 1.0.2) · Repo

Release Notes

1.0.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_mime (indirect, 1.1.0 → 1.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.6.1 → 2.7.1) · Repo · Changelog

Release Notes

2.7.1

More info than we can show here.

2.7.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.14.4 → 5.15.0) · Repo · Changelog

Release Notes

5.15.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.12.5 → 1.13.1) · Repo · Changelog

Release Notes

1.13.1

More info than we can show here.

1.13.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-html-sanitizer (indirect, 1.4.1 → 1.4.2) · Repo · Changelog

Release Notes

1.4.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 6.1.4.1 → 6.1.4.6) · Repo · Changelog

Release Notes

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sprockets-rails (indirect, 3.2.2 → 3.4.2) · Repo · Changelog

Release Notes

3.4.2

More info than we can show here.

3.4.1

More info than we can show here.

3.4.0

More info than we can show here.

3.3.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 1.1.0 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1

More info than we can show here.

1.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.4.2 → 2.5.4) · Repo · Changelog

Release Notes

2.5.4 (from changelog)

More info than we can show here.

2.5.3 (from changelog)

More info than we can show here.

2.5.1 (from changelog)

More info than we can show here.

2.5.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.

[depfu]

Closed in favor of #205.