
🚨 [security] Update all of rails: 6.1.4.1 → 6.1.6 (minor) #214

Closed
depfu[bot] wants to merge 1 commit into master from depfu/update/group/rails-6.1.6

Conversation


@depfu depfu bot commented May 10, 2022


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (6.1.4.1 → 6.1.6) · Repo

Release Notes

6.1.5

More info than we can show here.

6.1.4.7

More info than we can show here.

6.1.4.4

More info than we can show here.

6.1.4.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

Release Notes

6.1.5.1 (from changelog)

More info than we can show here.

6.1.5 (from changelog)

More info than we can show here.

6.1.4.7 (from changelog)

More info than we can show here.

6.1.4.6 (from changelog)

More info than we can show here.

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailbox (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

↗️ actionmailer (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

Release Notes

6.1.5.1 (from changelog)

More info than we can show here.

6.1.5 (from changelog)

More info than we can show here.

6.1.4.7 (from changelog)

More info than we can show here.

6.1.4.6 (from changelog)

More info than we can show here.

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

CSP headers were only sent along with responses that Rails considered as
"HTML" responses. This left API requests without CSP headers, which could
possibly expose users to XSS attacks.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Set a CSP for your API responses manually.

🚨 Possible exposure of information vulnerability in Action Pack

Impact

Under certain circumstances response bodies will not be closed, for example a
bug in a webserver (puma/puma#2812) or a bug in a Rack
middleware. In the event a response is not notified of a close,
ActionDispatch::Executor will not know to reset thread local state for the
next request. This can lead to data being leaked to subsequent requests,
especially when interacting with ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails will ensure mitigation of this issue
even in the context of a buggy webserver or middleware implementation.

Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

Workarounds

Upgrading is highly recommended, but to work around this problem the following
middleware can be used:

class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end

  private

  def ensure_completed!
    @executor.new.complete! if @executor.active?
  end
end

Ensure the guard is inserted before ActionDispatch::Executor:

Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end

🚨 Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization
middleware in Action Pack.

Specially crafted "X-Forwarded-Host" headers in combination with certain
"allowed host" formats can cause the Host Authorization middleware in Action
Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example,
configuration files that look like this:

config.hosts << '.EXAMPLE.com'

When an allowed host contains a leading dot, a specially crafted Host header
can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942.

Releases

The fixed releases are available at the normal locations.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

  • 6-0-host-authorzation-open-redirect.patch - Patch for 6.0 series
  • 6-1-host-authorzation-open-redirect.patch - Patch for 6.1 series
  • 7-0-host-authorzation-open-redirect.patch - Patch for 7.0 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at
present. Users of earlier unsupported releases are advised to upgrade as soon
as possible as we cannot guarantee the continued availability of security
fixes for unsupported releases.

Release Notes

6.1.5.1 (from changelog)

More info than we can show here.

6.1.5 (from changelog)

More info than we can show here.

6.1.4.7 (from changelog)

More info than we can show here.

6.1.4.6 (from changelog)

More info than we can show here.

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actiontext (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

Release Notes

6.1.5.1 (from changelog)

More info than we can show here.

6.1.5 (from changelog)

More info than we can show here.

6.1.4.7 (from changelog)

More info than we can show here.

6.1.4.6 (from changelog)

More info than we can show here.

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS Vulnerability in Action View tag helpers

There is a possible XSS vulnerability in Action View tag helpers. Passing
untrusted input as hash keys can lead to a possible XSS vulnerability. This
vulnerability has been assigned the CVE identifier CVE-2022-27777.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

If untrusted data is passed as the hash key for tag attributes, there is a
possibility that the untrusted data may not be properly escaped which can
lead to an XSS vulnerability.

Impacted code will look something like this:

check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })

Where the "malicious_input" variable contains untrusted data.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Escape the untrusted data before using it as a key for tag helper methods.

Release Notes

6.1.5.1 (from changelog)

More info than we can show here.

6.1.5 (from changelog)

More info than we can show here.

6.1.4.7 (from changelog)

More info than we can show here.

6.1.4.6 (from changelog)

More info than we can show here.

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

Release Notes

6.1.5.1 (from changelog)

More info than we can show here.

6.1.5 (from changelog)

More info than we can show here.

6.1.4.7 (from changelog)

More info than we can show here.

6.1.4.6 (from changelog)

More info than we can show here.

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

Release Notes

6.1.5.1 (from changelog)

More info than we can show here.

6.1.5 (from changelog)

More info than we can show here.

6.1.4.7 (from changelog)

More info than we can show here.

6.1.4.6 (from changelog)

More info than we can show here.

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

Release Notes

6.1.5.1 (from changelog)

More info than we can show here.

6.1.5 (from changelog)

More info than we can show here.

6.1.4.7 (from changelog)

More info than we can show here.

6.1.4.6 (from changelog)

More info than we can show here.

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

Security Advisories 🚨

🚨 Possible code injection vulnerability in Rails / Active Storage

There is a possible code injection vulnerability in the Active Storage module
of Rails. This vulnerability has been assigned the CVE identifier
CVE-2022-21831.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3

Impact

There is a possible code injection vulnerability in the Active Storage module
of Rails. This vulnerability impacts applications that use Active Storage
with the image_processing processing in addition to the mini_magick back end
for image_processing.

Vulnerable code will look something similar to this:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Where the transformation method or its arguments are untrusted arbitrary
input.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds

To work around this issue, applications should implement a strict allow-list
on accepted transformation methods or arguments. Additionally, a strict image
magick security policy will help mitigate this issue.

https://imagemagick.org/script/security-policy.php

Release Notes

6.1.5.1 (from changelog)

More info than we can show here.

6.1.5 (from changelog)

More info than we can show here.

6.1.4.7 (from changelog)

More info than we can show here.

6.1.4.6 (from changelog)

More info than we can show here.

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

Release Notes

6.1.5.1 (from changelog)

More info than we can show here.

6.1.5 (from changelog)

More info than we can show here.

6.1.4.7 (from changelog)

More info than we can show here.

6.1.4.6 (from changelog)

More info than we can show here.

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.9 → 1.1.10) · Repo · Changelog

Release Notes

1.1.10

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ globalid (indirect, 0.5.2 → 1.0.0) · Repo · Changelog

Release Notes

1.0.0

More info than we can show here.

0.6.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.8.10 → 1.10.0) · Repo · Changelog

Release Notes

1.10.0

More info than we can show here.

1.9.1

More info than we can show here.

1.9.0

More info than we can show here.

1.8.11

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.12.0 → 2.17.0) · Repo · Changelog

Release Notes

2.17.0

More info than we can show here.

2.16.0

More info than we can show here.

2.15.0

More info than we can show here.

2.14.0

More info than we can show here.

2.13.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ marcel (indirect, 1.0.1 → 1.0.2) · Repo

Release Notes

1.0.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_mime (indirect, 1.1.0 → 1.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.6.1 → 2.8.0) · Repo · Changelog

Release Notes

2.8.0

More info than we can show here.

2.7.1

More info than we can show here.

2.7.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.14.4 → 5.15.0) · Repo · Changelog

Release Notes

5.15.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.12.5 → 1.13.6) · Repo · Changelog

Security Advisories 🚨

🚨 Inefficient Regular Expression Complexity in Nokogiri

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is
susceptible to excessive backtracking when attempting to detect encoding
in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

🚨 Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to
1.9.22.noko2 which addresses CVE-2022-24839.
That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv
for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

  • Severity: High 7.5
  • Type: CWE-400 Uncontrolled Resource Consumption
  • Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a
    java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
  • See also: GHSA-9849-p7jc-9rmv

🚨 Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11
to 1.2.12, which addresses CVE-2018-25032.
That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.4, and only if the packaged version of zlib is being used.
Please see this document
for a complete description of which platform gems vendor zlib. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's zlib
release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

  • Severity: High
  • Type: CWE-787
    Out of bounds write
  • Description: zlib before 1.2.12 allows memory corruption when
    deflating (i.e., when compressing) if the input has many distant matches.

🚨 XML Injection in Xerces Java affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to
2.12.2, which addresses CVE-2022-23437.
That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation
of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J

  • Severity: Medium
  • Type: CWE-91 XML Injection (aka Blind XPath Injection)
  • Description: There's a vulnerability within the Apache Xerces Java
    (XercesJ) XML parser when handling specially crafted XML document payloads.
    This causes the XercesJ XML parser to wait in an infinite loop, which may
    sometimes consume system resources for a prolonged duration. This vulnerability
    is present within XercesJ version 2.12.1 and the previous versions.
  • See also: GHSA-h65f-jvqw-m9fj

🚨 Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)

Summary

Nokogiri v1.13.2 upgrades two of its packaged dependencies:

  • vendored libxml2 from v2.9.12 to v2.9.13
  • vendored libxslt from v1.1.34 to v1.1.35

Those library versions address the following upstream CVEs:

Those library versions also address numerous other issues including performance
improvements, regression fixes, and bug fixes, as well as memory leaks and other
use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's libxml2
and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link an older version of Nokogiri against external libraries
libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.

Impact

Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c

All versions of libxslt prior to v1.1.35 are affected.

Applications using untrusted XSL stylesheets to transform XML are vulnerable to
a denial-of-service attack and should be upgraded immediately.

libxml2 CVE-2022-23308

The upstream commit and the explanation linked above indicate that an application
may be vulnerable to a denial of service, memory disclosure, or code execution if
it parses an untrusted document with parse options DTDVALID set to true, and NOENT
set to false.

An analysis of these parse options:

  • While NOENT is off by default for Document, DocumentFragment, Reader, and
    Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri
    v1.12.0 and later.
  • DTDVALID is an option that Nokogiri does not set for any operations, and so
    this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse
option DTDVALID when parsing untrusted documents is vulnerable and should be
upgraded immediately.

Release Notes

1.13.6

More info than we can show here.

1.13.5

More info than we can show here.

1.13.4

More info than we can show here.

1.13.3

More info than we can show here.

1.13.2

More info than we can show here.

1.13.1

More info than we can show here.

1.13.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-html-sanitizer (indirect, 1.4.1 → 1.4.2) · Repo · Changelog

Release Notes

1.4.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 6.1.4.1 → 6.1.6) · Repo · Changelog

Release Notes

6.1.5.1 (from changelog)

More info than we can show here.

6.1.5 (from changelog)

More info than we can show here.

6.1.4.7 (from changelog)

More info than we can show here.

6.1.4.6 (from changelog)

More info than we can show here.

6.1.4.5 (from changelog)

More info than we can show here.

6.1.4.4 (from changelog)

More info than we can show here.

6.1.4.3 (from changelog)

More info than we can show here.

6.1.4.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sprockets (indirect, 4.0.2 → 4.0.3) · Repo · Changelog

Release Notes

4.0.3 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

↗️ sprockets-rails (indirect, 3.2.2 → 3.4.2) · Repo · Changelog

Release Notes

3.4.2

More info than we can show here.

3.4.1

More info than we can show here.

3.4.0

More info than we can show here.

3.3.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 1.1.0 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1

More info than we can show here.

1.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.4.2 → 2.5.4) · Repo · Changelog

Release Notes

2.5.4 (from changelog)

More info than we can show here.

2.5.3 (from changelog)

More info than we can show here.

2.5.1 (from changelog)

More info than we can show here.

2.5.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.
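The Action Pack CSP advisory (CVE-2022-22577) above says the header was only attached to responses Rails treated as HTML, and the workaround is to set a CSP for API responses yourself. The following is an added example, not code from Rails or from this PR: two Rack-style middlewares, one reproducing the "HTML only" shape of the defect and one that applies a policy to every response. It assumes only the Rack calling convention (call(env) returning [status, headers, body]); the sample app, paths and policy string are constructed, so it runs without Rack or Rails installed.

```ruby
# Added example (not from the Rails advisory or this PR). Shows why a CSP that
# is keyed on Content-Type leaves API responses uncovered, and a middleware
# that attaches a policy regardless of content type. Everything below is
# constructed for illustration.

API_CSP = "default-src 'none'; frame-ancestors 'none'".freeze

# Weak variant, modelled on the behaviour the advisory describes:
# the header is only added when the response looks like HTML.
class HtmlOnlyCsp
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if headers["Content-Type"].to_s.start_with?("text/html")
      headers["Content-Security-Policy"] = API_CSP
    end
    [status, headers, body]
  end
end

# Hardened variant: every response gets a policy unless the app already set
# one for that specific response (a per-endpoint override stays in force).
class AlwaysCsp
  def initialize(app, policy = API_CSP)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers["Content-Security-Policy"] ||= @policy
    [status, headers, body]
  end
end

# Constructed sample app: JSON under /api/, HTML everywhere else.
SAMPLE_APP = lambda do |env|
  if env["PATH_INFO"].to_s.start_with?("/api/")
    [200, { "Content-Type" => "application/json" }, ['{"ok":true}']]
  else
    [200, { "Content-Type" => "text/html; charset=utf-8" }, ["<p>hi</p>"]]
  end
end

# Returns the Content-Security-Policy header (or nil) that a middleware
# wrapped around SAMPLE_APP emits for the given path.
def csp_for(middleware_class, path)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path }
  _status, headers, _body = middleware_class.new(SAMPLE_APP).call(env)
  headers["Content-Security-Policy"]
end

if __FILE__ == $PROGRAM_NAME
  puts "HTML page, html-only middleware: #{csp_for(HtmlOnlyCsp, '/').inspect}"
  puts "API call,  html-only middleware: #{csp_for(HtmlOnlyCsp, '/api/users').inspect}"
  puts "API call,  always-on middleware: #{csp_for(AlwaysCsp, '/api/users').inspect}"
end
```

The second line of output is nil: that is the gap the advisory describes. In a Rails app the equivalent of AlwaysCsp would sit in the middleware stack before the router, or the policy would be set in an ActionController::API base class; the fixed Rails releases do this for you.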
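The Host Authorization advisory above concerns allowed hosts written with a leading dot, such as '.EXAMPLE.com', matched against a Host or X-Forwarded-Host value. The advisory does not spell out the crafted header, and this added example (not Rails' HostAuthorization code) does not try to: it only shows the strict interpretation a defender wants, where a leading-dot pattern means "that domain or a subdomain of it", the candidate is normalised (lower-cased, port stripped) and rejected outright if it is not a plain sequence of DNS labels. Hostnames below are constructed sample values.

```ruby
# Added example, not code from Rails or this PR. Strict allowed-host matching
# for the ".domain" pattern form discussed in the advisory.

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/

# Normalise a Host / X-Forwarded-Host value. Returns the bare lower-case
# hostname, or nil for anything that is not a plain hostname (path, userinfo,
# scheme, whitespace, empty labels). A trailing ":port" is stripped first.
def normalize_host(value)
  return nil if value.nil?
  host = value.strip.downcase.sub(/:\d+\z/, "")
  return nil if host.empty?
  labels = host.split(".", -1)          # -1 keeps empty labels so "a..b" fails
  return nil unless labels.all? { |label| LABEL.match?(label) }
  host
end

# patterns: "host.tld" allows exactly that host; ".host.tld" allows host.tld
# and any subdomain of it. Comparison is case-insensitive.
def host_allowed?(candidate, patterns)
  host = normalize_host(candidate)
  return false unless host
  patterns.any? do |pattern|
    pat = pattern.to_s.downcase
    if pat.start_with?(".")
      base = pat[1..]
      host == base || host.end_with?(".#{base}")
    else
      host == pat
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  allowed = [".EXAMPLE.com"]
  ["app.example.com", "EXAMPLE.COM:443", "evil-example.com",
   "example.com.evil.net", "example.com/redirect"].each do |h|
    puts "#{h.ljust(24)} -> #{host_allowed?(h, allowed)}"
  end
end
```

Note that the check never consults the header value twice: the normalised host is the only thing compared, so a value that smuggles a path, credentials or a second host component is refused before any suffix comparison happens.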
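The Action View advisory (CVE-2022-27777) above shows untrusted data used as a hash key in check_box_tag's aria: option and recommends escaping it before use. The following added example is not Rails' tag helper; it is a minimal attribute builder in two variants, so the difference is visible in plain Ruby: the first escapes only values (the shape of the defect the advisory describes), the second validates the key against a conservative attribute-name grammar and escapes both halves. The helper names and inputs are constructed.

```ruby
require "erb"   # ERB::Util.html_escape, stdlib

# Added example, not code from Rails or this PR. Builds the " prefix-key=\"value\""
# fragments a tag helper emits for a nested option hash such as aria: { ... }.

# Conservative attribute-name grammar: no whitespace, quotes, '=', '<' or '>'.
ATTR_NAME = /\A[a-zA-Z_:][-a-zA-Z0-9_:.]*\z/

# Value-only escaping: the key is interpolated verbatim, so a key containing
# a quote or whitespace can close the attribute and start a new one.
def attrs_value_only(prefix, pairs)
  pairs.map { |k, v| %( #{prefix}-#{k}="#{ERB::Util.html_escape(v)}") }.join
end

# Hardened: refuse keys that are not syntactically attribute names, then
# escape both key and value. The advisory's workaround is to escape the
# untrusted key; validating it first is the stricter form of the same idea.
def attrs_safe(prefix, pairs)
  pairs.map do |k, v|
    key = k.to_s
    unless ATTR_NAME.match?(key)
      raise ArgumentError, "invalid attribute name: #{key.inspect}"
    end
    %( #{prefix}-#{ERB::Util.html_escape(key)}="#{ERB::Util.html_escape(v)}")
  end.join
end

if __FILE__ == $PROGRAM_NAME
  trusted   = { "label" => "Save <draft>" }
  untrusted = { 'foo" x="y' => "v" }          # constructed: a quote inside the key
  puts attrs_value_only("aria", trusted)
  puts attrs_value_only("aria", untrusted)    # key breaks out of its attribute
  puts attrs_safe("aria", trusted)
  begin
    attrs_safe("aria", untrusted)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

In an application the same rule applies one level up: attribute names should come from code or an allow-list, and request data should only ever land in attribute values, where the helper's existing escaping handles it.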
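The Active Storage advisory (CVE-2022-21831) above shows the vulnerable shape blob.variant(params[:t] => params[:v]), where the transformation name and its arguments both come from the request, and the workaround is a strict allow-list on accepted transformation methods and arguments. The following added example (not Active Storage code) implements that allow-list: request parameters are mapped onto a fixed set of transformation names, each with a typed and bounded argument validator, and the result is the only thing that would be handed to blob.variant. The transformation names, limits and parameter keys are constructed for the example and should be matched to what your application actually offers.

```ruby
# Added example, not code from Rails or this PR. A strict allow-list that turns
# untrusted request parameters into a vetted variant options hash.

MAX_DIM = 4096   # constructed upper bound for width/height

# Validates a [width, height] pair of untrusted strings; returns Integers.
def dims(args)
  list = Array(args)
  unless list.size == 2
    raise ArgumentError, "expected [width, height], got #{args.inspect}"
  end
  w, h = list.map { |x| Integer(x.to_s, 10) }   # raises on non-decimal input
  unless [w, h].all? { |d| d.positive? && d <= MAX_DIM }
    raise ArgumentError, "dimensions out of range: #{[w, h].inspect}"
  end
  [w, h]
end

# Only quarter turns are accepted; anything else is rejected.
def rotation(args)
  deg = Integer(args.to_s, 10)
  raise ArgumentError, "rotation not allowed: #{deg}" unless [0, 90, 180, 270].include?(deg)
  deg
end

# transformation name => validator for its arguments. Nothing outside this
# table can reach the image processor, whatever the request says.
ALLOWED_TRANSFORMS = {
  "resize_to_limit" => ->(args) { dims(args) },
  "resize_to_fill"  => ->(args) { dims(args) },
  "rotate"          => ->(args) { rotation(args) },
}.freeze

# params: a Hash of untrusted strings/arrays, e.g. from the query string
# ("t" = transformation name, "v" = its arguments; constructed key names).
# Returns a Hash safe to pass to blob.variant, or raises ArgumentError.
def safe_variant_options(params)
  name = params["t"].to_s
  validator = ALLOWED_TRANSFORMS[name]
  raise ArgumentError, "transformation not allowed: #{name.inspect}" unless validator
  { name.to_sym => validator.call(params["v"]) }
end

if __FILE__ == $PROGRAM_NAME
  [
    { "t" => "resize_to_limit", "v" => ["800", "600"] },
    { "t" => "rotate", "v" => "90" },
    { "t" => "convert", "v" => "exe" },          # not in the allow-list
    { "t" => "resize_to_limit", "v" => ["99999", "1"] },
  ].each do |req|
    begin
      puts "#{req.inspect} -> #{safe_variant_options(req).inspect}"
    rescue ArgumentError => e
      puts "#{req.inspect} -> rejected (#{e.message})"
    end
  end
end
```

The point of keeping the validators per transformation is that "allow-listed name" alone is not enough: a permitted operation with an unbounded or wrongly typed argument is still attacker-controlled input reaching the image processor. The ImageMagick security policy linked in the advisory is the second, independent layer behind this one.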


depfu bot commented Jul 13, 2022

Closed in favor of #222.

@depfu depfu bot closed this Jul 13, 2022
@depfu depfu bot deleted the depfu/update/group/rails-6.1.6 branch July 13, 2022 00:24
