From 05a09dcfa8dfa2882c706dcaa9b3fc3592ecce0b Mon Sep 17 00:00:00 2001
From: Erik Eide
Date: Tue, 1 Mar 2016 10:48:11 +0000
Subject: [PATCH] Update Rails to security patched version 4.2.5.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updates Rails to the latest version to address `[CVE-2016-2098]` for Possible remote code execution vulnerability in Action Pack, and `[CVE-2016-2097]’ for Possible Information Leak Vulnerability in Action View. Both vulnerabilities are exploited by code that allows a carefully set value in params[:id] when passed to the render method, which static doesn’t do directly.
---
 Gemfile | 3 ++-
 Gemfile.lock | 64 ++++++++++++++++++++++++++--------------------------
 2 files changed, 34 insertions(+), 33 deletions(-)

diff --git a/Gemfile b/Gemfile
index 1cde1df3e..81a568356 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,6 +1,7 @@
 source 'https://rubygems.org'
-gem 'rails', '4.2.5.1'
+gem 'rails', '4.2.5.2'
+
 gem 'unicorn', '4.9.0'
 gem 'logstasher', '0.4.8'
diff --git a/Gemfile.lock b/Gemfile.lock
index 6f615f2d0..1b130e891 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -2,38 +2,38 @@ GEM remote: https://rubygems.org/ specs: PriorityQueue (0.1.2) - actionmailer (4.2.5.1) - actionpack (= 4.2.5.1) - actionview (= 4.2.5.1) - activejob (= 4.2.5.1) + actionmailer (4.2.5.2) + actionpack (= 4.2.5.2) + actionview (= 4.2.5.2) + activejob (= 4.2.5.2) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 1.0, >= 1.0.5) - actionpack (4.2.5.1) - actionview (= 4.2.5.1) - activesupport (= 4.2.5.1) + actionpack (4.2.5.2) + actionview (= 4.2.5.2) + activesupport (= 4.2.5.2) rack (~> 1.6) rack-test (~> 0.6.2) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) actionpack-page_caching (1.0.2) actionpack (>= 4.0.0, < 5) - actionview (4.2.5.1) - activesupport (= 4.2.5.1) + actionview (4.2.5.2) + activesupport (= 4.2.5.2) builder (~> 3.1) erubis (~> 2.7.0) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) - activejob (4.2.5.1) - activesupport (= 4.2.5.1) + activejob (4.2.5.2) + activesupport (= 4.2.5.2) globalid (>= 0.3.0) - activemodel (4.2.5.1) - activesupport (= 4.2.5.1) + activemodel (4.2.5.2) + activesupport (= 4.2.5.2) builder (~> 3.1) - activerecord (4.2.5.1) - activemodel (= 4.2.5.1) - activesupport (= 4.2.5.1) + activerecord (4.2.5.2) + activemodel (= 4.2.5.2) + activesupport (= 4.2.5.2) arel (~> 6.0) - activesupport (4.2.5.1) + activesupport (4.2.5.2) i18n (~> 0.7) json (~> 1.7, >= 1.7.7) minitest (~> 5.1) @@ -61,7 +61,7 @@ GEM rack-test (>= 0.5.4) xpath (~> 2.0) coderay (1.1.0) - concurrent-ruby (1.0.0) + concurrent-ruby (1.0.1) crack (0.4.2) safe_yaml (~> 1.0.0) debug_inspector (0.0.2) @@ -123,7 +123,7 @@ GEM mime-types (>= 1.16, < 3) metaclass (0.0.4) method_source (0.8.2) - mime-types (2.99) + mime-types (2.99.1) mini_portile (0.6.2) minitest (5.8.4) minitest-capybara (0.7.2) 
@@ -156,16 +156,16 @@ GEM rack-test (0.6.3) rack (>= 1.0) rack_strip_client_ip (0.0.1) - rails (4.2.5.1) - actionmailer (= 4.2.5.1) - actionpack (= 4.2.5.1) - actionview (= 4.2.5.1) - activejob (= 4.2.5.1) - activemodel (= 4.2.5.1) - activerecord (= 4.2.5.1) - activesupport (= 4.2.5.1) + rails (4.2.5.2) + actionmailer (= 4.2.5.2) + actionpack (= 4.2.5.2) + actionview (= 4.2.5.2) + activejob (= 4.2.5.2) + activemodel (= 4.2.5.2) + activerecord (= 4.2.5.2) + activesupport (= 4.2.5.2) bundler (>= 1.3.0, < 2.0) - railties (= 4.2.5.1) + railties (= 4.2.5.2) sprockets-rails rails-deprecated_sanitizer (1.0.3) activesupport (>= 4.2.0.alpha) @@ -175,9 +175,9 @@ GEM rails-deprecated_sanitizer (>= 1.0.1) rails-html-sanitizer (1.0.3) loofah (~> 2.0) - railties (4.2.5.1) - actionpack (= 4.2.5.1) - activesupport (= 4.2.5.1) + railties (4.2.5.2) + actionpack (= 4.2.5.2) + activesupport (= 4.2.5.2) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) rainbow (2.1.0) @@ -269,7 +269,7 @@ DEPENDENCIES pry quiet_assets (= 1.1.0) rack_strip_client_ip (= 0.0.1) - rails (= 4.2.5.1) + rails (= 4.2.5.2) sass-rails (= 5.0.4) shoulda sprockets-rails (= 2.3.3)