🚨 [security] Update rails 7.0.8.1 → 7.0.8.4 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (7.0.8.1 → 7.0.8.4) · Repo

Release Notes

7.0.8.2

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• Upgrade Trix to 1.3.2 to fix CVE-2024-34341.

  Rafael Mendonça França

Railties

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ net-imap (0.4.10 → 0.4.12) · Repo

Release Notes

0.4.12

What's Changed

• 📚 Fix many rdoc spelling mistakes by @nevans in #279
• 📦 Update workflow with configure_trusted_publisher by @nevans in #280
• 🔍 Simplify handling of ResponseParser test failures by @nevans in #281
• ⬆️ Bump step-security/harden-runner from 2.7.1 to 2.8.0 by @dependabot in #289
• Clarify the license of net-imap by @shugo in #275

Full Changelog: v0.4.11...v0.4.12

0.4.11

What's Changed

Server workarounds

• Consider extra empty space in BODYSTRUCTURE by @gaynetdinov in #271

Miscellaneous

• 🐛 Fix parser benchmarks generation by @nevans in #266
• ✅ Add basic test for SEARCH / UID SEARCH command by @nevans in #267
• 📧 Update gem email address and git mailmap by @nevans in #264
• ✅ Update Github test workflow name by @nevans in #268
• ⬆️ Bump actions/configure-pages from 4 to 5 by @dependabot in #270
• 🔧🔒 Configure RubyGems Trusted Publishing by @nevans in #265

New Contributors

• @gaynetdinov made their first contribution in #271

Full Changelog: v0.4.10...v0.4.11

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailbox (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

↗️ actionmailer (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Security Advisories 🚨

🚨 Missing security headers in Action Pack on non-HTML responses

Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses
with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0
Not affected: < 6.1.0
Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the supported release series in accordance with our
maintenance policy
regarding security issues. They are in git-am format and consist of a
single changeset.

• 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
• 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
• 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

Release Notes

7.0.8.4 (from changelog)

• Include the HTTP Permissions-Policy on non-HTML Content-Types [CVE-2024-28103]

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actiontext (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Security Advisories 🚨

🚨 Trix Editor Arbitrary Code Execution Vulnerability

The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application.

Vulnerable Versions:

• 1.x series up to and including 1.3.1
• 2.x series up to and including 2.1.0

Fixed Versions:

• v1.3.2
• v2.1.1

Vector:

• Bug 1: When copying content manipulated by a script, such as:

document.addEventListener('copy', function(e){
  e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>');
  e.preventDefault();
});

and pasting into the Trix editor, the script within the content is executed.

• Bug 2: Similar execution occurs with content structured as:

document.write(`copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=alert(101)&gt;HELLO123&quot;}"></div>me`);

Impact:

An attacker could exploit these vulnerabilities to execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Remediation:

Update Recommendation: Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.

CSP Enhancement: Additionally, enhancing the Content Security Policy (CSP) to disallow inline scripts can significantly mitigate the risk of such vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

References:

• https://github.com/basecamp/trix/releases/tag/v2.1.1
• basecamp/trix#1147
• basecamp/trix#1149
• basecamp/trix#1153

Credit: These issues were reported by security researchers loknop and pinpie.

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• Fix vendored trix.css to be correct file.

  Hartley McGuire

7.0.8.2 (from changelog)

• Upgrade Trix to 1.3.2 to fix CVE-2024-34341.

  Rafael Mendonça França

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.2.3 → 1.3.1) · Repo · Changelog

Release Notes

1.3.1

This release is essentially v1.3.0, but with a properly packaged gem. There was an issue publishing v1.3.0 and that gem needed to be yanked to avoid breaking downstream projects. The v1.3.0 changelog is reproduced below.

What's Changed

• Add Concurrent.usable_processor_count that is cgroups aware by @casperisfine in #1038
• Align Java Executor Service behavior for shuttingdown?, shutdown? by @bensheldon in #1042

New Contributors

• @dependabot made their first contribution in #1028
• @kkohrt made their first contribution in #1037

Full Changelog: v1.2.3...v1.3.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.14.4 → 1.14.5) · Repo · Changelog

Release Notes

1.14.5

What's Changed

• Explicitly bundle racc gem for Ruby 3.3+ by @amatsuda in #690
• Optimize I18n::Locale::Fallbacks#[] for recursive locale mappings by @uiur in #692
• Add I18n.interpolation_keys by @tom-lord in #682
• Fix syntax in documentation for I18n::Backend::Base.interpolate by @tom-lord in #691
• Fix that escaped interpolations with reserved keywords raised ReservedInterpolationKey by @Bilka2 in #688

New Contributors

• @uiur made their first contribution in #692
• @tom-lord made their first contribution in #682
• @Bilka2 made their first contribution in #688

Full Changelog: v1.14.4...v1.14.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ marcel (indirect, 1.0.2 → 1.0.4) · Repo

Release Notes

1.0.4

What's Changed

• Regression fix: binary declared type should fall back to filename extension type by @jeremy in #99

Full Changelog: v1.0.3...v1.0.4

1.0.3

What's Changed

• Prefer audio/ogg instead of audio/vorbis by @gmcgibbon in #65
• Suppress warning by @wonda-tea-coffee in #69
• Add explanation of MimeType.for's handling of argument types by @elebow in #68
• tables.rb: Generate UTF-8 strings when possible. by @casperisfine in #70
• Remove comment strings from Tables::TYPE by @casperisfine in #71
• Store MIME parents in a distinct Hash by @casperisfine in #72
• Fix magic detection for HTML with <svg by @ursm in #74
• Update gem name in Gemfile by @elebow in #88
• Move to GitHub Actions by @hahmed in #82
• Add note in README how to extend detection of custom file types by @vipulnsward in #93
• Fix Illustrator detection as application/pdf instead of application/illustrator by @jeremy in #94

New Contributors

• @wonda-tea-coffee made their first contribution in #69
• @elebow made their first contribution in #68
• @casperisfine made their first contribution in #70
• @ursm made their first contribution in #74
• @hahmed made their first contribution in #82
• @vipulnsward made their first contribution in #93
• @jeremy made their first contribution in #94

Full Changelog: v1.0.2...v1.0.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ method_source (indirect, 1.0.0 → 1.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.8.5 → 2.8.7) · Repo · Changelog

Release Notes

2.8.7

2.8.7 / 2024-05-31

Added

• When setting the C compiler through the MiniPortile constructor, the preferred keyword argument is now :cc_command. The original :gcc_command is still supported. (#144 by @flavorjones)
• Add support for extracting xz-compressed tarballs on OpenBSD. (#141 by @postmodern)
• Add OpenBSD support to the experimental method MakeMakefile#mkmf_config. (#141 by @flavorjones)

Changed

• MiniPortileCMake now detects the C and C++ compiler the same way MiniPortile does: by examining environment variables, then using kwargs, then looking in RbConfig (in that order). (#144 by @flavorjones)
• GPG file verification error messages are captured in the raised exception. Previously these errors went to stderr. (#145 by @flavorjones)

2.8.6

2.8.6 / 2024-04-14

Added

• When using CMake on FreeBSD, default to clang's "cc" and "c++" compilers. (#139 by @mudge)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.22.3 → 5.23.1) · Repo · Changelog

Release Notes

5.23.1 (from changelog)

• 1 bug fix:

  • Fully qualify the Queue class to avoid conflicts with other libraries. (rafaelfranca)

5.23.0 (from changelog)

• 3 minor enhancements:

  • Added -Werror to raise on any warning output. (byroot)

  • Added UnexpectedWarning as a failure summary type, added count to output if activated.

  • Added minitest/manual_plugins.rb w/ new Minitest.load method. (tenderlove)

• 2 bug fixes:

  • Allow empty_run! and reporter to display summary for empty runs. (zzak)

  • Make test task verbose using either rake’s -v or -t (was just -t).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.7.0 → 2.7.3) · Repo · Changelog

Release Notes

2.7.2 (from changelog)

• Modernize gem (list all authors, etc).
• Drop official support for Ruby 2.4.
• Fix JRuby release version.

2.7.1

What's Changed

• Update changes.md by @ioquatix in #311
• fix jruby warnings by @ahorek in #313
• Convert license to array of identifiers by @voxik in #312

Full Changelog: v2.7.0...v2.7.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.16.3 → 1.16.5) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

• described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
• patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

• 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
• 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
• 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

Release Notes

1.16.5

v1.16.5 / 2024-05-13

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@flavorjones)

---

sha256 checksums:

af0f44fa3e664dfb2aa10de8b551447d720c1e8d1f0aa3f35783dcc43e40a874  nokogiri-1.16.5-aarch64-linux.gem
23dc2357b26409a5c33b7e32a82902f0e9995305420f16d1a03ab3ea1a482fec  nokogiri-1.16.5-arm-linux.gem
950d037530edb49f75ad35de0b8038b970a7dda57e2b6326895b0e49fadf6214  nokogiri-1.16.5-arm64-darwin.gem
b7aefc94370c62476b8528e8d8abb6160203abd84a1f4eceda8f1aa8974d9989  nokogiri-1.16.5-java.gem
ec2167160df8fec3137bf95d574ed80ebc1d002bb3b281546b60b4aa9002466e  nokogiri-1.16.5-x64-mingw-ucrt.gem
6984200491fac69974005ecfa2de129d61843d345eafa5d6f58e8b908d1cf107  nokogiri-1.16.5-x64-mingw32.gem
abdc389ab1ec6604492da16bd9d06ad746fdb6bd6a1bd274c400d61ffcadb3c4  nokogiri-1.16.5-x86-linux.gem
63d24981345856f2baf7f4089870a62d3042fb8d3021b280fb04fc052532e3c4  nokogiri-1.16.5-x86-mingw32.gem
71b5f54e378c433d13df67c3b71acc4716129da62402d8181f310c4216a63279  nokogiri-1.16.5-x86_64-darwin.gem
0ca238da870066bed2f7837af6f35791bb9b76c4c5638999c46aac44818a6a97  nokogiri-1.16.5-x86_64-linux.gem
ec36162c68984fa0a90a5c4ae7ab7759460639e716cc1ce75f34c3cb54158ad2  nokogiri-1.16.5.gem

1.16.4

v1.16.4 / 2024-04-10

Dependencies

• [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

---

sha256 checksums:

bdb1dc4378ebcf3ade8f440c7df68f6d76946a1a96c4823a2b4c53c01a320cd5  nokogiri-1.16.4-aarch64-linux.gem
0c994b9996d5576eddcc3201a94ef2bff6fc3627c4ae4d2708b0ec9b9743ec6a  nokogiri-1.16.4-arm-linux.gem
8e86abb64c93c06d3c588042a0e757279e8f1dc88b5210a00be892a9a7a27196  nokogiri-1.16.4-arm64-darwin.gem
bf84fa28be4943692bd64772186e0832fb1061f80714ccb93e111e9d72b1cadc  nokogiri-1.16.4-java.gem
a46808467c1f63a2031e1ca0715cd5336bb4ec759e9c0e2f4c951c1cc30994ae  nokogiri-1.16.4-x64-mingw-ucrt.gem
4cdf64bc5e9443ec3e0b595347ecc8affe21968d9ae934c0825d26630ef96468  nokogiri-1.16.4-x64-mingw32.gem
d86d21bae47dd9f6f5223055e45d33fae08b0b89aad94cbc0ece4f4274fa7af5  nokogiri-1.16.4-x86-linux.gem
d488b872884844686780fda7cf5da44ee884d32faa713a55aeb4736d76718168  nokogiri-1.16.4-x86-mingw32.gem
a896e52a56951ffb0e6a9279afbf485d683e357a053d27f4cfcb2a73b0824628  nokogiri-1.16.4-x86_64-darwin.gem
92ff4f09910255fec84b3bc4c4b182e94cada3ed12b9f7a6ea058e0af186fb31  nokogiri-1.16.4-x86_64-linux.gem
62c116c3a14b4ed4e1faec786da266c4bd4c717a0bd04a9916164a7046040f45  nokogiri-1.16.4.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ racc (indirect, 1.7.3 → 1.8.0) · Repo · Changelog

Release Notes

1.8.0

What's Changed

• Generate jar to build gem by @nobu in #255
• Fix trivial typos by @ydah in #257
• Try to fix test failure with Ruby 3.3 by @hsbt in #260
• Reformat the rdoc so it renders correctly both locally and on github. by @zenspider in #258
• Allow racc cmdline to read from stdin if no path specified. by @zenspider in #259
• Add more grammars by @nurse in #222
• Exclude 2.5 on macos-latest by @nobu in #263
• Drop code for Ruby 1.6 by @nobu in #264
• Refactor command line options by @nobu in #265
• Change encode EUC-JP to UTF-8 by @ydah in #267
• Organize README.ja.rdoc by @ydah in #266
• Support error_on_expect_mismatch declaration in Racc grammar file by @yui-knk in #262
• Bump up v1.8.0 by @yui-knk in #268

New Contributors

• @ydah made their first contribution in #257
• @nurse made their first contribution in #222

Full Changelog: v1.7.3...v1.8.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rake (indirect, 13.2.0 → 13.2.1) · Repo · Changelog

Release Notes

13.2.1

What's Changed

• Suppressed "internal:array:52:in 'Array#each'" from backtrace by @hsbt in #554
• Bump actions/configure-pages from 4 to 5 by @dependabot in #553

Full Changelog: v13.2.0...v13.2.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.6.13 → 2.6.15) · Repo · Changelog

Release Notes

2.6.15 (from changelog)

• Internal improvements.

2.6.14 (from changelog)

• Implements Zeitwerk::Loader#all_expected_cpaths, which returns a hash that maps the absolute paths of the files and directories managed by the receiver to their expected constant paths.

  Please, check its documentation for further details.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[coveralls]

coverage: 98.313%. remained the same
when pulling 07084c7 on depfu/update/group/rails-7.0.8.4
into 5aa22e3 on main.

[depfu]

Closing because this update has already been applied