🚨 [security] Update rails: 5.2.1 → 5.2.1.1 (minor)

[depfu]

---

🚨 Your version of rails has known security vulnerabilities 🚨

Advisory: CVE-2018-16476
Disclosed: November 27, 2018
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

ActiveJob/ActiveStorage vulnerabilities

There is a vulnerability in Active Job. This vulnerability has been
assigned the CVE identifier CVE-2018-16476.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

Impact

Carefully crafted user input can cause Active Job to deserialize it using GlobalId
and allow an attacker to have access to information that they should not have.

Vulnerable code will look something like this:

MyJob.perform_later(user_input)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

---

There is a vulnerability in Active Storage. This vulnerability has been
assigned the CVE identifier CVE-2018-16477.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 5.2.1.1

Impact

Signed download URLs generated by ActiveStorage for Google Cloud Storage
service and Disk service include content-disposition and content-type
parameters that an attacker can modify. This can be used to upload specially
crafted HTML files and have them served and executed inline. Combined with
other techniques such as cookie bombing and specially crafted AppCache manifests,
an attacker can gain access to private signed URLs within a specific storage path.

Vulnerable apps are those using either GCS or the Disk service in production.
Other storage services such as S3 or Azure aren't affected.

All users running an affected release should either upgrade or use one of the
workarounds immediately. For those using GCS, it's also recommended to run the
following to update existing blobs:

ActiveStorage::Blob.find_each do |blob|
  blob.send :update_service_metadata
end

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (5.2.1 → 5.2.1.1) · Repo

Commits

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 5.2.1.1 release
• Do not deserialize GlobalID objects that were not generated by Active Job

↗️ actioncable (indirect, 5.2.1 → 5.2.1.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 5.2.1.1 release
• Do not deserialize GlobalID objects that were not generated by Active Job

↗️ actionmailer (indirect, 5.2.1 → 5.2.1.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 5.2.1.1 release
• Do not deserialize GlobalID objects that were not generated by Active Job

↗️ actionpack (indirect, 5.2.1 → 5.2.1.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 5.2.1.1 release
• Do not deserialize GlobalID objects that were not generated by Active Job

↗️ actionview (indirect, 5.2.1 → 5.2.1.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 5.2.1.1 release
• Do not deserialize GlobalID objects that were not generated by Active Job

↗️ activejob (indirect, 5.2.1 → 5.2.1.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 5.2.1.1 release
• Do not deserialize GlobalID objects that were not generated by Active Job

↗️ activemodel (indirect, 5.2.1 → 5.2.1.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 5.2.1.1 release
• Do not deserialize GlobalID objects that were not generated by Active Job

↗️ activerecord (indirect, 5.2.1 → 5.2.1.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 5.2.1.1 release
• Do not deserialize GlobalID objects that were not generated by Active Job

↗️ activestorage (indirect, 5.2.1 → 5.2.1.1) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ activesupport (indirect, 5.2.1 → 5.2.1.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 5.2.1.1 release
• Do not deserialize GlobalID objects that were not generated by Active Job

↗️ concurrent-ruby (indirect, 1.0.5 → 1.1.3) · Repo · Changelog

Release Notes

1.1.0

concurrent-ruby:

• requires at least Ruby 2.0
• Promises
  are moved from concurrent-ruby-edge to concurrent-ruby
• Add support for TruffleRuby
  • (#734) Fix Array/Hash/Set construction broken on TruffleRuby
  • AtomicReference fixed
• fixed documentation and README links
• fix Set for TruffleRuby and Rubinius
• CI stabilization
• remove sharp dependency edge -> core
• remove warnings
• documentation updates
• Exchanger is no longer documented as edge since it was already available in
  concurrent-ruby
• (#644) Fix Map#each and #each_pair not returning enumerator outside of MRI
• (#659) Edge promises fail during error handling
• (#741) Raise on recursive Delay#value call
• (#727) #717 fix global IO executor on JRuby
• (#740) Drop support for CRuby 1.9, JRuby 1.7, Rubinius.
• (#737) Move AtomicMarkableReference out of Edge
• (#708) Prefer platform specific memory barriers
• (#735) Fix wrong expected exception in channel spec assertion
• (#729) Allow executor option in Promise#then
• (#725) fix timeout check to use timeout_interval
• (#719) update engine detection
• (#660) Add specs for Promise#zip/Promise.zip ordering
• (#654) Promise.zip execution changes
• (#666) Add thread safe set implementation
• (#651) #699 #to_s, #inspect should not output negative object IDs.
• (#685) Avoid RSpec warnings about raise_error
• (#680) Avoid RSpec monkey patching, persist spec results locally, use RSpec
  v3.7.0
• (#665) Initialize the monitor for new subarrays on Rubinius
• (#661) Fix error handling in edge promises

concurrent-ruby-edge:

• (#659) Edge promises fail during error handling
• Edge files clearly separated in lib-edge
• added ReInclude
• add Promises.zip_futures_over_on

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.1.0 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1

• Expose translations with an option to perform initialization (if it hasn't been done already) (#353 / #254)
• Removed un-used Kernel core extension #436
• Added project metadata for RubyGems #434

Commits

See the full diff on Github. The new version differs by 11 commits:

• Bump to 1.1.1
• Update README with usage information in Ruby
• Merge pull request #436 from dduugg/rm-kernel-ext
• rm Kernel core_ext
• Merge pull request #434 from orien/rubygems-project-metadata
• Add project metadata to the gemspec
• Merge pull request #433 from BanzaiMan/patch-1
• Update Ruby 2.4.x and 2.5.x run times
• Merge pull request #353 from PikachuEXE/feature/change-translations-behaviour
• Add 'Maintained by' notice to README
• * Expose translations with option to perform initalization

↗️ loofah (indirect, 2.2.2 → 2.2.3) · Repo · Changelog

Release Notes

2.2.3

Notably, this release addresses CVE-2018-16468.

Commits

See the full diff on Github. The new version differs by 5 commits:

• version bump to v2.2.3 and update CHANGELOG
• remove the svg animate attribute `from` from the allowlist
• add formatting to CHANGELOG
• updated mailing list to a new Google Group
• extract msword html data into an asset file

↗️ mail (indirect, 2.7.0 → 2.7.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 20 commits:

• 2.7.1 release
• additionally register UnixToUnix encoding as 'x-uue'
• IMAP: fix `delete_all` against a readonly connection
• Format generated ruby files by ragel using rufo gem
• Set full path of the ragel source file to rake task
• Perform `gem install bundler` to address `LoadError: cannot load such
• Fix 7bit/base64 content transfer encoding mismatch
• 2.7.1.rc1 release candidate
• Restore LF line ending parsing
• Fix quote_token with frozen AS::Multibyte chars
• CI: test against Rails 5.x for Rubies older than 2.4.1 since Rails 6 requires 2.4.1+
• Fix token quoting with UTF-8 attributes
• Expose `Mail::Field#unparsed_value` to read raw fields
• CI: track current jruby release (9.1.15.0)
• CI: test against Ruby 2.5.x
• Fix parsing boundary containing "=" within invalid Content-Type
• Fix transfer encoding when message encoding is blank
• restore LF->CRLF conversion for properly encoded non-binary messages
• Fix performance downgrade with Mail::Utilities.to_crlf/to_lf
• Stable branch for 2.7.x releases

↗️ marcel (indirect, 0.3.2 → 0.3.3) · Repo

Release Notes

0.3.3

• Shush Ruby interpreter warnings (#6)
• Exclude test files from published gem to shrink it from 7.5 MB to 7.5 KB (#11)

Commits

See the full diff on Github. The new version differs by 10 commits:

• v0.3.3
• Merge pull request #11 from huacnlee/fix-test-file-including-rubygem
• Gemspec ignore test files for reduce gem size from 7.5MB to 7.5KB
• Merge pull request #8 from junaruga/feature/text-typo-file-names
• Suppress warnings when running "gem build marcel.gemspec"
• Merge pull request #7 from junaruga/hotfix/test-require-pathname
• Require pathname to run tests without Bundler.
• Fix "warning: `&' interpreted as argument prefix"
• CI: fix 2.5.0 builds broken by incompatible Bundler/RubyGems
• Add ruby-head on Travis CI.

↗️ method_source (indirect, 0.9.0 → 0.9.2) · Repo

Commits

See the full diff on Github. The new version differs by 12 commits:

• Merge pull request #55 from banister/release-0-9-2
• Release v0.9.2
• Merge pull request #54 from banister/52-jruby-patch-removal
• Revert "method_source: fix broken Procs on JRuby 9.2.0.0"
• bump version number to 0.9.1
• Merge pull request #51 from kyrylo/jruby-9200-fix
• method_source: fix broken Procs on JRuby 9.2.0.0
• Merge pull request #50 from mensfeld/master
• remove gemfile lock
• license for the gemspec
• tweaks to .travis.yml
• Run rake gemspec task to bump gemspec data (incl version number)

↗️ nokogiri (indirect, 1.8.4 → 1.8.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 11 commits:

• version bump to v1.8.5
• update changelog
• Merge branch 'fix-1773'
• Organize imports in XmlNode.java.
• Allow reparenting nodes to be a child of an empty document.
• Merge pull request #1786 from sparklemotion/1785-canonical-usns
• pull in upstream libxml2 patches
• changelog
• changelog
• remove `-Wextra` CFLAG
• add tests for pkg-config failure scenario

↗️ rack (indirect, 2.0.5 → 2.0.6) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 5 commits:

• Bumping version for release
• Whitelist http/https schemes
• Reduce buffer size to avoid pathological parsing
• Merge tag '2.0.5' into 2-0-stable
• Merge pull request #1296 from tomelm/fix-prefers-plaintext

↗️ railties (indirect, 5.2.1 → 5.2.1.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• Preparing for 5.2.1.1 release
• Do not deserialize GlobalID objects that were not generated by Active Job

↗️ thor (indirect, 0.20.0 → 0.20.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 73 commits:

• Prepare to 0.20.3
• Merge pull request #637 from y-yagi/add_care_of_old_did_you_mean
• Add care about old version of `did_you_mean`
• Prepare to 0.20.2 release
• Merge pull request #636 from y-yagi/fixes_build
• Remove the globally installed gem by rvm
• Run command with bundle exec
• Make sure did_you_mean feature works when the gem is available
• Prepare to 0.20.1 release
• Merge pull request #630 from kddeisz/did-you-mean
• Merge pull request #628 from deivid-rodriguez/abort_on_failure
• Merge pull request #629 from deivid-rodriguez/fix_warnings
• Fix up keyword argument usage in did_you_mean for ruby 1.8
• Fix up did_you_mean on older ruby versions
• Support did-you-mean functionality in thor
• Fix "warning: setting Encoding.default_external"
• Add `abort_on_failure` option to #run action
• Remove unused stuff
• Fix "warning: assigned but unused variable - junk"
• Merge pull request #616 from Choms/master
• Re-add version
• Merge pull request #623 from marcandre/remove_dup
• Remove duplicate option creation in spec
• Delete version.rb
• Merge pull request #620 from MaxLap/fix-invalid-path-display
• Fix relative_to_original_destination_root and better tests
• Remove the root path from the absolute path only once
• Merge pull request #618 from MaxLap/fix_check_unknown
• Merge pull request #589 from pocke/correct-lineno
• Fix check_unknown_options! when parsing gets stopped
• Fix indent calculation
• Small change to use more of the terminal size
• Fix print_wrapped to properly parse "\x5" newline character
• Merge pull request #610 from deivid-rodriguez/skip_exit_status_specs_on_1.8.7
• Document possible attack vector on `get`
• Merge pull request #611 from bosoxbill/doc-for-cve-2016-10545
• Add open-uri reference
• Add language about how not to use Thor
• Skip exit status specs on 1.8.7
• Merge pull request #578 from jmax315/master
• Merge pull request #608 from y-yagi/fix_typo_in_inject_into_module_test
• Fix typo in `inject_into_module` test
• Merge pull request #605 from y-yagi/add_merge_action_to_file_collision
• Merge pull request #606 from y-yagi/remove_gemnasium_badge
• Remove Gemnasium badge
• Merge pull request #604 from y-yagi/test_against_latest_rubies
• Add `merge` action to file colision menu
• Test against latest Rubies
• Merge pull request #600 from jonathanhefner/fix-comment-regex
• Merge pull request #601 from pallan/patch-1
• Updates method documentation for ask
• Fix comment_lines regexp
• Merge pull request #599 from utilum/identifiy_future_ERB_versions
• Make sure future versions of ERB are invoked appropriately
• Merge pull request #594 from koic/deprecate_safe_level_of_erb_new_in_ruby_2_6
• Merge pull request #598 from yahonda/diag595
• Address #595 by duplicating string objects
• Deprecate safe_level of ERB.new in Ruby 2.6
• Use correct line numbers for `class_eval` and `module_eval` methods
• Merge pull request #586 from hsbt/fix-misspell
• Fixed misspelling words.
• Merge pull request #584 from lostapathy/bump_travis_versions
• Merge pull request #583 from lostapathy/fix_travis
• update ruby version in travis config
• lock hashdiff to <0.3.6 to fix travis
• Fix incorrect use of Process::exit. This fixes open issue #244.
• Merge pull request #576 from sshaw/master
• require open-uri when loading http template
• Merge pull request #572 from sschuberth/master
• Introduce a constant for the default terminal width
• Merge pull request #568 from segiddins/seg-hash-fetch-tests
• Add more tests for HashWithIndifferentAccess#fetch
• Release should use invoke not execute

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #15.