🚨 [security] Update rails 7.0.8.1 → 7.0.8.4 (patch)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (7.0.8.1 → 7.0.8.4) · Repo

Release Notes

7.0.8.2

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• Upgrade Trix to 1.3.2 to fix CVE-2024-34341.

  Rafael Mendonça França

Railties

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailbox (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

↗️ actionmailer (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Security Advisories 🚨

🚨 Missing security headers in Action Pack on non-HTML responses

Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses
with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0
Not affected: < 6.1.0
Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the supported release series in accordance with our
maintenance policy
regarding security issues. They are in git-am format and consist of a
single changeset.

• 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
• 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
• 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

Release Notes

7.0.8.4 (from changelog)

• Include the HTTP Permissions-Policy on non-HTML Content-Types [CVE-2024-28103]

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actiontext (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Security Advisories 🚨

🚨 Trix Editor Arbitrary Code Execution Vulnerability

The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application.

Vulnerable Versions:

• 1.x series up to and including 1.3.1
• 2.x series up to and including 2.1.0

Fixed Versions:

• v1.3.2
• v2.1.1

Vector:

• Bug 1: When copying content manipulated by a script, such as:

document.addEventListener('copy', function(e){
  e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>');
  e.preventDefault();
});

and pasting into the Trix editor, the script within the content is executed.

• Bug 2: Similar execution occurs with content structured as:

document.write(`copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=alert(101)&gt;HELLO123&quot;}"></div>me`);

Impact:

An attacker could exploit these vulnerabilities to execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Remediation:

Update Recommendation: Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.

CSP Enhancement: Additionally, enhancing the Content Security Policy (CSP) to disallow inline scripts can significantly mitigate the risk of such vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

References:

• https://github.com/basecamp/trix/releases/tag/v2.1.1
• basecamp/trix#1147
• basecamp/trix#1149
• basecamp/trix#1153

Credit: These issues were reported by security researchers loknop and pinpie.

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• Fix vendored trix.css to be correct file.

  Hartley McGuire

7.0.8.2 (from changelog)

• Upgrade Trix to 1.3.2 to fix CVE-2024-34341.

  Rafael Mendonça França

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.2.3 → 1.3.1) · Repo · Changelog

Release Notes

1.3.1

This release is essentially v1.3.0, but with a properly packaged gem. There was an issue publishing v1.3.0 and that gem needed to be yanked to avoid breaking downstream projects. The v1.3.0 changelog is reproduced below.

What's Changed

• Add Concurrent.usable_processor_count that is cgroups aware by @casperisfine in #1038
• Align Java Executor Service behavior for shuttingdown?, shutdown? by @bensheldon in #1042

New Contributors

• @dependabot made their first contribution in #1028
• @kkohrt made their first contribution in #1037

Full Changelog: v1.2.3...v1.3.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.14.1 → 1.14.5) · Repo · Changelog

Release Notes

1.14.5

What's Changed

• Explicitly bundle racc gem for Ruby 3.3+ by @amatsuda in #690
• Optimize I18n::Locale::Fallbacks#[] for recursive locale mappings by @uiur in #692
• Add I18n.interpolation_keys by @tom-lord in #682
• Fix syntax in documentation for I18n::Backend::Base.interpolate by @tom-lord in #691
• Fix that escaped interpolations with reserved keywords raised ReservedInterpolationKey by @Bilka2 in #688

New Contributors

• @uiur made their first contribution in #692
• @tom-lord made their first contribution in #682
• @Bilka2 made their first contribution in #688

Full Changelog: v1.14.4...v1.14.5

1.14.4

What's Changed

Note: the racc dependency will be coming back in Version 2.

• undo strict racc dependency on this branch by @radar in #687

Full Changelog: v1.14.3...v1.14.4

1.14.3

What's Changed

• Pass options to along to exists? super calls by @radar in #671
• Improve TOKENIZER by 23% by @kbrock in #668
• Regex part deux - INTERPOLATION_SYNTAX by @kbrock in #669
• Raise when translated entry contains interpolations for reserved keywords and no substitutions provided by @fatkodima in #678
• Implement Fallbacks#inspect and Fallbacks#empty? by @fatkodima in #683

Upkeep

• Update mocha gem by @fatkodima in #677
• Update workflows by @yykamei in #684

New Contributors

• @kbrock made their first contribution in #668

Full Changelog: v1.14.1...v1.14.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ marcel (indirect, 1.0.2 → 1.0.4) · Repo

Release Notes

1.0.4

What's Changed

• Regression fix: binary declared type should fall back to filename extension type by @jeremy in #99

Full Changelog: v1.0.3...v1.0.4

1.0.3

What's Changed

• Prefer audio/ogg instead of audio/vorbis by @gmcgibbon in #65
• Suppress warning by @wonda-tea-coffee in #69
• Add explanation of MimeType.for's handling of argument types by @elebow in #68
• tables.rb: Generate UTF-8 strings when possible. by @casperisfine in #70
• Remove comment strings from Tables::TYPE by @casperisfine in #71
• Store MIME parents in a distinct Hash by @casperisfine in #72
• Fix magic detection for HTML with <svg by @ursm in #74
• Update gem name in Gemfile by @elebow in #88
• Move to GitHub Actions by @hahmed in #82
• Add note in README how to extend detection of custom file types by @vipulnsward in #93
• Fix Illustrator detection as application/pdf instead of application/illustrator by @jeremy in #94

New Contributors

• @wonda-tea-coffee made their first contribution in #69
• @elebow made their first contribution in #68
• @casperisfine made their first contribution in #70
• @ursm made their first contribution in #74
• @hahmed made their first contribution in #82
• @vipulnsward made their first contribution in #93
• @jeremy made their first contribution in #94

Full Changelog: v1.0.2...v1.0.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ method_source (indirect, 1.0.0 → 1.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.8.6 → 2.8.7) · Repo · Changelog

Release Notes

2.8.7

2.8.7 / 2024-05-31

Added

• When setting the C compiler through the MiniPortile constructor, the preferred keyword argument is now :cc_command. The original :gcc_command is still supported. (#144 by @flavorjones)
• Add support for extracting xz-compressed tarballs on OpenBSD. (#141 by @postmodern)
• Add OpenBSD support to the experimental method MakeMakefile#mkmf_config. (#141 by @flavorjones)

Changed

• MiniPortileCMake now detects the C and C++ compiler the same way MiniPortile does: by examining environment variables, then using kwargs, then looking in RbConfig (in that order). (#144 by @flavorjones)
• GPG file verification error messages are captured in the raised exception. Previously these errors went to stderr. (#145 by @flavorjones)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.22.2 → 5.23.1) · Repo · Changelog

Release Notes

5.23.1 (from changelog)

• 1 bug fix:

  • Fully qualify the Queue class to avoid conflicts with other libraries. (rafaelfranca)

5.23.0 (from changelog)

• 3 minor enhancements:

  • Added -Werror to raise on any warning output. (byroot)

  • Added UnexpectedWarning as a failure summary type, added count to output if activated.

  • Added minitest/manual_plugins.rb w/ new Minitest.load method. (tenderlove)

• 2 bug fixes:

  • Allow empty_run! and reporter to display summary for empty runs. (zzak)

  • Make test task verbose using either rake’s -v or -t (was just -t).

5.22.3 (from changelog)

• 1 minor enhancement:

  • MASSIVE improvement of minitest’s pride plugin output: Frequencies doubled! Sine waves shifted!! Comments improved!!! Colors rotated!!!! (havenwood)

• 3 bug fixes:

  • Improved wording on Minitest::Test#parallelize_me! to clarify it goes INSIDE your test class/describe.

  • Minor changes to tests to pass when tests ran with extra flags (eg -p).

  • Support Ruby 3.4’s new error message format. (mame)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ net-imap (indirect, 0.4.10 → 0.4.12) · Repo

Release Notes

0.4.12

What's Changed

• 📚 Fix many rdoc spelling mistakes by @nevans in #279
• 📦 Update workflow with configure_trusted_publisher by @nevans in #280
• 🔍 Simplify handling of ResponseParser test failures by @nevans in #281
• ⬆️ Bump step-security/harden-runner from 2.7.1 to 2.8.0 by @dependabot in #289
• Clarify the license of net-imap by @shugo in #275

Full Changelog: v0.4.11...v0.4.12

0.4.11

What's Changed

Server workarounds

• Consider extra empty space in BODYSTRUCTURE by @gaynetdinov in #271

Miscellaneous

• 🐛 Fix parser benchmarks generation by @nevans in #266
• ✅ Add basic test for SEARCH / UID SEARCH command by @nevans in #267
• 📧 Update gem email address and git mailmap by @nevans in #264
• ✅ Update Github test workflow name by @nevans in #268
• ⬆️ Bump actions/configure-pages from 4 to 5 by @dependabot in #270
• 🔧🔒 Configure RubyGems Trusted Publishing by @nevans in #265

New Contributors

• @gaynetdinov made their first contribution in #271

Full Changelog: v0.4.10...v0.4.11

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ net-smtp (indirect, 0.4.0.1 → 0.5.0) · Repo · Changelog

Release Notes

0.5.0

What's Changed

• Allow case-insensitive strings for SASL mechanism by @nevans in #64
• Remove unused private auth_method by @nevans in #67
• Delegate checking auth args to the authenticator by @nevans in #73
• Make #auth_capable? public by @nevans in #63
• Updated docs, especially TLS and SASL-related by @nevans in #66
• Renew test certificates by @sorah in #75
• Fix version extraction to work with non ASCII characters with any LANG by @kateinoigakukun in #76
• Replace non-ASCII EM DASH (U+2014) with ASCII hyphen (U+002D) by @kateinoigakukun in #78
• Use reusing workflow for Ruby versions by @m-nakamura145 in #79
• Add XOAUTH2 authenticator by @mantas in #80
• Make the test suite compatible with --enable-frozen-string-literal by @casperisfine in #81
• version 0.5.0 by @tmtm in #82

New Contributors

• @sorah made their first contribution in #75
• @kateinoigakukun made their first contribution in #76
• @m-nakamura145 made their first contribution in #79
• @mantas made their first contribution in #80
• @casperisfine made their first contribution in #81

Full Changelog: v0.4.0.1...v0.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.7.1 → 2.7.3) · Repo · Changelog

Release Notes

2.7.2 (from changelog)

• Modernize gem (list all authors, etc).
• Drop official support for Ruby 2.4.
• Fix JRuby release version.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ racc (indirect, 1.7.3 → 1.8.0) · Repo · Changelog

Release Notes

1.8.0

What's Changed

• Generate jar to build gem by @nobu in #255
• Fix trivial typos by @ydah in #257
• Try to fix test failure with Ruby 3.3 by @hsbt in #260
• Reformat the rdoc so it renders correctly both locally and on github. by @zenspider in #258
• Allow racc cmdline to read from stdin if no path specified. by @zenspider in #259
• Add more grammars by @nurse in #222
• Exclude 2.5 on macos-latest by @nobu in #263
• Drop code for Ruby 1.6 by @nobu in #264
• Refactor command line options by @nobu in #265
• Change encode EUC-JP to UTF-8 by @ydah in #267
• Organize README.ja.rdoc by @ydah in #266
• Support error_on_expect_mismatch declaration in Racc grammar file by @yui-knk in #262
• Bump up v1.8.0 by @yui-knk in #268

New Contributors

• @ydah made their first contribution in #257
• @nurse made their first contribution in #222

Full Changelog: v1.7.3...v1.8.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 2.2.8.1 → 2.2.9) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 7.0.8.1 → 7.0.8.4) · Repo · Changelog

Release Notes

7.0.8.4 (from changelog)

• No changes.

7.0.8.3 (from changelog)

• No changes.

7.0.8.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rake (indirect, 13.1.0 → 13.2.1) · Repo · Changelog

Release Notes

13.2.1

What's Changed

• Suppressed "internal:array:52:in 'Array#each'" from backtrace by @hsbt in #554
• Bump actions/configure-pages from 4 to 5 by @dependabot in #553

Full Changelog: v13.2.0...v13.2.1

13.2.0

What's Changed

• Fix rule example to be correct by @zenspider in #525
• Switch to use test-unit by @hsbt in #536
• Removed redundant block by @hsbt in #537
• Use Struct instead of OpenStruct. by @hsbt in #545
• Accept FileList object as directory task's target by @gemmaro in #530
• Fix exception when exception has nil backtrace by @janbiedermann in #451
• Add TruffleRuby on CI by @andrykonchin in #551

New Contributors

• @zenspider made their first contribution in #525
• @gemmaro made their first contribution in #530
• @janbiedermann made their first contribution in #451
• @andrykonchin made their first contribution in #551

Full Changelog: v13.1.0...v13.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 1.3.0 → 1.3.1) · Repo · Changelog

Release Notes

1.3.1

What's Changed

• Preserve Correct Indentation When Uncommenting Lines by @viktorianer in #873
• Document the '--skip-' option for boolean options. by @andrewn617 in #876

New Contributors

• @takmar made their first contribution in #865
• @m-nakamura145 made their first contribution in #866
• @cprodhomme made their first contribution in #863
• @ancao90 made their first contribution in #872
• @viktorianer made their first contribution in #873
• @andrewn617 made their first contribution in #876

Full Changelog: v1.3.0...v1.3.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.6.13 → 2.6.15) · Repo · Changelog

Release Notes

2.6.15 (from changelog)

• Internal improvements.

2.6.14 (from changelog)

• Implements Zeitwerk::Loader#all_expected_cpaths, which returns a hash that maps the absolute paths of the files and directories managed by the receiver to their expected constant paths.

  Please, check its documentation for further details.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)