EventideSystems / tool_for_systemic_change

GNU Affero General Public License v3.0

Resolve CVEs / security vulnerabilities [August 2023] #892

Closed ferrisoxide closed 1 year ago

ferrisoxide commented 1 year ago

Describe the task

Cumulative security patch required for the Wicked Lab app.

Patch vulnerabilities and release an update.

Additional Notes

Reported CVEs

Name: activesupport
Version: 7.0.5.1
CVE: CVE-2023-38037
GHSA: GHSA-cr5q-6q9f-rq6q
Criticality: Unknown
URL: https://github.com/rails/rails/releases/tag/v7.0.7.1
Title: Possible File Disclosure of Locally Encrypted Files
Solution: upgrade to '~> 6.1.7, >= 6.1.7.5', '>= 7.0.7.1'

Name: puma
Version: 5.6.5
CVE: CVE-2023-40175
GHSA: GHSA-68xg-gqqm-vgj8
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8
Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma
Solution: upgrade to '~> 5.6.7', '>= 6.3.1'

Name: uri
Version: 0.12.1
CVE: CVE-2023-36617
GHSA: GHSA-hww2-5g85-429m
Criticality: Medium
URL: https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
Title: ReDoS vulnerability in URI
Solution: upgrade to '~> 0.10.0.3', '~> 0.10.3', '~> 0.11.2', '>= 0.12.2'

Vulnerabilities found!
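The "Solution" lines in the report above are easy to misread: each quoted range is an alternative patched series ('~> 5.6.7', '>= 6.3.1' means stay on 5.6.x at 5.6.7 or later, or move to 6.3.1 or later), while constraints inside one quoted range ('~> 6.1.7, >= 6.1.7.5') are ANDed. The script below is an added example, not code from this repository or from bundler-audit: it transcribes the three advisories from the report, parses a constructed Gemfile.lock fragment pinned at the reported versions, and flags any gem whose pinned version falls in none of its patched ranges, using Gem::Version and Gem::Requirement from the Ruby standard library. The lockfile text and the patched variant of it are constructed for illustration.

```ruby
require "rubygems"

# Added example (not the project's own code): the advisory table below is
# transcribed from the bundler-audit report in this issue; each "patched"
# entry is one quoted range from the report's "Solution" line.
ADVISORIES = {
  "activesupport" => { cve: "CVE-2023-38037", patched: ["~> 6.1.7, >= 6.1.7.5", ">= 7.0.7.1"] },
  "puma"          => { cve: "CVE-2023-40175", patched: ["~> 5.6.7", ">= 6.3.1"] },
  "uri"           => { cve: "CVE-2023-36617",
                       patched: ["~> 0.10.0.3", "~> 0.10.3", "~> 0.11.2", ">= 0.12.2"] },
}.freeze

# Constructed Gemfile.lock fragment pinned at the vulnerable versions reported.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.0.5.1)
        concurrent-ruby (~> 1.0, >= 1.0.2)
      puma (5.6.5)
        nio4r (~> 2.0)
      uri (0.12.1)
LOCK

# The same fragment after a conservative patch-level bump (also constructed).
PATCHED_LOCKFILE = SAMPLE_LOCKFILE
  .sub("activesupport (7.0.5.1)", "activesupport (7.0.7.1)")
  .sub("puma (5.6.5)", "puma (5.6.7)")
  .sub("uri (0.12.1)", "uri (0.12.2)")

# One Gem::Requirement per quoted range. Gem::Requirement ANDs every
# constraint it is given, which is exactly the semantics of the commas
# inside a single quoted range; the alternatives between ranges are
# handled by patched? below.
def patched_requirements(name)
  ADVISORIES.fetch(name)[:patched].map { |range| Gem::Requirement.new(range.split(/,\s*/)) }
end

# true if the version satisfies any patched range, false if it is still
# vulnerable, nil when the gem has no entry in the advisory table.
def patched?(name, version)
  return nil unless ADVISORIES.key?(name)
  v = Gem::Version.new(version)
  patched_requirements(name).any? { |req| req.satisfied_by?(v) }
end

# Gemfile.lock lists top-level specs at four-space indent as "name (version)";
# deeper-indented lines are dependency constraints, not pinned versions.
def locked_versions(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, versions|
    if (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/))
      versions[m[1]] = m[2]
    end
  end
end

# Returns the gems in the lockfile whose pinned version is in no patched range.
def audit(lockfile_text)
  locked_versions(lockfile_text).filter_map do |name, version|
    next if patched?(name, version) != false
    { name: name, version: version, cve: ADVISORIES[name][:cve],
      patched: ADVISORIES[name][:patched] }
  end
end

if __FILE__ == $PROGRAM_NAME
  findings = audit(SAMPLE_LOCKFILE)
  findings.each do |f|
    puts "#{f[:name]} #{f[:version]} vulnerable (#{f[:cve]}); patched: #{f[:patched].join(' or ')}"
  end
  puts(findings.empty? ? "No vulnerabilities found" : "Vulnerabilities found!")
end
```

Run it against a real Gemfile.lock by replacing SAMPLE_LOCKFILE with File.read("Gemfile.lock"). The check is deliberately strict about what counts as patched: puma 6.0.0, for instance, is newer than 5.6.5 but sits in neither '~> 5.6.7' nor '>= 6.3.1', so a bump that lands there is still reported.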
ferrisoxide commented 1 year ago

DEV NOTE

Post-patch, executed bundle audit --update. Results:

Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db:
  advisories:   804 advisories
  last updated: 2023-08-26 05:18:27 -0700
  commit:       4c7e82e53da8a025ba75c934d19092282fd53b11
No vulnerabilities found
ferrisoxide commented 1 year ago

@emily-humphreys @SishaMish This is on staging and ready for a smoke test. If no-one has a chance I'll test it myself this morning and then apply the patch to production.

ferrisoxide commented 1 year ago

@emily-humphreys @SishaMish I've run a basic smoke test (creating new transition cards, updating checklist items, running reports). I'm comfortable that the system is running correctly and am about to apply the security patch to production (I've tested the same patch in other applications).

Closing.

emily-humphreys commented 1 year ago

Thank you!

Just need to check importing as well which I’ll do today

Thanks 🙏

On Sun, 27 Aug 2023 at 9:38 am, Tom Tuddenham wrote: