search

SUSE / rmt

RPM repository mirroring tool and registration proxy for SUSE Customer Center.
Other
37 stars 46 forks source link

🚨 [security] Update railties 6.1.7.7 → 6.1.7.8 (patch) #1166

Closed depfu[bot] closed 4 weeks ago

depfu[bot] commented 1 month ago

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ railties (6.1.7.7 → 6.1.7.8) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

✳️ actionpack (6.1.7.7 → 6.1.7.8) · Repo · Changelog

Security Advisories 🚨

🚨 Missing security headers in Action Pack on non-HTML responses

Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses
with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0
Not affected: < 6.1.0
Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the supported release series in accordance with our
maintenance policy
regarding security issues. They are in git-am format and consist of a
single changeset.

  • 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
  • 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
  • 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

Commits

See the full diff on Github. The new version differs by 4 commits:

✳️ actionview (6.1.7.7 → 6.1.7.8) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

✳️ activemodel (6.1.7.7 → 6.1.7.8) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

✳️ activerecord (6.1.7.7 → 6.1.7.8) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

✳️ activesupport (6.1.7.7 → 6.1.7.8) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ concurrent-ruby (indirect, 1.2.3 → 1.3.1) · Repo · Changelog

Release Notes

1.3.1

This release is essentially v1.3.0, but with a properly packaged gem. There was an issue publishing v1.3.0 and that gem needed to be yanked to avoid breaking downstream projects. The v1.3.0 changelog is reproduced below.

What's Changed

  • Add Concurrent.usable_processor_count that is cgroups aware by @casperisfine in #1038
  • Align Java Executor Service behavior for shuttingdown?, shutdown? by @bensheldon in #1042

New Contributors

Full Changelog: v1.2.3...v1.3.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

↗️ i18n (indirect, 1.14.1 → 1.14.5) · Repo · Changelog

Release Notes

1.14.5

What's Changed

  • Explicitly bundle racc gem for Ruby 3.3+ by @amatsuda in #690
  • Optimize I18n::Locale::Fallbacks#[] for recursive locale mappings by @uiur in #692
  • Add I18n.interpolation_keys by @tom-lord in #682
  • Fix syntax in documentation for I18n::Backend::Base.interpolate by @tom-lord in #691
  • Fix that escaped interpolations with reserved keywords raised ReservedInterpolationKey by @Bilka2 in #688

New Contributors

Full Changelog: v1.14.4...v1.14.5

1.14.4

What's Changed

Note: the racc dependency will be coming back in Version 2.

  • undo strict racc dependency on this branch by @radar in #687

Full Changelog: v1.14.3...v1.14.4

1.14.3

What's Changed

  • Pass options to along to exists? super calls by @radar in #671
  • Improve TOKENIZER by 23% by @kbrock in #668
  • Regex part deux - INTERPOLATION_SYNTAX by @kbrock in #669
  • Raise when translated entry contains interpolations for reserved keywords and no substitutions provided by @fatkodima in #678
  • Implement Fallbacks#inspect and Fallbacks#empty? by @fatkodima in #683

Upkeep

New Contributors

Full Changelog: v1.14.1...v1.14.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 47 commits:

↗️ method_source (indirect, 1.0.0 → 1.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 11 commits:

↗️ racc (indirect, 1.7.3 → 1.8.0) · Repo · Changelog

Release Notes

1.8.0

What's Changed

  • Generate jar to build gem by @nobu in #255
  • Fix trivial typos by @ydah in #257
  • Try to fix test failure with Ruby 3.3 by @hsbt in #260
  • Reformat the rdoc so it renders correctly both locally and on github. by @zenspider in #258
  • Allow racc cmdline to read from stdin if no path specified. by @zenspider in #259
  • Add more grammars by @nurse in #222
  • Exclude 2.5 on macos-latest by @nobu in #263
  • Drop code for Ruby 1.6 by @nobu in #264
  • Refactor command line options by @nobu in #265
  • Change encode EUC-JP to UTF-8 by @ydah in #267
  • Organize README.ja.rdoc by @ydah in #266
  • Support error_on_expect_mismatch declaration in Racc grammar file by @yui-knk in #262
  • Bump up v1.8.0 by @yui-knk in #268

New Contributors

Full Changelog: v1.7.3...v1.8.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

↗️ rack (indirect, 2.2.8.1 → 2.2.9) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ rake (indirect, 13.1.0 → 13.2.1) · Repo · Changelog

Release Notes

13.2.1

What's Changed

  • Suppressed "internal:array:52:in 'Array#each'" from backtrace by @hsbt in #554
  • Bump actions/configure-pages from 4 to 5 by @dependabot in #553

Full Changelog: v13.2.0...v13.2.1

13.2.0

What's Changed

New Contributors

Full Changelog: v13.1.0...v13.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 60 commits:

↗️ zeitwerk (indirect, 2.6.13 → 2.6.15) · Repo · Changelog

Release Notes

2.6.15 (from changelog)

  • Internal improvements.

2.6.14 (from changelog)

  • Implements Zeitwerk::Loader#all_expected_cpaths, which returns a hash that maps the absolute paths of the files and directories managed by the receiver to their expected constant paths.

    Please, check its documentation for further details.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)