🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.
Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
To work around this issue, you can set your umask to be more restrictive like this:
$ umask0077
Release Notes
6.1.7.5 (from changelog)
Use a temporary file for storing unencrypted files while editing
Fixed a typo in a HTML5 parser error message. [#2927] (Thanks, @anishathalye!)
[CRuby] ObjectSpace.memsize_of is now safe to call on Documents with complex DTDs. In previous versions, this debugging method could result in a segfault. [#2923, #2924]
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ rails (6.1.7.4 → 6.1.7.6) · Repo
Release Notes
6.1.7.5
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ actioncable (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
Release Notes
6.1.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ actionmailbox (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
↗️ actionmailer (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
Release Notes
6.1.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ actionpack (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
Release Notes
6.1.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ actiontext (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
Release Notes
6.1.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ actionview (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
Release Notes
6.1.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ activejob (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
Release Notes
6.1.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ activemodel (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
Release Notes
6.1.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ activerecord (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
Release Notes
6.1.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ activestorage (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
Release Notes
6.1.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ activesupport (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
Security Advisories 🚨
🚨 Possible File Disclosure of Locally Encrypted Files
Release Notes
6.1.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ mini_mime (indirect, 1.1.2 → 1.1.5) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 13 commits:
Update mime types from upstream and bumpVersion bumpHandle MIME::Types differences on WindowsShim IO#pread when not supportedVersion bumpMake the library fork safe and drop the mutexDB updates 2023-03-01T10:03:17Z (#49)Adds Ruby 3.2 to the CI matrix. Requires Ruby >= 2.6. (#48)DEV: Require ruby >= 2.5 (#46)DEV: Update gem description to match repo desc (#47)DB updates 2022-01-06T11:58:07Z (#45)Update CI config (#42)Add Ruby 3.0 to CI (#40)↗️ minitest (indirect, 5.18.1 → 5.19.0) · Repo · Changelog
Release Notes
5.19.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
prepped for release+ Add metadata lazy accessor to Runnable / Result. (matteeyah)- Minitest::TestTask enthusiastically added itself to default. (ParadoxV5)+ Only load minitest/unit (aka ancient MiniTest compatibility layer) if ENV["MT_COMPAT"]Replace 'MiniTest' with 'Minitest' in example code. (sambostock)↗️ net-imap (indirect, 0.3.6 → 0.3.7) · Repo
Release Notes
0.3.7
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 6 commits:
🏷️ Bump version to 0.3.7🔀 Merge pull request #161 from ruby/backport-digest_md5-bad-challenge✅ Mark assert_linear_performance test as pendingRemove nested quantifierFix `NoMethodError` when "qop" is not presentAdd test for bad challenge↗️ nokogiri (indirect, 1.15.3 → 1.15.4) · Repo · Changelog
Release Notes
1.15.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 9 commits:
version bump to v1.15.4backport updates and fixes to v1.15.x (#2953)dep: update libxml2 to v2.11.5test: add coverage for the memsize_of bugfix memsize_node when called on xmlAttrsFix typoci: ruby-saml's downstream test suite needs minitest compatstyle: prefer Minitest to MiniTestci: update suppression stack signature↗️ rack (indirect, 2.2.7 → 2.2.8) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 7 commits:
Bump patch version.Regenerate SPEC (#2102)Fix inefficient assert pattern in Rack::Lint (#2101)Prefer ubuntu-latest for testing. (#2095)Update cookie.rb (#2092)adds missing 2.2.7 to CHANGELOG.md (#2081)Limit file extension length of multipart tempfiles (#2069) (#2075)↗️ rails-dom-testing (indirect, 2.1.1 → 2.2.0) · Repo
Release Notes
2.2.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 27 commits:
Prepare for 2.2.0:scissors:No need to wait rubocop to run testsTest with Rails edgeMerge pull request #110 from nicoco007/fix-substitution-regressionSpecial case Regexp instead of stringsFix string substitution regressionRemove constants from global namespaceMatch constant definition with the file nameInline CountDescribable moduleRemove unnecessary requiresSetup Active Support in a common place:scissors:Require railtie in the main fileMerge pull request #109 from flavorjones/flavorjones-dom-testing-html-versiondoc: update documentation to include HTML parser selectionfeat: railtie to set Rails::Dom::Testing.default_html_versionfeat: some assertions allow setting the HTML parser versionfeat: Introduce Rails::Dom::Testing.default_html_versionAdd .rdoc_options to make README the front page.Merge pull request #108 from flavorjones/flavorjones-rails-rubocop-standardsci: prepend a rubocop jobstyle: use require_relative where appropriatestyle(rubocop): unsafe autocorrectsstyle(rubocop): safe autocorrectsdev: import Rails rubocop config, set Ruby version to >=2.5dev: remove unnecessary development dependencies↗️ railties (indirect, 6.1.7.4 → 6.1.7.6) · Repo · Changelog
Release Notes
6.1.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 5 commits:
Preparing for 6.1.7.6 releaseBumping version for new releasePreparing for 6.1.7.5 releasebumping version / changelogUse a temporary file for storing unencrypted files while editing↗️ zeitwerk (indirect, 2.6.9 → 2.6.11) · Repo · Changelog
Release Notes
2.6.11 (from changelog)
2.6.10 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 8 commits:
Ready for 2.6.11Let on_dir_autoloaded be reentrantUpdate code commentReady for 2.6.10Rename cpath_expected_at testsCentralize and improve camelize validationsRelax wording in CHANGELOGFixes typoDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands