Specially crafted requests can be used to access files that exist on
the filesystem that is outside an application's root directory, when the
Sprockets server is used in production.
All users running an affected release should either upgrade or use one of the work arounds immediately.
Workaround:
In Rails applications, work around this issue, set config.assets.compile = false and config.public_file_server.enabled = true in an initializer and precompile the assets.
This work around will not be possible in all hosting environments and upgrading is advised.
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
We've updated a dependency and here is what you need to know:
name
version specification
old version
new version
sprockets
indirect dependency
3.7.1
3.7.2
Additionally, the update changed a few other dependencies as well:
action
name
old version
new version
updated
rack
2.0.3
2.0.5
You should probably take a good look at the info here and the test results before merging this pull request, of course.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
🚨 Your version of sprockets has known security vulnerabilities 🚨
Advisory: CVE-2018-3760 Disclosed: June 19, 2018 URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Path Traversal in Sprockets
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
We've updated a dependency and here is what you need to know:
Additionally, the update changed a few other dependencies as well:
You should probably take a good look at the info here and the test results before merging this pull request, of course.
What changed?
↗️ sprockets (indirect, 3.7.1 → 3.7.2) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 5 commits:
v3.7.2Do not respond to http requests asking for a `file://`Make sure find_sources behaves in the same way when the assets don'tMerge pull request #487 from mcfiredrill/patch-1typo in deprecation message↗️ rack (indirect, 2.0.3 → 2.0.5) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 14 commits:
Bump version for releaseMerge pull request #1268 from eileencodes/forwardport-pr-1249-to-2-0-stableMerge pull request #1249 from mclark/handle-invalid-method-parametersStick with a passing version of Rubygems and bundlerLeahizeBumping versionwebrick: remove concurrent-ruby dev dependencyMerge pull request #1190 from hugoabonizio/masterMerge pull request #1193 from tompng/multipart_less_memoryMerge pull request #1192 from jkowens/masterMerge pull request #1179 from tompng/masterMerge pull request #1151 from cremno/simplify-some-string-creationsMerge pull request #1189 from lugray/fix_rack_lockRequire the right file for the digest we're usingDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.