Specially crafted requests can be used to access files that exist on
the filesystem that is outside an application's root directory, when the
Sprockets server is used in production.
All users running an affected release should either upgrade or use one of the work arounds immediately.
Workaround:
In Rails applications, work around this issue, set config.assets.compile = false and config.public_file_server.enabled = true in an initializer and precompile the assets.
This work around will not be possible in all hosting environments and upgrading is advised.
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
We've updated a dependency and here is what you need to know:
name
version specification
old version
new version
sprockets
indirect dependency
3.7.1
3.7.2
Additionally, the update changed a few other dependencies as well:
action
name
old version
new version
updated
rack
2.0.3
2.0.5
You should probably take a good look at the info here and the test results before merging this pull request, of course.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
🚨 Your version of sprockets has known security vulnerabilities 🚨
Advisory: CVE-2018-3760 Disclosed: June 19, 2018 URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Path Traversal in Sprockets
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
We've updated a dependency and here is what you need to know:
Additionally, the update changed a few other dependencies as well:
You should probably take a good look at the info here and the test results before merging this pull request, of course.
What changed?
↗️ sprockets (indirect, 3.7.1 → 3.7.2) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 5 commits:
v3.7.2
Do not respond to http requests asking for a `file://`
Make sure find_sources behaves in the same way when the assets don't
Merge pull request #487 from mcfiredrill/patch-1
typo in deprecation message
↗️ rack (indirect, 2.0.3 → 2.0.5) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 14 commits:
Bump version for release
Merge pull request #1268 from eileencodes/forwardport-pr-1249-to-2-0-stable
Merge pull request #1249 from mclark/handle-invalid-method-parameters
Stick with a passing version of Rubygems and bundler
Leahize
Bumping version
webrick: remove concurrent-ruby dev dependency
Merge pull request #1190 from hugoabonizio/master
Merge pull request #1193 from tompng/multipart_less_memory
Merge pull request #1192 from jkowens/master
Merge pull request #1179 from tompng/master
Merge pull request #1151 from cremno/simplify-some-string-creations
Merge pull request #1189 from lugray/fix_rack_lock
Require the right file for the digest we're using
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase
.