ywwg / ffagc

Firefly Art Grant Core Website

Use bundler-audit #60

Closed Katee closed 7 years ago

Katee commented 7 years ago
Name: actionpack
Version: 4.1.7
Advisory: CVE-2014-7829
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
Title: Arbitrary file existence disclosure in Action Pack
Solution: upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8

Name: actionpack
Version: 4.1.7
Advisory: CVE-2015-7576
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Title: Timing attack vulnerability in basic authentication in Action Controller.
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: actionpack
Version: 4.1.7
Advisory: CVE-2015-7581
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
Title: Object leak vulnerability for wildcard controller routes in Action Pack
Solution: upgrade to >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Name: actionpack
Version: 4.1.7
Advisory: CVE-2016-0751
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Title: Possible Object Leak and Denial of Service attack in Action Pack
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: actionpack
Version: 4.1.7
Advisory: CVE-2016-2098
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Title: Possible remote code execution vulnerability in Action Pack
Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14

Name: actionview
Version: 4.1.7
Advisory: CVE-2016-0752
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Title: Possible Information Leak Vulnerability in Action View
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Name: actionview
Version: 4.1.7
Advisory: CVE-2016-2097
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
Title: Possible Information Leak Vulnerability in Action View
Solution: upgrade to >= 4.1.14.2, ~> 4.1.14

Name: actionview
Version: 4.1.7
Advisory: CVE-2016-6316
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Title: Possible XSS Vulnerability in Action View
Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

Name: activemodel
Version: 4.1.7
Advisory: CVE-2016-0753
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
Title: Possible Input Validation Circumvention in Active Model
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Name: activerecord
Version: 4.1.7
Advisory: CVE-2015-7577
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Title: Nested attributes rejection proc bypass in Active Record
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: activesupport
Version: 4.1.7
Advisory: CVE-2015-3226
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
Title: XSS Vulnerability in ActiveSupport::JSON.encode
Solution: upgrade to >= 4.2.2, ~> 4.1.11

Name: activesupport
Version: 4.1.7
Advisory: CVE-2015-3227
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Title: Possible Denial of Service attack in Active Support
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22
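As an added example (not code from this thread or from bundler-audit itself), a small Ruby script that parses this report format and evaluates each "Solution" constraint with Gem::Requirement, so a candidate upgrade version can be checked against every advisory before running bundle update; SAMPLE_REPORT is a constructed two-entry excerpt of the actionpack lines above.

```ruby
# Constructed sample: two of the actionpack entries from the report above,
# in the same "Key: value" block format bundler-audit prints.
SAMPLE_REPORT = <<~REPORT
  Name: actionpack
  Version: 4.1.7
  Advisory: CVE-2014-7829
  Criticality: Medium
  URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
  Title: Arbitrary file existence disclosure in Action Pack
  Solution: upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8

  Name: actionpack
  Version: 4.1.7
  Advisory: CVE-2016-2098
  Criticality: Unknown
  URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
  Title: Possible remote code execution vulnerability in Action Pack
  Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14
REPORT

# Split the report into blank-line-separated blocks and turn each block
# into a hash keyed by the lowercased field name (:name, :advisory, ...).
def parse_advisories(text)
  text.split(/\n\s*\n/).map do |block|
    block.lines.each_with_object({}) do |line, h|
      key, value = line.split(": ", 2)
      h[key.strip.downcase.to_sym] = value.to_s.strip if key
    end
  end
end

# "upgrade to ~> 4.1.7.1, >= 4.1.8" -> [Gem::Requirement, Gem::Requirement]
def patched_requirements(solution)
  solution.sub(/\Aupgrade to\s*/, "").split(",").map { |r| Gem::Requirement.new(r.strip) }
end

# A version is patched for one advisory if it satisfies ANY listed requirement
# (each requirement is a separate release line, e.g. ~> 4.1.14 vs >= 4.2.5.2).
def patched?(version, solution)
  v = Gem::Version.new(version)
  patched_requirements(solution).any? { |req| req.satisfied_by?(v) }
end

# CVE ids for the named gem that a candidate version would still leave open.
def unpatched_advisories(report, gem_name, version)
  parse_advisories(report).select do |adv|
    adv[:name] == gem_name && !patched?(version, adv[:solution])
  end.map { |adv| adv[:advisory] }
end
```

Note that the first advisory's "~> 4.1.7.1" accepts 4.1.7.1 but the later one needs at least 4.1.14.2, which is why the upgrade target has to satisfy the whole list, not the first entry.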

ywwg commented 7 years ago

I'm a little worried about doing a bundle update on the production server mid-flight on my own. Maybe we should arrange a time to get on chat so I can poke at it and make sure it goes smoothly?

Future dev work should happen in master, but first I need to create a stable prod branch that I can pull the server from. (the server has a private branch prod-2017 that pulls from ywwg/master. I'll repoint it to the new stable branch) All easy to do, just not doing it this second ;-).

ywwg commented 7 years ago

ps thanks for getting on this so quickly! much appreciated

Katee commented 7 years ago

I'm happy to help update the production server (and set up a staging one if you don't have one yet).

ywwg commented 7 years ago

ok I made a prod-2017 branch that we'll keep the big changes out of (and pull to the prod server from), so I can merge this

ywwg commented 7 years ago

see this is what I don't get, I do "bundle update" on my local install and I get: Warning: the running version of Bundler (1.13.2) is older than the version that created the lockfile (1.13.7). We suggest you upgrade to the latest version of Bundler by running gem install bundler.

but do I want to do that, or do I want to do sudo gem install bundler? When do I do stuff as sudo vs not? I'd prefer to do it the right way on the actual server

Katee commented 7 years ago

You probably want to update bundler using gem install bundler. Usually you don't want to run gem or bundler with sudo.

In this case it is probably okay to ignore that warning.

ywwg commented 7 years ago

then I get:

$ gem install bundler
Fetching: bundler-1.14.6.gem (100%)
ERROR:  While executing gem ... (Gem::FilePermissionError)
    You don't have write permissions for the /var/lib/gems/2.3.0 directory.

Which makes sense to me, a regular user shouldn't be able to write to /var/lib

ywwg commented 7 years ago

I worry about upgrading stuff on the prod server if something like bundler is usually managed by a deb or rpm package

Katee commented 7 years ago

Oh, I'm not sure how you have things set up, I don't usually use the managed package. I use rbenv on my machine to handle multiple versions of ruby.

ywwg commented 7 years ago

I followed only the finest tutorials on stackoverflow, sometimes multiple simultaneously

ywwg commented 7 years ago

:sob: