Commit a793c29
Update aws-sdk-s3 from 1.205.0 to v1.208.0 (#143)
Resolves CVE-2025-14762
## Summary
S3 Encryption Client for Ruby is an open-source client-side encryption
library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an "Instruction File"
instead of S3's metadata record, the EDK is exposed to an "Invisible
Salamanders" attack (https://eprint.iacr.org/2019/016), which could
allow the EDK to be replaced with a new key.
## Impact
### Background - Key Commitment
There is a cryptographic property whereby under certain conditions, a
single ciphertext can be decrypted into 2 different plaintexts by using
different encryption keys. To address this issue, strong encryption
schemes use what is known as "key commitment", a process by which an
encrypted message can only be decrypted by one key: the key used to
originally encrypt the message.
In older versions of S3EC, when customers are also using a feature
called "Instruction File" to store EDKs, key commitment is not
implemented because multiple EDKs could be associated with an underlying
encrypted message object. For such customers an attack that leverages
the lack of key commitment is possible. A bad actor would need two
things to leverage this issue: (i) the ability to create a separate,
rogue EDK that will also decrypt the underlying object to produce the
desired plaintext, and (ii) permission to upload a new instruction file
to the S3 bucket to replace the existing instruction file placed there
by the user using the S3EC. Any future attempt to decrypt the underlying
encrypted message with the S3EC will unwittingly use the rogue EDK to
produce a valid plaintext message.
Impacted versions: <= 1.207.0
## Patches
We are introducing the concept of "key commitment" to S3EC where the EDK
is cryptographically bound to the ciphertext in order to address this
issue. In order to maintain compatibility for in-flight messages we are
releasing the fix in two versions: a code-compatible minor version that
can read messages with key commitment but not write them, and a new
major version that can both read and write messages with key commitment.
For maximum safety customers are asked to upgrade to the latest major
version: 1.208.0 or later.
## Workarounds
There are no workarounds, please upgrade to the suggested version of
S3EC.
## References
If customers have any questions or comments about this advisory, AWS SDK
for Ruby asks that they contact AWS Security via the issue reporting
page or directly via email to
[aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not
create a public GitHub issue.
---
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent 82a7e99, commit a793c29
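To illustrate the property the fix relies on, here is an added key-committing AES-GCM wrapper; it is example code, not S3EC's or aws-sdk-s3's implementation, and the HMAC-SHA256 derivation, the labels `enc`/`commit`, and the inline storage layout are assumptions of this example. A data key is used only to derive an encryption key and a commitment tag; the tag is stored with the ciphertext and checked before decryption, so a replacement data key is rejected up front instead of silently producing a second plaintext.

```ruby
require 'openssl'

# Key-committing AES-256-GCM wrapper (assumed design, not S3EC's own).
module CommittingAead
  CIPHER = 'aes-256-gcm'

  # Derive a separate encryption key and a commitment tag from the data
  # key (HMAC-SHA256 with fixed labels is the assumed KDF). A rogue data
  # key yields an unrelated pair, so it cannot reproduce the stored tag.
  def self.derive(data_key)
    [OpenSSL::HMAC.digest('SHA256', data_key, 'enc'),
     OpenSSL::HMAC.digest('SHA256', data_key, 'commit')]
  end

  # Constant-time byte comparison; false on length mismatch.
  def self.ct_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The commitment is stored with the ciphertext object itself (never in a
  # replaceable side file) and is also fed into the GCM AAD, so the GCM
  # tag binds ciphertext and commitment together.
  def self.encrypt(data_key, plaintext, aad = '')
    enc_key, commit = derive(data_key)
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key = enc_key
    iv = c.random_iv
    c.auth_data = commit + aad.b
    ct = c.update(plaintext) + c.final
    { iv: iv, ct: ct, tag: c.auth_tag, commit: commit }
  end

  # Check the commitment before any decryption; nil on mismatch or on a
  # failed GCM authentication, so a wrong key never yields plaintext.
  def self.decrypt(data_key, obj, aad = '')
    enc_key, commit = derive(data_key)
    return nil unless ct_equal?(commit, obj[:commit])
    c = OpenSSL::Cipher.new(CIPHER).decrypt
    c.key = enc_key
    c.iv = obj[:iv]
    c.auth_tag = obj[:tag]
    c.auth_data = obj[:commit] + aad.b
    c.update(obj[:ct]) + c.final
  rescue OpenSSL::Cipher::CipherError
    nil
  end
end
```

Decryption with the original key succeeds; a different key fails the commitment check, and even a key whose tag is swapped in alongside it fails GCM authentication because the tag is part of the AAD.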
1 file changed: +5 -5 lines (the rendered diff lists removals at original lines 87, 91, 99-100 and 108 with matching additions, but the changed line contents are not shown on the page)