
Conversation

@totus
Contributor

@totus totus commented Oct 31, 2024

With the new version of Rails (7.1.5), false alarms are now ringing because of the too-restrictive version range specified in the "patched versions" section of the affected gems.
The change updates the version range so that 7.1.5 doesn't fail the validation.

Failures with the existing version range:

Name: actionmailer
Version: 7.1.5
CVE: CVE-2024-47889
GHSA: GHSA-h47h-mwp9-c6q6
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
Title: Possible ReDoS vulnerability in block_format in Action Mailer
Solution: update to '~> 6.1.7.9', '~> 7.0.8.5', '~> 7.1.4.1', '>= 7.2.1.1'

Name: actionpack
Version: 7.1.5
CVE: CVE-2024-41128
GHSA: GHSA-x76w-6vjr-8xgj
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
Title: Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
Solution: update to '~> 6.1.7.9', '~> 7.0.8.5', '~> 7.1.4.1', '>= 7.2.1.1'

Name: actionpack
Version: 7.1.5
CVE: CVE-2024-47887
GHSA: GHSA-vfg9-r3fq-jvx4
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
Title: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
Solution: update to '~> 6.1.7.9', '~> 7.0.8.5', '~> 7.1.4.1', '>= 7.2.1.1'

Name: actiontext
Version: 7.1.5
CVE: CVE-2024-47888
GHSA: GHSA-wwhv-wxv9-rpgw
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
Title: Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
Solution: update to '~> 6.1.7.9', '~> 7.0.8.5', '~> 7.1.4.1', '>= 7.2.1.1'
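The failures above come from how RubyGems reads the pessimistic constraint `~> 7.1.4.1`: it means `>= 7.1.4.1` and `< 7.1.5`, so 7.1.5 falls outside it even though it carries the 7.1.4.1 fix. The following is an added example, not code from the PR or from ruby-advisory-db. It mirrors how bundler-audit evaluates a `patched_versions` list (a version counts as patched when it satisfies at least one entry, and an entry may hold several comma-separated requirements) and contrasts the old entry from the output above with a widened 7.1 entry; that widened entry, `~> 7.1.4, >= 7.1.4.1`, is this example's own suggestion for illustrating the fix and is not claimed to be the exact text of the merged commit.

```ruby
require "rubygems"

# Added example (not code from the PR or from ruby-advisory-db). It mirrors
# how bundler-audit evaluates a "patched_versions" list: a version is treated
# as patched if it satisfies at least one requirement string, and each string
# may hold several comma-separated RubyGems requirements.

# The patched_versions entry reported in the bundler-audit output above.
OLD_PATCHED = ["~> 6.1.7.9", "~> 7.0.8.5", "~> 7.1.4.1", ">= 7.2.1.1"].freeze

# A widened 7.1 entry. This is the example's own suggestion, an assumption for
# illustration rather than the constraint text of the merged commit:
# "~> 7.1.4" admits every 7.1.x release, and ">= 7.1.4.1" keeps the
# unpatched 7.1.4 out.
NEW_PATCHED = ["~> 6.1.7.9", "~> 7.0.8.5", "~> 7.1.4, >= 7.1.4.1", ">= 7.2.1.1"].freeze

# Parse one patched_versions string into a Gem::Requirement, splitting on
# commas so that a multi-part entry becomes several requirements.
def requirement(str)
  Gem::Requirement.new(*str.split(",").map(&:strip))
end

# The half-open interval a pessimistic (~>) constraint expands to:
# "~> 7.1.4.1" means >= 7.1.4.1 and < 7.1.5, because Gem::Version#bump drops
# the last segment and increments the new last one.
def pessimistic_range(version_str)
  v = Gem::Version.new(version_str)
  [v.to_s, v.bump.to_s]
end

# True when the version satisfies at least one patched_versions entry.
def patched?(version_str, patched_versions)
  v = Gem::Version.new(version_str)
  patched_versions.any? { |s| requirement(s).satisfied_by?(v) }
end

# Installed versions that would still be reported as vulnerable under a list.
def still_flagged(versions, patched_versions)
  versions.reject { |ver| patched?(ver, patched_versions) }
end

if __FILE__ == $PROGRAM_NAME
  puts "~> 7.1.4.1 covers #{pessimistic_range('7.1.4.1').join(' ..< ')}"
  puts "~> 7.1.4   covers #{pessimistic_range('7.1.4').join(' ..< ')}"
  # Constructed sample of installed versions, chosen to straddle the boundary.
  sample = %w[7.1.4 7.1.4.1 7.1.5 7.2.1.1]
  puts "flagged under old list: #{still_flagged(sample, OLD_PATCHED).inspect}"
  puts "flagged under new list: #{still_flagged(sample, NEW_PATCHED).inspect}"
end
```

Under the old list the sample leaves both 7.1.4 (correctly, it is unpatched) and 7.1.5 (the false alarm) flagged; under the widened entry only 7.1.4 remains flagged. The general check when editing a `patched_versions` entry is that the `~>` bound's upper limit, `Gem::Version#bump`, must sit above every later release on that branch that carries the fix.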

@totus
Contributor Author

totus commented Oct 31, 2024

@postmodern, @reedloden - please review.

@totus totus changed the title from "Update rails-related advisories' patched versions to include 7.1.5, which incorporates 7.1.4.1 changes" to "Update patched versions to include 7.1.5 for CVE-2024-47889, CVE-2024-47888, CVE-2024-47887, CVE-2024-41128" Oct 31, 2024
@postmodern postmodern merged commit 88eefea into rubysec:master Oct 31, 2024
1 check passed
@postmodern
Member

Made a minor change to the version constraints in d6a9089. Should be the same though.

@totus totus deleted the oa-rails-7-1-5-update branch October 31, 2024 16:22