From 1c11688b5624394c3792d1bb37599fd1e3452c9c Mon Sep 17 00:00:00 2001
From: Gannon McGibbon
Date: Tue, 6 Nov 2018 14:17:23 -0500
Subject: [PATCH] Add CVE note to security guide and gemspecs [ci skip]

---
 actioncable/actioncable.gemspec | 3 +++
 actionmailer/actionmailer.gemspec | 3 +++
 actionpack/actionpack.gemspec | 3 +++
 actionview/actionview.gemspec | 3 +++
 activejob/activejob.gemspec | 3 +++
 activemodel/activemodel.gemspec | 3 +++
 activerecord/activerecord.gemspec | 3 +++
 activestorage/activestorage.gemspec | 3 +++
 activesupport/activesupport.gemspec | 3 +++
 guides/source/security.md | 5 +++++
 railties/railties.gemspec | 3 +++
 11 files changed, 35 insertions(+)

diff --git a/actioncable/actioncable.gemspec b/actioncable/actioncable.gemspec
index 137fa64431..f4af0330d7 100644
--- a/actioncable/actioncable.gemspec
+++ b/actioncable/actioncable.gemspec
@@ -2,6 +2,9 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
 Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name = "actioncable"
diff --git a/actionmailer/actionmailer.gemspec b/actionmailer/actionmailer.gemspec
index f2fb160bdd..efcdcf019a 100644
--- a/actionmailer/actionmailer.gemspec
+++ b/actionmailer/actionmailer.gemspec
@@ -2,6 +2,9 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
 Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name = "actionmailer"
diff --git a/actionpack/actionpack.gemspec b/actionpack/actionpack.gemspec
index 1dc8abf746..4b9c729955 100644
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
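Review bot: The command in the added comment, `bundle update vulnerable_gem`, does not match the one the same commit adds to guides/source/security.md, `bundle update --conservative gem_name`; without `--conservative` Bundler is free to also upgrade the vulnerable gem's own dependencies, which is exactly what the guide's wording steers users away from, so the two should agree. The identical comment is added in the actionmailer, actionpack, actionview, activejob, activemodel, activerecord, activestorage, activesupport and railties gemspec hunks, so the wording needs fixing in all ten. Adding `--conservative` to the command in the second comment line is enough. The advice also only holds when the gemspec's existing dependency constraint already admits the patched release; any such constraints are outside the hunk, so it may be worth qualifying the note with `# (assuming the existing version constraint already allows the fixed release)`.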
@@ -2,6 +2,9 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
 Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name = "actionpack"
diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec
index 49ee1a292b..938d8b4b90 100644
--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@@ -2,6 +2,9 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
 Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name = "actionview"
diff --git a/activejob/activejob.gemspec b/activejob/activejob.gemspec
index be6292f737..cc27deb338 100644
--- a/activejob/activejob.gemspec
+++ b/activejob/activejob.gemspec
@@ -2,6 +2,9 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
 Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name = "activejob"
diff --git a/activemodel/activemodel.gemspec b/activemodel/activemodel.gemspec
index 7be466dc4c..22ca37071c 100644
--- a/activemodel/activemodel.gemspec
+++ b/activemodel/activemodel.gemspec
@@ -2,6 +2,9 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
 Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name = "activemodel"
diff --git a/activerecord/activerecord.gemspec b/activerecord/activerecord.gemspec
index a857d00c05..2c049f21ea 100644
--- a/activerecord/activerecord.gemspec
+++ b/activerecord/activerecord.gemspec
@@ -2,6 +2,9 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
 Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name = "activerecord"
diff --git a/activestorage/activestorage.gemspec b/activestorage/activestorage.gemspec
index cb1bb00a25..0b879e270c 100644
--- a/activestorage/activestorage.gemspec
+++ b/activestorage/activestorage.gemspec
@@ -2,6 +2,9 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
 Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name = "activestorage"
diff --git a/activesupport/activesupport.gemspec b/activesupport/activesupport.gemspec
index aa695c98b2..75b38f3552 100644
--- a/activesupport/activesupport.gemspec
+++ b/activesupport/activesupport.gemspec
@@ -2,6 +2,9 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
 Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name = "activesupport"
diff --git a/guides/source/security.md b/guides/source/security.md
index bb996cc39c..66b922ea35 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1235,6 +1235,11 @@ version:
 Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
 ```
 
+Dependency Management and CVEs
+------------------------------
+
+Please note that we do not accept patches for CVE version bumps. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
+
 Additional Resources
 --------------------
 
diff --git a/railties/railties.gemspec b/railties/railties.gemspec
index 6fdb4648c2..98155a35e3 100644
--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@@ -2,6 +2,9 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
 Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name = "railties"