chore(deps): update dependency bundler to v4 [security]#36
Open
sc-renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency bundler to v4 [security]#36sc-renovate[bot] wants to merge 1 commit into
sc-renovate[bot] wants to merge 1 commit into
Conversation
aeadb06 to
2cc6f21
Compare
2cc6f21 to
2b9747e
Compare
2b9747e to
5c5426d
Compare
5c5426d to
a909b8c
Compare
123ab3b to
a7d3b88
Compare
1241ad0 to
6dcbe71
Compare
f681375 to
899597f
Compare
7fe9238 to
45f4ee6
Compare
45f4ee6 to
1e4bc2a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
"~> 1.0"→"~> 4.0"GitHub Vulnerability Alerts
CVE-2019-3881
Bundler prior to 2.1.0 uses a predictable path in
/tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.Severity
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HCVE-2020-36327
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HCVE-2021-43809
In
bundlerversions before 2.2.33, when working with untrusted and apparently harmlessGemfile's, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside theGemfileitself. However, if theGemfileincludesgementries that use thegitoption with invalid, but seemingly harmless, values with a leading dash, this can be false.To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as
git clone. These commands are being constructed using user input (e.g. the repository URL). When building thecommands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (
-) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables.Since this value comes from the
Gemfilefile, it can contain any character, including a leading dash.Exploitation
To exploit this vulnerability, an attacker has to craft a directory containing a
Gemfilefile that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of-u./payload. This URLwill be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as
bundle lock, inside.Impact
This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, as explained above, the exploitability is very low, because it requires a lot of user interaction. It still could put developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by manually reviewing the
Gemfile(although they would need the weird URL with a leading dash to not raise any flags).This kind of attack vector has been used in the past to target security researchers by sending them projects to collaborate on.
Patches
Bundler 2.2.33 has patched this problem by inserting
--as an argument before any positional arguments to those Git commands that were affected by this issue.Workarounds
Regardless of whether users can upgrade or not, they should review any untrustred
Gemfile's before running anybundlercommands that may read them, since they can contain arbitrary ruby code.References
https://cwe.mitre.org/data/definitions/88.html
Severity
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HCVE-2016-7954
Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
Severity
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRelease Notes
ruby/rubygems (bundler)
v4.0.16Compare Source
Enhancements:
Bug fixes:
v4.0.15Compare Source
Enhancements:
Bug fixes:
v4.0.14Compare Source
Enhancements:
v4.0.13Compare Source
Enhancements:
v4.0.12Compare Source
Enhancements:
Bug fixes:
BUNDLE_VERSIONis "lockfile". Pull request #9545 by hsbtBUNDLE_VERSIONenv var inBundlerVersionFinder. Pull request #9538 by hsbtv4.0.11Compare Source
Enhancements:
gem spec. Pull request #9476 by eregonv4.0.10Compare Source
Enhancements:
Bug fixes:
v4.0.9Compare Source
Enhancements:
gem owner. Pull request #9403 by gjtorikianBug fixes:
Documentation:
v4.0.8Compare Source
Enhancements:
#9373 by hsbt
rubygems/request directly. Pull request
#9362 by afurm
Documentation:
#9372 by simi
v4.0.7Compare Source
Enhancements:
#9020 by hyuraku
#9312 by hsbt
Documentation:
#9321 by fxn
#9306 by tompng
v4.0.6Compare Source
Enhancements:
#9298 by hsbt
v4.0.5Compare Source
Enhancements:
#9266 by hsbt
#9257 by hsbt
Bug fixes:
#9246 by Edouard-chin
#9245 by JasonLunn
Documentation:
#9255 by hsbt
v4.0.4Compare Source
Enhancements:
#9232 by jeremyevans
Bug fixes:
#9242 by Edouard-chin
v4.0.3Compare Source
Enhancements:
Documentation:
#9208 by eileencodes
v4.0.2Compare Source
Enhancements:
BUNDLE_JOBSto RubyGems before compiling &introduce a new
gem install -jflag. Pull request#9171 by Edouard-chin
v4.0.1Compare Source
Enhancements:
Bug fixes:
v4.0.0Compare Source
Features:
Gem::Version.new(nil). Pull request#9086 by tenderlove
#9064 by baweaver
#9062 by baweaver
Performance:
MAKEFLAGS=-jby default before compiling. Pull request#9131 by Edouard-chin
#9017 by tenderlove
Gem.win_platform?out of a hot path. Pull request#8983 by tenderlove
#8974 by tenderlove
IO.copy_streamwith IO object directly. Pull request#8970 by tenderlove
IO.copy_stream. Pull request#8966 by tenderlove
#8965 by tenderlove
Enhancements:
#9089 by hsbt
Gem::Deprecate. Pull request#9090 by hsbt
install a gem. Pull request
#9066 by Edouard-chin
#9041 by tenderlove
Pull request #9050 by
jeremyevans
#8753 by cfis
#9022 by tenderlove
gem sources --prependand--appendallow finer grained control ofsources. Pull request #8901
by martinemde
gem sources --removeoutput. Pull request#8909 by deivid-rodriguez
gem sourcesoutput more clear. Pull request#8938 by deivid-rodriguez
request #8879 by ioquatix
#7709 by folbricht-stripe
#8854 by deivid-rodriguez
request #8846 by
deivid-rodriguez
Bug fixes:
#9135 by hsbt
BUNDLE_VERSIONconfig at Gem::BundlerVersionFinder. Pullrequest #9106 by hsbt
#8948 by deivid-rodriguez
gem sources --remove. Pullrequest #8939 by
deivid-rodriguez
Security:
#9031 by hsbt
Breaking changes:
-Coption from gem build. Pull request#9088 by hsbt
Pull request #9084 by hsbt
gem querycommand. Pull request#9083 by hsbt
request #9082 by hsbt
#9081 by hsbt
#9051 by tenderlove
--defaultoption from install command. Pull request#7588 by hsbt
compatibility.rbfor RG 4.0. Pull request#8899 by hsbt
Deprecations:
Gem::Specification#datadir. Pull request#8900 by hsbt
Documentation:
#9148 by hsbt
#9128 by hsbt
#9065 by nobu
#9012 by etiennebarrie
#8904 by hsbt
#8849 by deivid-rodriguez
#8848 by indirect
v2.7.2Compare Source
Enhancements:
gem sources --prependand--appendallow finer grained control ofsources. Pull request
#8901 by martinemde
gem sources --removeoutput. Pull request#8909 by
deivid-rodriguez
gem sourcesoutput more clear. Pull request#8938 by
deivid-rodriguez
#7709 by
folbricht-stripe
Bug fixes:
#8948 by
deivid-rodriguez
gem sources --remove. Pullrequest #8939 by
deivid-rodriguez
v2.7.1Compare Source
Enhancements:
#8854 by
deivid-rodriguez
request #8846 by
deivid-rodriguez
Documentation:
#8849 by
deivid-rodriguez
#8848 by indirect
v2.7.0Compare Source
Security:
#8831 by hsbt
Breaking changes:
request #8833 by
deivid-rodriguez
#8634 by segiddins
Enhancements:
#8829 by
github-actions[bot]
push_rubygemas a default scope forgem signincommand. Pullrequest #8672 by hsbt
#8731 by segiddins
gem install.Pull request #8751 by
segiddins
Bundler::GemHelperstoGem::Platform. Pull request#8703 by segiddins
Gem::Platformparses strings to a fix point. Pull request#8584 by segiddins
Bug fixes:
#8763 by rye-stripe
--bindir <foo>flag to gem install failing when<foo>is not inthe default GEM_HOME and its parent directory does not exist yet. Pull
request #8783 by larouxn
gem installsometimes compiling the wrong source files. Pullrequest #8764 by
deivid-rodriguez
ccacheorsccacheareused. Pull request #8521
by hsbt
gem pristinenot recompiling extensions sometimes. Pull request#8757 by
deivid-rodriguez
--prereleaseflag togem installsometimes not respected. Pullrequest #8648 by ntl
Documentation:
#8838 by djbender
#8822 by
deivid-rodriguez
#8812 by
deivid-rodriguez
#8711 by antoinem
v2.6.9Compare Source
Enhancements:
#8673 by unasuke
to visit. Pull request
#8663 by mperham
#8644 by
deivid-rodriguez
Performance:
#8640 by jeremyevans
Documentation:
#8638 by thatrobotdev
v2.6.8Compare Source
Enhancements:
v2.6.7Compare Source
Enhancements:
#8569 by
giacomobenedetti
3156192, to simplify reproduciblebuilds. Pull request
#8568 by duckinator
gem execraise an error in ambiguous cases. Pull request#8573 by
deivid-rodriguez
Performance:
#8565 by skipkayhil
v2.6.6Compare Source
Enhancements:
#8534 by hsbt
Bug fixes:
gem rdocnot working with newer versions of rdoc when notinstalled as default gems. Pull request
#8549 by
deivid-rodriguez
v2.6.5Compare Source
Enhancements:
Documentation:
gem serverfromgem help. Pull request#8507 by hsbt
v2.6.4Compare Source
Enhancements:
request #8449 by
deivid-rodriguez
Performance:
#8245 by segiddins
v2.6.3Compare Source
Enhancements:
gem env. Pull request#8375 by duckinator
#8387 by
github-actions[bot]
Bug fixes:
@licensesarray unmarshalling. Pull request#8411 by rykov
v2.6.2Compare Source
Security:
into a byte. Pull request
#8305 by segiddins
#8306 by segiddins
Enhancements:
#8340 by
deivid-rodriguez
Bug fixes:
@original_platformattribute. Pull request
#8355 by
deivid-rodriguez
v2.6.1Compare Source
Enhancements:
Bug fixes:
gem infotagging some non default gems as default. Pull request#8321 by
deivid-rodriguez
Documentation:
#8327 by st0012
v2.6.0Compare Source
Security:
#8307 by segiddins
Breaking changes:
#8091 by segiddins
Features:
#8239 by segiddins
Enhancements:
Gem::Specification.reseton benigncases. Pull request
#8309 by
deivid-rodriguez
gem install <name>suggest<name>-rubyandruby-<name>whenproviding "did you mean" suggestions. Pull request
#8197 by duckinator
#8233 by
github-actions[bot]
--target-rbconfigoption togem installandgem updatecommands. Pull request
#7628 by kateinoigakukun
#7129 by nobu
Gem.configuration.install_extension_in_lib. Pull request#6463 by hsbt
Bug fixes:
gem execto fix name in CLI output. Pullrequest #8267 by adam12
request #8202 by
deivid-rodriguez
Documentation:
#8303 by nobu
gem installdemo in README to use a gem that just works onWindows. Pull request
#8262 by soda92
#8159 by hsbt
v2.5.23Compare Source
Enhancements:
gemCLI arguments. Pull request#6471 by
deivid-rodriguez
gem update --systemleaving old default bundler executablesaround. Pull request
#8172 by
deivid-rodriguez
Bug fixes:
#8174 by
deivid-rodriguez
--enable-load-relativebinstubs prolog work when Ruby is notinstalled in the same directory as the binstub. Pull request
#7872 by
deivid-rodriguez
Performance:
gem install <nonexistent-gem>by finding alternative namesuggestions faster. Pull request
#8084 by duckinator
Documentation:
#8152 by leoarnold
v2.5.22Compare Source
Enhancements:
._*files in packages generated from macOS. Pull request#8150 by
deivid-rodriguez
gem pristine etcresetting gem twice sometimes. Pull request#8117 by
deivid-rodriguez
gem pristineto reset default gems too. Pull request#8118 by
deivid-rodriguez
uriandnet-http. Pull request#8112 by segiddins
Bug fixes:
gem contentsfor default gems. Pull request#8132 by
deivid-rodriguez
request #8131 by
deivid-rodriguez
gem installon NFS shares. Pull request#8123 by
deivid-rodriguez
gem installcrash during "done installing" hooks. Pull request#8113 by
deivid-rodriguez
#8121 by
deivid-rodriguez
v2.5.21Compare Source
Enhancements:
Gem::MissingSpecVersionError#to_snot showing exception message.Pull request #8074 by
deivid-rodriguez
request #8083 by
duckinator
--user-installmode is only necessary for gemswith executables. Pull request
#8071 by
deivid-rodriguez
Bug fixes:
from all sources. Pull request
#8080 by
deivid-rodriguez
gem cleanupwarning when two versions of psych installed. Pullrequest #8072 by
deivid-rodriguez
v2.5.20Compare Source
Enhancements:
v2.5.19Compare Source
Enhancements:
Gem::Sourceand subclasses. Pullrequest #7994 by
djberube
molinilloto master and vendoredresolvto 0.4.0.Pull request #7521 by
hsbt
Bug fixes:
bundle exec rake installfailing when local gem has extensions.Pull request #7977 by
deivid-rodriguez
gem execuse the standard GEM_HOME. Pull request#7982 by
deivid-rodriguez
gem fetchalways exiting with zero status code. Pull request#8007 by
deivid-rodriguez
.lockfiles unintentionally left around by geminstaller. Pull request
#7939 by nobu
#8001 by hsbt
#7931 by nobu
@licensetypo preventing licenses from being correctlyunmarshalled. Pull request
#7975 by djberube
Performance:
gem install does-not-existbeing super slow. Pull request#8006 by
deivid-rodriguez
v2.5.18Compare Source
Enhancements:
Bug fixes:
gem uninstall <name>:<version>failing on shadowed default gems.Pull request #7949 by
deivid-rodriguez
v2.5.17Compare Source
Enhancements:
Gem::Dependencyto yaml. Pull request#7867 by segiddins
Bug fixes:
gem listregression when a regular gem shadows a default one. Pullrequest #7892 by
deivid-rodriguez
#7879 by
deivid-rodriguez
#7857 by leetking
v2.5.16Compare Source
Enhancements:
Bug fixes:
require_pathsvalidation. Pull request#7866 by
deivid-rodriguez
gemrcconfig keys when specified as symbols.Pull request #7851 by
moofkit
Performance:
caller_locationsinstead of splittingcaller. Pull request#7708 by nobu
v2.5.15Compare Source
Enhancements:
Bug fixes:
armto only match 32-bit arm. Pull request#7830 by ntkme
#7806 by
deivid-rodriguez
Documentation:
add_dependencyis the main way to addnon-development dependencies. Pull request
#7800 by jeromedalbert
v2.5.14Compare Source
Enhancements:
Bug fixes:
#7778 by x-yuri
v2.5.13Compare Source
Enhancements:
Bug fixes:
#7747 by
deivid-rodriguez
v2.5.12Compare Source
Enhancements:
Bug fixes:
gem uninstallunresolved specifications warning. Pull request#7667 by
deivid-rodriguez
gem pristinesometimes failing to pristine user installed gems.Pull request #7664 by
deivid-rodriguez
v2.5.11Compare Source
Enhancements:
#7689 by
github-actions[bot]
#7658 by x-yuri
#7629 by kateinoigakukun
running version. Pull request
#7460 by
deivid-rodriguez
Bug fixes:
--destdirisgiven. Pull request
#7660 by
deivid-rodriguez
gem uninstall --user-installfor symlinked HOME. Pull request#7645 by
deivid-rodriguez
gem uninstall. Pull request#7631 by
deivid-rodriguez
#6456 by voxik
Performance:
#7484 by segiddins
Documentation:
bin/rakeoverrakein contributing docs. Pull request#7648 by
deivid-rodriguez
v2.5.10Compare Source
Security:
package. Pull request
#7568 by segiddins
Enhancements:
rubygemsfromrubygems/packageto prevent somecircular require warnings when using Bundler. Pull request
#7612 by
deivid-rodriguez
Bug fixes:
#7623 by jenshenny
v2.5.9Compare Source
Enhancements:
v2.5.8Compare Source
Security:
#7518 by
deivid-rodriguez
Enhancements:
#7543 by hsbt
#4913 by duckinator
Bug fixes:
files. Pull request
#7539 by jez
Gem::Resolver::Activationobjects. Pull request
#7537 by
deivid-rodriguez
v2.5.7Compare Source
Enhancements:
Pull request #5010 by
simi
attribute. Pull request
#7464 by segiddins
#7468 by
github-actions[bot]
Bug fixes:
it) when it's the only possibility. Pull request
#7428 by kimesf
Documentation:
#7505 by hsbt
#7481 by hsbt
v2.5.6Compare Source
Enhancements:
Gem::SpecificationandGem::Requirement.Pull request #7439 by
flavorjones
Pull request #7422 by
VitaliySerov
#7435 by m-nakamura145
#7342 by williantenfen
#7386 by
deivid-rodriguez
Bug fixes:
#7413 by hsbt
request #7395 by ntkme
v2.5.5Compare Source
Enhancements:
Bug fixes:
requireactivation conflicts when requiring default gems undersome situations. Pull request
#7379 by
deivid-rodriguez
request #7331 by mrkn
Documentation:
Gem::Specification#descriptiondocumentation,so it doesn't add leading whitespace. Pull request
#7373 by bravehager
v2.5.4Compare Source
Enhancements:
#7335 by
deivid-rodriguez
Bug fixes:
gem update --systemrespect ruby version constraints. Pullrequest #7334 by
deivid-rodriguez
v2.5.3Compare Source
Enhancements:
v2.5.2Compare Source
Enhancements:
gemCLI arguments. Pull request#6471 by
deivid-rodriguez
gem update --systemleaving old default bundler executablesaround. Pull request
#8172 by
deivid-rodriguez
Bug fixes:
#8174 by
deivid-rodriguez
--enable-load-relativeConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.