[security] fix for CVE-2018-3741

2025-01-18 07:52:23 +01:00 · 2018-04-30 07:57:21 +02:00 · 2018-04-30 07:57:21 +02:00 · 3e4e5e3e9b
commit 3e4e5e3e9b
parent 108d13936c
2 changed files with 4 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,7 @@
 - Updated OmniAuth to fix Hashie warnings [omniauth#872](https://github.com/omniauth/omniauth/issues/872)
 - Fix a security issue: dependency loofah has a vulnerability as described in [CVE-2018-8048](https://github.com/flavorjones/loofah/issues/144)
 - Ensure elasticSearch indices are started with green status on new installations
+- Fix a security issue: rails-html-sanitizer < 1.0.3 has a security vulnerability described in [CVE-2018-3741](https://nvd.nist.gov/vuln/detail/CVE-2018-3741)

 ## v2.6.4 2018 March 15

--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -136,7 +136,7 @@ GEM
      tins (>= 1.6.0, < 2)
    crack (0.4.3)
      safe_yaml (~> 1.0.0)
-    crass (1.0.3)
+    crass (1.0.4)
    daemons (1.2.4)
    database_cleaner (1.4.1)
    debug_inspector (0.0.3)
@ -337,8 +337,8 @@ GEM
      activesupport (>= 4.2.0.beta, < 5.0)
      nokogiri (~> 1.6)
      rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
    rails-observers (0.1.2)
      activemodel (~> 4.0)
    rails_12factor (0.0.3)