From 80d3b43daf4119277d7629fdd04dcab04096c75e Mon Sep 17 00:00:00 2001
From: Andrew White
Date: Wed, 29 Oct 2025 13:28:21 +0000
Subject: [PATCH 1/3] Relax version constraints to allow Rails 7.2.3 update

The ~> operator on the revision triggers a false positive on the latest patch update in the Rails 7.2.x release series.
---
 gems/actionpack/CVE-2024-54133.yml | 2 +-
 gems/activerecord/CVE-2025-55193.yml | 2 +-
 gems/activestorage/CVE-2025-24293.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/gems/actionpack/CVE-2024-54133.yml b/gems/actionpack/CVE-2024-54133.yml
index 86e6c22eac..71f5497cde 100644
--- a/gems/actionpack/CVE-2024-54133.yml
+++ b/gems/actionpack/CVE-2024-54133.yml
@@ -36,7 +36,7 @@ unaffected_versions: patched_versions: - "~> 7.0.8.7" - "~> 7.1.5.1" - - "~> 7.2.2.1" + - "~> 7.2.2, >= 7.2.2.1" - ">= 8.0.0.1" related: url:
diff --git a/gems/activerecord/CVE-2025-55193.yml b/gems/activerecord/CVE-2025-55193.yml
index d4af66bec2..82d64d8cf9 100644
--- a/gems/activerecord/CVE-2025-55193.yml
+++ b/gems/activerecord/CVE-2025-55193.yml
@@ -25,7 +25,7 @@ description: | this vulnerability. patched_versions: - "~> 7.1.5.2" - - "~> 7.2.2.2" + - "~> 7.2.2, >= 7.2.2.2" - ">= 8.0.2.1" related: url:
diff --git a/gems/activestorage/CVE-2025-24293.yml b/gems/activestorage/CVE-2025-24293.yml
index 74825197ce..3c5bc4827d 100644
--- a/gems/activestorage/CVE-2025-24293.yml
+++ b/gems/activestorage/CVE-2025-24293.yml
@@ -59,7 +59,7 @@ unaffected_versions: - "< 5.20" patched_versions: - "~> 7.1.5.2" - - "~> 7.2.2.2" + - "~> 7.2.2, >= 7.2.2.2" - ">= 8.0.2.1" related: url:

From 8dc3ade1ec3c9d7c7bb05aa852aeb140959e2131 Mon Sep 17 00:00:00 2001
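Review bot: In the activestorage hunk the context line `- "< 5.20"` under `unaffected_versions`, two lines above the changed entry, looks like a transposed `- "< 5.2.0"`; as written, Gem::Version orders every 5.2.x release below 5.20, so all activestorage 5.2.x versions would be classed unaffected and skipped by bundler-audit-style scanners. The sibling actionpack advisory CVE-2024-54133 uses `- "< 5.2.0"` (visible in the second patch of this series), which supports the typo reading, but the intended floor should be confirmed against the upstream advisory before it is changed, since a wrong floor in either direction misreports users. This commit only touches the 7.2 constraint; the new `~> 7.2.2, >= 7.2.2.2` resolves to `>= 7.2.2.2, < 7.3` and correctly admits 7.2.3.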
From: Andrew White
Date: Wed, 29 Oct 2025 14:29:53 +0000
Subject: [PATCH 2/3] Relax version constraints to allow Rails 7.1.6 update

The ~> operator on the revision triggers a false positive on the latest patch update in the Rails 7.1.x release series.
---
 gems/actionpack/CVE-2024-54133.yml | 2 +-
 gems/activerecord/CVE-2025-55193.yml | 2 +-
 gems/activestorage/CVE-2025-24293.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/gems/actionpack/CVE-2024-54133.yml b/gems/actionpack/CVE-2024-54133.yml
index 71f5497cde..b421a41c08 100644
--- a/gems/actionpack/CVE-2024-54133.yml
+++ b/gems/actionpack/CVE-2024-54133.yml
@@ -35,7 +35,7 @@ unaffected_versions: - "< 5.2.0" patched_versions: - "~> 7.0.8.7" - - "~> 7.1.5.1" + - "~> 7.1.5, >= 7.1.5.1" - "~> 7.2.2, >= 7.2.2.1" - ">= 8.0.0.1" related:
diff --git a/gems/activerecord/CVE-2025-55193.yml b/gems/activerecord/CVE-2025-55193.yml
index 82d64d8cf9..5f6de5c5b8 100644
--- a/gems/activerecord/CVE-2025-55193.yml
+++ b/gems/activerecord/CVE-2025-55193.yml
@@ -24,7 +24,7 @@ description: | Thanks to [lio346](https://hackerone.com/lio346) for reporting this vulnerability. patched_versions: - - "~> 7.1.5.2" + - "~> 7.1.5, >= 7.1.5.2" - "~> 7.2.2, >= 7.2.2.2" - ">= 8.0.2.1" related:
diff --git a/gems/activestorage/CVE-2025-24293.yml b/gems/activestorage/CVE-2025-24293.yml
index 3c5bc4827d..314922f328 100644
--- a/gems/activestorage/CVE-2025-24293.yml
+++ b/gems/activestorage/CVE-2025-24293.yml
@@ -58,7 +58,7 @@ description: | unaffected_versions: - "< 5.20" patched_versions: - - "~> 7.1.5.2" + - "~> 7.1.5, >= 7.1.5.2" - "~> 7.2.2, >= 7.2.2.2" - ">= 8.0.2.1" related:

From 82127e56143253ac1ab877b83a583350c24c0f41 Mon Sep 17 00:00:00 2001
From: Andrew White
Date: Wed, 29 Oct 2025 14:38:29 +0000
Subject: [PATCH 3/3] Relax version constraints to allow Rails 7.0.10 update

The ~> operator on the revision triggers a false positive on the latest patch update in the Rails 7.0.x release series.
---
 gems/actionmailer/CVE-2024-47889.yml | 2 +-
 gems/actionpack/CVE-2024-41128.yml | 2 +-
 gems/actionpack/CVE-2024-47887.yml | 2 +-
 gems/actionpack/CVE-2024-54133.yml | 2 +-
 gems/actiontext/CVE-2024-34341.yml | 2 +-
 gems/actiontext/CVE-2024-47888.yml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/gems/actionmailer/CVE-2024-47889.yml b/gems/actionmailer/CVE-2024-47889.yml
index cd28467784..d94dd725f8 100644
--- a/gems/actionmailer/CVE-2024-47889.yml
+++ b/gems/actionmailer/CVE-2024-47889.yml
@@ -38,7 +38,7 @@ unaffected_versions: - "< 3.0.0" patched_versions: - "~> 6.1.7.9" - - "~> 7.0.8.5" + - "~> 7.0.8, >= 7.0.8.5" - "~> 7.1.4, >= 7.1.4.1" - ">= 7.2.1.1" related:
diff --git a/gems/actionpack/CVE-2024-41128.yml b/gems/actionpack/CVE-2024-41128.yml
index d762438264..4317c1f45a 100644
--- a/gems/actionpack/CVE-2024-41128.yml
+++ b/gems/actionpack/CVE-2024-41128.yml
@@ -38,7 +38,7 @@ unaffected_versions: - "< 3.1.0" patched_versions: - "~> 6.1.7.9" - - "~> 7.0.8.5" + - "~> 7.0.8, >= 7.0.8.5" - "~> 7.1.4, >= 7.1.4.1" - ">= 7.2.1.1" related:
diff --git a/gems/actionpack/CVE-2024-47887.yml b/gems/actionpack/CVE-2024-47887.yml
index 8a9163b721..99196b2287 100644
--- a/gems/actionpack/CVE-2024-47887.yml
+++ b/gems/actionpack/CVE-2024-47887.yml
@@ -40,7 +40,7 @@ unaffected_versions: - "< 4.0.0" patched_versions: - "~> 6.1.7.9" - - "~> 7.0.8.5" + - "~> 7.0.8, >= 7.0.8.5" - "~> 7.1.4, >= 7.1.4.1" - ">= 7.2.1.1" related:
diff --git a/gems/actionpack/CVE-2024-54133.yml b/gems/actionpack/CVE-2024-54133.yml
index b421a41c08..1ae3f0ca12 100644
--- a/gems/actionpack/CVE-2024-54133.yml
+++ b/gems/actionpack/CVE-2024-54133.yml
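Review bot: The `~> 6.1.7.9` entry directly above each changed line in the CVE-2024-47889, CVE-2024-41128 and CVE-2024-47887 hunks keeps the bare four-segment `~>` form this commit is removing from the 7.0 entry, so it still resolves to `>= 6.1.7.9, < 6.1.8` and would flag a 6.1.8 release exactly the way 7.0.10 was flagged. If the reason it is left alone is that 6.1 is end-of-life and no further release is expected, writing it as `- "~> 6.1.7, >= 6.1.7.9"` costs nothing and keeps every entry in the list in one shape that is easy to audit; otherwise a short `# 6.1 is EOL; no 6.1.8 expected` comment on that line would save the next reader the same question. The same entry also appears in the CVE-2024-47888 hunk that follows.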
@@ -34,7 +34,7 @@ cvss_v4: 2.3 unaffected_versions: - "< 5.2.0" patched_versions: - - "~> 7.0.8.7" + - "~> 7.0.8, >= 7.0.8.7" - "~> 7.1.5, >= 7.1.5.1" - "~> 7.2.2, >= 7.2.2.1" - ">= 8.0.0.1"
diff --git a/gems/actiontext/CVE-2024-34341.yml b/gems/actiontext/CVE-2024-34341.yml
index f041c89f5a..ad6ae53779 100644
--- a/gems/actiontext/CVE-2024-34341.yml
+++ b/gems/actiontext/CVE-2024-34341.yml
@@ -57,7 +57,7 @@ description: | unaffected_versions: - "< 7.0.0" patched_versions: - - "~> 7.0.8.3" + - "~> 7.0.8, >= 7.0.8.3" - ">= 7.1.3.3" cvss_v3: 5.4 related:
diff --git a/gems/actiontext/CVE-2024-47888.yml b/gems/actiontext/CVE-2024-47888.yml
index 6cf0d3e39d..68d6a2ea18 100644
--- a/gems/actiontext/CVE-2024-47888.yml
+++ b/gems/actiontext/CVE-2024-47888.yml
@@ -39,7 +39,7 @@ unaffected_versions: - "< 6.0.0" patched_versions: - "~> 6.1.7.9" - - "~> 7.0.8.5" + - "~> 7.0.8, >= 7.0.8.5" - "~> 7.1.4, >= 7.1.4.1" - ">= 7.2.1.1" related:
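Review bot: A bare four-segment `~>` is still present in this patch's CVE-2024-47888 hunk (`~> 6.1.7.9`), and nothing in the three commits adds a check that would stop the construction from coming back, even though each commit exists because a new Rails patch release turned one such entry into a false positive. A validation rule that rejects a `~>` constraint with four version segments in `patched_versions` (whatever spec or lint the repository runs over advisories, not visible here) would catch the remaining instances and make the next `7.x.y` release a non-event. The changed lines themselves are consistent: after this hunk CVE-2024-54133 lists `~> 7.0.8, >= 7.0.8.7`, `~> 7.1.5, >= 7.1.5.1`, `~> 7.2.2, >= 7.2.2.1` and `>= 8.0.0.1`, each resolving to the fixed revision up to the next minor, and CVE-2024-34341's `~> 7.0.8, >= 7.0.8.3` follows the same shape.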