Update rails to version 7.0.8.6

What does this MR do and why?

Update rails to version 7.0.8.6

It fixes several CVEs related to regular expression denial of service vulnerabilities. We were not affected by them thanks to the mitigations in Ruby 3.2, but this upgrade will prevent the CVEs from showing up in vulnerability scanning results.
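Added example, not code from this MR or from Rails, showing the two Ruby 3.2 mitigations the description alludes to: `Regexp.linear_time?` reports whether a pattern is handled by the memoising, linear-time matcher, and `Regexp.new(..., timeout:)` puts a ceiling on any pattern that still backtracks. The pattern sources and inputs are constructed for illustration and do not correspond to the Rails helpers in question; it needs Ruby 3.2 or later.

```ruby
# Added example, not code from the MR or from Rails. Requires Ruby >= 3.2.

# Ruby 3.2 matches most regexps in linear time by memoising backtracking state;
# Regexp.linear_time? reports whether a pattern qualifies for that guarantee.
def linear_time_pattern?(pattern)
  Regexp.linear_time?(pattern)
end

# Patterns with back-references or look-around cannot be memoised and still
# backtrack. Compiling them with a per-pattern timeout (Ruby 3.2+) bounds the
# worst case: a match that runs too long raises Regexp::TimeoutError instead of
# pinning a worker for as long as the input dictates.
def guarded_match(source, input, timeout: 0.5)
  re = Regexp.new(source, timeout: timeout)
  re.match?(input) ? :matched : :no_match
rescue Regexp::TimeoutError
  :timed_out
end

# Classify a list of patterns (constructed for illustration) so the ones that
# fall outside the linear-time guarantee, and therefore need a timeout guard,
# stand out in review.
def audit_patterns(patterns)
  patterns.to_h do |re|
    [re.source, linear_time_pattern?(re) ? :linear : :backtracking]
  end
end

if $PROGRAM_NAME == __FILE__
  puts audit_patterns([/(a+)+$/, /(a)\1/, /\w+@\w+\.\w+/]).inspect
  puts guarded_match('^(a)\1$', 'aa')
end
```

The audit step is the part worth wiring into CI for a Ruby code base: any pattern reported as `:backtracking` is one the Ruby 3.2 engine cannot protect on its own, so it should either be rewritten without back-references and look-around or compiled with an explicit timeout.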

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

Vulnerabilities

Changelogs

  • 7.0.8.5: addresses the CVEs
  • 7.0.8.6 "These address a single bug in last week’s security releases in the block_format helper."

I followed the upgrade process https://docs.gitlab.com/ee/development/rails_update.html. There are no new @rails/ujs or @rails/actioncable versions for this update. Gemfile.next was already at a version where those CVEs are patched.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

N/A

How to set up and validate locally

N/A

Edited by Dominic Couture
