Patching vulnerabilities | esbuild, net-imap (#450)

DSACMS · Feb 12, 2025 · 9101ee9 · 9101ee9
1 parent 677a426
commit 9101ee9
Show file tree

Hide file tree

Showing 5 changed files with 125 additions and 161 deletions.
diff --git a/app/Dockerfile b/app/Dockerfile
@@ -120,7 +120,8 @@ RUN apt-get update -qq && \
         postgresql-client=15+248 \
         python-is-python3=3.11.2-1+deb12u1 \
         python3-venv=3.11.2-1+b1 \
-        unzip=6.0-28 && \
+        unzip=6.0-28 \
+        libtasn1-6=4.19.0-2+deb12u1 && \
     rm -rf /var/lib/apt/lists /var/cache/apt/archives && \
     curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" && \
     unzip awscli-bundle.zip && \
@@ -130,7 +131,8 @@ RUN apt-get update -qq && \
 # Remove base rexml for GHSA-4xqq-m2hx-25v8
 RUN gem uninstall -i /usr/local/lib/ruby/gems/3.3.0 debug && \
     gem uninstall -i /usr/local/lib/ruby/gems/3.3.0 rss && \
-    gem uninstall -i /usr/local/lib/ruby/gems/3.3.0 rexml
+    gem uninstall -i /usr/local/lib/ruby/gems/3.3.0 rexml && \
+    gem uninstall -i /usr/local/lib/ruby/gems/3.3.0 net-imap || true
 
 # Install custom db migrate script
 COPY bin/db-migrate /usr/bin/
@@ -139,6 +141,10 @@ COPY bin/db-migrate /usr/bin/
 COPY --from=release-build /usr/local/bundle /usr/local/bundle
 COPY --from=release-build /rails /rails
 
+# Clean up any unused gems and ensure we have the correct versions
+RUN bundle clean --force && \
+    bundle install --no-cache
+
 # Ensure all necessary directories exist
 RUN mkdir -p /rails/tmp/pids /rails/log /rails/db
 

diff --git a/app/Gemfile b/app/Gemfile
@@ -72,6 +72,7 @@ gem "stackprof"
 gem "rexml", "~> 3.3.9"
 gem "gpgme", "~> 2.0", ">= 2.0.12"
 gem "pdf-reader", "~> 2.12.0"
+gem "net-imap", "0.4.19"  # Fixing CVE-2025-25186
 
 gem "maybe_later"
 gem "activeresource"

diff --git a/app/Gemfile.lock b/app/Gemfile.lock
@@ -262,7 +262,7 @@ GEM
     mutex_m (0.3.0)
     net-http (0.4.1)
       uri
-    net-imap (0.4.17)
+    net-imap (0.4.19)
       date
       net-protocol
     net-pop (0.1.2)
@@ -478,7 +478,7 @@ GEM
       unicode-display_width (>= 1.1.1, < 3)
     thor (1.3.2)
     timecop (0.9.10)
-    timeout (0.4.1)
+    timeout (0.4.3)
     ttfunk (1.8.0)
       bigdecimal (~> 3.1)
     turbo-rails (2.0.11)
@@ -551,6 +551,7 @@ DEPENDENCIES
   jsbundling-rails
   maybe_later
   mixpanel-ruby
+  net-imap (= 0.4.19)
   newrelic_rpm
   omniauth-azure-activedirectory-v2
   omniauth-rails_csrf_protection (~> 1.0)