author: Stan Hu <stanhu@gmail.com> 2016-07-03 09:31:31 +0000
committer: Stan Hu <stanhu@gmail.com> 2016-07-03 09:31:31 +0000
commit: 95336861e97eb72fba8c3034deb2b9b61c9ec961 (patch)
tree: cf564f8a637c7e0bd7e81c50a17b01aa783de7f1
parent: 328fbd82a36e8c1397e383981ca8ecb789355866 (diff)
parent: a034374f004ab2a9e96619438962201b4a6ab222 (diff)
download: gitlab-ce-95336861e97eb72fba8c3034deb2b9b61c9ec961.tar.gz
Merge branch 'redcloth-4-3-2-cve-2012-6684' into 'master'
Update RedCloth to 4.3.2 for CVE-2012-6684

## What does this MR do?

To fix XSS (CVE-2012-6684), upgrade RedCloth to 4.3.2.

## Are there points in the code the reviewer needs to double check?

No.

## Why was this MR needed?

Security vulnerability in RedCloth (CVE-2012-6684) should be fixed to provide GitLab as secure software.

## What are the relevant issue numbers?

Closes #19169

cf. !2037, !2071

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [n/a] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [n/a] API support added
- Tests
  - [n/a] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4929
-rw-r--r-- CHANGELOG    | 1
-rw-r--r-- Gemfile      | 2
-rw-r--r-- Gemfile.lock | 4
3 files changed, 4 insertions, 3 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 2f93fcdbaa0..2f29a64df1b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -38,6 +38,7 @@ v 8.9.5 (unreleased)
- Show "locked" label for locked runners on runners admin. !4961
- Fixes issues importing events in Import/Export. Import/Export version bumped to 0.1.1
- Fix import button disabled when import process fail due to the namespace already been taken.
+ - Security: Update RedCloth to 4.3.2 (Takuya Noguchi)
v 8.9.4
- Fix privilege escalation issue with OAuth external users.
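Review bot: the new CHANGELOG line under v 8.9.5 (unreleased) names the gem and version but not the advisory, unlike the commit message, which cites CVE-2012-6684 throughout; include the identifier in the entry (for example "Security: Update RedCloth to 4.3.2 for CVE-2012-6684 (Takuya Noguchi)") so release notes can be matched against the advisory when operators check whether a deployed version carries the fix.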
diff --git a/Gemfile b/Gemfile
index d622af6b0a3..e409e66aab0 100644
--- a/Gemfile
+++ b/Gemfile
@@ -107,7 +107,7 @@ gem 'html-pipeline', '~> 1.11.0'
gem 'task_list', '~> 1.0.2', require: 'task_list/railtie'
gem 'github-markup', '~> 1.3.1'
gem 'redcarpet', '~> 3.3.3'
-gem 'RedCloth', '~> 4.2.9'
+gem 'RedCloth', '~> 4.3.2'
gem 'rdoc', '~>3.6'
gem 'org-ruby', '~> 0.9.12'
gem 'creole', '~> 0.5.0'
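Review bot: the constraint change on the `gem 'RedCloth'` line is what actually makes the fix reachable, because `'~> 4.2.9'` only permits 4.2.x releases and would never resolve to 4.3.2 no matter how the lockfile is regenerated; the new `'~> 4.3.2'` is correspondingly capped below 4.4, so a future security release in a 4.4.x series would again require a Gemfile edit rather than a lockfile-only bump. A short inline comment naming CVE-2012-6684 beside the gem line would record why the floor was raised.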
diff --git a/Gemfile.lock b/Gemfile.lock
index 45cb327168c..34138decc13 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
GEM
remote: https://rubygems.org/
specs:
- RedCloth (4.2.9)
+ RedCloth (4.3.2)
ace-rails-ap (4.0.2)
actionmailer (4.2.6)
actionpack (= 4.2.6)
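Review bot: in the specs section only the `RedCloth (4.2.9)` line changes to `RedCloth (4.3.2)`, with no dependency lines added or removed beneath it, so the upgrade pulls in no new transitive gems; confirm the lockfile was regenerated with bundler (for example `bundle update RedCloth`) rather than hand-edited, so that the resolved set recorded here matches what `bundle install` will actually produce.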
@@ -803,7 +803,7 @@ PLATFORMS
ruby
DEPENDENCIES
- RedCloth (~> 4.2.9)
+ RedCloth (~> 4.3.2)
ace-rails-ap (~> 4.0.2)
activerecord-session_store (~> 1.0.0)
acts-as-taggable-on (~> 3.4)