authorStan Hu <stanhu@gmail.com>2018-11-19 12:20:44 -0800
committerStan Hu <stanhu@gmail.com>2018-11-19 12:53:43 -0800
commit3af1fbfa842864e10cb840348826dcd22b9da806 (patch)
tree3d2c83f7e44d8ffd3ed659de3dd07714f17fda94
parente20ceb56dea2b48c3b419d99417be367abe38742 (diff)
downloadgitlab-ce-sh-bump-gems-security.tar.gz
Bump nokogiri, loofah, and rack gems for security updatessh-bump-gems-security
loofah: CVE-2018-16468 — https://github.com/flavorjones/loofah/issues/154
nokogiri: CVE-2018-14404 and CVE-2018-14567 — https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md
rack: CVE-2018-16471 — https://github.com/rack/rack/commit/e5d58031b766e49687157b45edab1b8457d972bd
i18n: https://github.com/svenfuchs/i18n/releases
concurrent-ruby: https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md
-rw-r--r--Gemfile2
-rw-r--r--Gemfile.lock18
-rw-r--r--Gemfile.rails4.lock12
-rw-r--r--changelogs/unreleased/sh-bump-gems-security.yml5
4 files changed, 21 insertions, 16 deletions
diff --git a/Gemfile b/Gemfile
index 2a228b326ad..a0971d8f495 100644
--- a/Gemfile
+++ b/Gemfile
@@ -383,7 +383,7 @@ group :test do
gem 'rails-controller-testing' if rails5? # Rails5 only gem.
gem 'test_after_commit', '~> 1.1' unless rails5? # Remove this gem when migrated to rails 5.0. It's been integrated to rails 5.0.
gem 'sham_rack', '~> 1.3.6'
- gem 'concurrent-ruby', '~> 1.0.5'
+ gem 'concurrent-ruby', '~> 1.1'
gem 'test-prof', '~> 0.2.5'
gem 'rspec_junit_formatter'
end
diff --git a/Gemfile.lock b/Gemfile.lock
index e21a1b85457..f9356ab0c7d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -128,9 +128,9 @@ GEM
concord (0.1.5)
adamantium (~> 0.2.0)
equalizer (~> 0.0.9)
- concurrent-ruby (1.0.5)
- concurrent-ruby-ext (1.0.5)
- concurrent-ruby (= 1.0.5)
+ concurrent-ruby (1.1.3)
+ concurrent-ruby-ext (1.1.3)
+ concurrent-ruby (= 1.1.3)
connection_pool (2.2.2)
crack (0.4.3)
safe_yaml (~> 1.0.0)
@@ -379,7 +379,7 @@ GEM
json (~> 1.8)
multi_xml (>= 0.5.2)
httpclient (2.8.3)
- i18n (1.1.0)
+ i18n (1.1.1)
concurrent-ruby (~> 1.0)
icalendar (2.4.1)
ice_nine (0.11.2)
@@ -444,7 +444,7 @@ GEM
activesupport (>= 4)
railties (>= 4)
request_store (~> 1.0)
- loofah (2.2.2)
+ loofah (2.2.3)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
mail (2.7.0)
@@ -453,7 +453,7 @@ GEM
memoist (0.16.0)
memoizable (0.4.2)
thread_safe (~> 0.3, >= 0.3.1)
- method_source (0.9.0)
+ method_source (0.9.2)
mime-types (3.2.2)
mime-types-data (~> 3.2015)
mime-types-data (3.2018.0812)
@@ -474,7 +474,7 @@ GEM
net-ssh (5.0.1)
netrc (0.11.0)
nio4r (2.3.1)
- nokogiri (1.8.4)
+ nokogiri (1.8.5)
mini_portile2 (~> 2.3.0)
nokogumbo (1.5.0)
nokogiri
@@ -602,7 +602,7 @@ GEM
get_process_mem (~> 0.2)
puma (>= 2.7, < 4)
pyu-ruby-sasl (0.0.3.3)
- rack (2.0.5)
+ rack (2.0.6)
rack-accept (0.4.5)
rack (>= 0.4)
rack-attack (4.4.1)
@@ -966,7 +966,7 @@ DEPENDENCIES
chronic (~> 0.10.2)
chronic_duration (~> 0.10.6)
commonmarker (~> 0.17)
- concurrent-ruby (~> 1.0.5)
+ concurrent-ruby (~> 1.1)
connection_pool (~> 2.0)
creole (~> 0.5.0)
database_cleaner (~> 1.5.0)
diff --git a/Gemfile.rails4.lock b/Gemfile.rails4.lock
index fea3102b8d6..11553997aac 100644
--- a/Gemfile.rails4.lock
+++ b/Gemfile.rails4.lock
@@ -125,9 +125,9 @@ GEM
concord (0.1.5)
adamantium (~> 0.2.0)
equalizer (~> 0.0.9)
- concurrent-ruby (1.0.5)
- concurrent-ruby-ext (1.0.5)
- concurrent-ruby (= 1.0.5)
+ concurrent-ruby (1.1.3)
+ concurrent-ruby-ext (1.1.3)
+ concurrent-ruby (= 1.1.3)
connection_pool (2.2.2)
crack (0.4.3)
safe_yaml (~> 1.0.0)
@@ -441,7 +441,7 @@ GEM
activesupport (>= 4)
railties (>= 4)
request_store (~> 1.0)
- loofah (2.2.2)
+ loofah (2.2.3)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
mail (2.7.0)
@@ -470,7 +470,7 @@ GEM
net-ldap (0.16.0)
net-ssh (5.0.1)
netrc (0.11.0)
- nokogiri (1.8.4)
+ nokogiri (1.8.5)
mini_portile2 (~> 2.3.0)
nokogumbo (1.5.0)
nokogiri
@@ -957,7 +957,7 @@ DEPENDENCIES
chronic (~> 0.10.2)
chronic_duration (~> 0.10.6)
commonmarker (~> 0.17)
- concurrent-ruby (~> 1.0.5)
+ concurrent-ruby (~> 1.1)
connection_pool (~> 2.0)
creole (~> 0.5.0)
database_cleaner (~> 1.5.0)
diff --git a/changelogs/unreleased/sh-bump-gems-security.yml b/changelogs/unreleased/sh-bump-gems-security.yml
new file mode 100644
index 00000000000..06489f6f979
--- /dev/null
+++ b/changelogs/unreleased/sh-bump-gems-security.yml
@@ -0,0 +1,5 @@
+---
+title: Bump nokogiri, loofah, and rack gems for security updates
+merge_request: 23204
+author:
+type: security