author | Robert Speicher <robert@gitlab.com> | 2017-09-06 16:20:20 +0000 |
---|---|---|
committer | Robert Speicher <robert@gitlab.com> | 2017-09-06 16:20:20 +0000 |
commit | f92172131644ab5041933436db35640bb472c2ea (patch) | |
tree | 214fb1a9d00f1c3197d9389690729d98cad388ee | |
parent | 1140a3ed0ac76cec205bd87e43e1bff8cd683a17 (diff) | |
parent | 529dfc7bd605c3fc90e46c3a79823661e74caccb (diff) | |
Merge branch 'rs-issue-29992-9-4' into 'security-9-4'
[9.4] Merge branch 'fix/gem-security-updates' into 'master'
See merge request gitlab/gitlabhq!2182
-rw-r--r-- | Gemfile | 11 | ||||
-rw-r--r-- | Gemfile.lock | 41 | ||||
-rw-r--r-- | changelogs/unreleased/fix-gem-security-updates.yml | 5 | ||||
-rwxr-xr-x | scripts/static-analysis | 2 |
4 files changed, 31 insertions, 28 deletions
@@ -26,7 +26,7 @@ gem 'doorkeeper-openid_connect', '~> 1.1.0'
 gem 'omniauth', '~> 1.4.2'
 gem 'omniauth-auth0', '~> 1.4.1'
 gem 'omniauth-azure-oauth2', '~> 0.0.6'
-gem 'omniauth-cas3', '~> 1.1.2'
+gem 'omniauth-cas3', '~> 1.1.4'
 gem 'omniauth-facebook', '~> 4.0.0'
 gem 'omniauth-github', '~> 1.1.1'
 gem 'omniauth-gitlab', '~> 1.0.2'
@@ -122,12 +122,9 @@ gem 'wikicloth', '0.8.1'
 gem 'asciidoctor', '~> 1.5.2'
 gem 'asciidoctor-plantuml', '0.0.7'
 gem 'rouge', '~> 2.0'
-gem 'truncato', '~> 0.7.8'
+gem 'truncato', '~> 0.7.9'
 gem 'bootstrap_form', '~> 2.7.0'
-
-# See https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
-# and https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
-gem 'nokogiri', '~> 1.6.7', '>= 1.6.7.2'
+gem 'nokogiri', '~> 1.8.0'
 
 # Diffs
 gem 'diffy', '~> 3.1.0'
@@ -247,7 +244,7 @@ gem 'uglifier', '~> 2.7.2'
 gem 'addressable', '~> 2.3.8'
 gem 'bootstrap-sass', '~> 3.3.0'
 gem 'font-awesome-rails', '~> 4.7'
-gem 'gemojione', '~> 3.0'
+gem 'gemojione', '~> 3.3'
 gem 'gon', '~> 6.1.0'
 gem 'jquery-atwho-rails', '~> 1.3.2'
 gem 'jquery-rails', '~> 4.1.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index c607c7eb3dc..0132ee36c34 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -262,7 +262,7 @@ GEM
       ruby-progressbar (~> 1.4)
     gemnasium-gitlab-service (0.2.6)
       rugged (~> 0.21)
-    gemojione (3.0.1)
+    gemojione (3.3.0)
       json
     get_process_mem (0.2.0)
     gettext (3.2.2)
@@ -304,13 +304,14 @@ GEM
       activesupport (>= 4.1.0)
     gollum-grit_adapter (1.0.1)
       gitlab-grit (~> 2.7, >= 2.7.1)
-    gollum-lib (4.2.1)
-      github-markup (~> 1.4.0)
+    gollum-lib (4.2.7)
+      gemojione (~> 3.2)
+      github-markup (~> 1.6)
       gollum-grit_adapter (~> 1.0)
-      nokogiri (~> 1.6.4)
-      rouge (~> 2.0)
-      sanitize (~> 2.1.0)
-      stringex (~> 2.5.1)
+      nokogiri (>= 1.6.1, < 2.0)
+      rouge (~> 2.1)
+      sanitize (~> 2.1)
+      stringex (~> 2.6)
     gollum-rugged_adapter (0.4.4)
       mime-types (>= 1.15)
       rugged (~> 0.25)
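Review bot: The @@ -122 hunk of the Gemfile drops the two-line comment that recorded why nokogiri was pinned, so `gem 'nokogiri', '~> 1.8.0'` now carries no rationale for its floor; keep a one-line why-comment next to it, e.g. `# Security: keep nokogiri on 1.8.x (see changelog "Upgrade mail and nokogiri gems due to security issues")`. The changelog entry added in this commit also says the mail gem was upgraded, yet no mail change appears in the Gemfile or Gemfile.lock hunks here, so either the 9.4 backport did not need it or the entry's wording should be adjusted — worth confirming before merge. The @@ -26 and @@ -247 hunks (omniauth-cas3, gemojione) are plain version bumps and need nothing further.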
@@ -459,7 +460,7 @@ GEM
     method_source (0.8.2)
     mime-types (2.99.3)
     mimemagic (0.3.0)
-    mini_portile2 (2.1.0)
+    mini_portile2 (2.2.0)
     minitest (5.7.0)
     mmap2 (2.2.7)
     mousetrap-rails (1.4.6)
@@ -474,8 +475,8 @@ GEM
     net-ldap (0.16.0)
     net-ssh (3.0.1)
     netrc (0.11.0)
-    nokogiri (1.6.8.1)
-      mini_portile2 (~> 2.1.0)
+    nokogiri (1.8.0)
+      mini_portile2 (~> 2.2.0)
     numerizer (0.1.1)
     oauth (0.5.1)
     oauth2 (1.4.0)
@@ -498,9 +499,9 @@ GEM
       jwt (~> 1.0)
       omniauth (~> 1.0)
       omniauth-oauth2 (~> 1.1)
-    omniauth-cas3 (1.1.3)
+    omniauth-cas3 (1.1.4)
       addressable (~> 2.3)
-      nokogiri (~> 1.6.6)
+      nokogiri (~> 1.7, >= 1.7.1)
       omniauth (~> 1.2)
     omniauth-facebook (4.0.0)
       omniauth-oauth2 (~> 1.2)
@@ -587,7 +588,7 @@ GEM
       cliver (~> 0.3.1)
       multi_json (~> 1.0)
       websocket-driver (>= 0.2.0)
-    posix-spawn (0.3.11)
+    posix-spawn (0.3.13)
     powerpack (0.1.1)
     premailer (1.10.4)
       addressable
@@ -835,7 +836,7 @@ GEM
     state_machines-activerecord (0.4.0)
       activerecord (>= 4.1, < 5.1)
       state_machines-activemodel (>= 0.3.0)
-    stringex (2.5.2)
+    stringex (2.7.1)
     sys-filesystem (1.1.6)
       ffi
     sysexits (1.2.0)
@@ -855,9 +856,9 @@ GEM
     toml-rb (0.3.15)
       citrus (~> 3.0, > 3.0)
     tool (0.2.3)
-    truncato (0.7.8)
+    truncato (0.7.10)
       htmlentities (~> 4.3.1)
-      nokogiri (~> 1.6.1)
+      nokogiri (~> 1.8.0, >= 1.7.0)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
     u2f (0.2.1)
@@ -973,7 +974,7 @@ DEPENDENCIES
   foreman (~> 0.78.0)
   fuubar (~> 2.0.0)
   gemnasium-gitlab-service (~> 0.2)
-  gemojione (~> 3.0)
+  gemojione (~> 3.3)
   gettext (~> 3.2.2)
   gettext_i18n_rails (~> 1.8.0)
   gettext_i18n_rails_js (~> 1.2.0)
@@ -1016,7 +1017,7 @@ DEPENDENCIES
   mysql2 (~> 0.3.16)
   net-ldap
   net-ssh (~> 3.0.1)
-  nokogiri (~> 1.6.7, >= 1.6.7.2)
+  nokogiri (~> 1.8.0)
   oauth2 (~> 1.4)
   octokit (~> 4.6.2)
   oj (~> 2.17.4)
@@ -1024,7 +1025,7 @@ DEPENDENCIES
   omniauth-auth0 (~> 1.4.1)
   omniauth-authentiq (~> 0.3.0)
   omniauth-azure-oauth2 (~> 0.0.6)
-  omniauth-cas3 (~> 1.1.2)
+  omniauth-cas3 (~> 1.1.4)
   omniauth-facebook (~> 4.0.0)
   omniauth-github (~> 1.1.1)
   omniauth-gitlab (~> 1.0.2)
@@ -1111,7 +1112,7 @@ DEPENDENCIES
   thin (~> 1.7.0)
   timecop (~> 0.8.0)
   toml-rb (~> 0.3.15)
-  truncato (~> 0.7.8)
+  truncato (~> 0.7.9)
   u2f (~> 0.2.1)
   uglifier (~> 2.7.2)
   underscore-rails (~> 1.8.0)
diff --git a/changelogs/unreleased/fix-gem-security-updates.yml b/changelogs/unreleased/fix-gem-security-updates.yml
new file mode 100644
index 00000000000..dce11d08402
--- /dev/null
+++ b/changelogs/unreleased/fix-gem-security-updates.yml
@@ -0,0 +1,5 @@
+---
+title: Upgrade mail and nokogiri gems due to security issues
+merge_request: 13662
+author: Markus Koller
+type: security
diff --git a/scripts/static-analysis b/scripts/static-analysis
index 6d35684b97f..5b90c2af1dc 100755
--- a/scripts/static-analysis
+++ b/scripts/static-analysis
@@ -3,7 +3,7 @@ require ::File.expand_path('../lib/gitlab/popen', __dir__)
 
 tasks = [
-  %w[bundle exec bundle-audit check --update --ignore CVE-2016-4658 CVE-2017-5029],
+  %w[bundle exec bundle-audit check --update],
   %w[bundle exec rake config_lint],
   %w[bundle exec rake flay],
   %w[bundle exec rake haml_lint],