author | Robert Speicher <robert@gitlab.com> | 2017-09-06 16:20:18 +0000 |
---|---|---|
committer | Robert Speicher <robert@gitlab.com> | 2017-09-06 16:20:18 +0000 |
commit | f3cad287c0a26e64da61fa8c245e234ee0ac9f18 (patch) | |
tree | b6ab3c3b9c038fcdf02f7c78a189c63648f99c31 | |
parent | 821448ecb40986f4c91b504647feb9d3f9303e26 (diff) | |
parent | 3b2289e9ae7cf4eef5c5fec686a6b1d4896a20d3 (diff) | |
Merge branch 'rs-issue-29992-9-3' into 'security-9-3'
[9.3] Merge branch 'fix/gem-security-updates' into 'master'
See merge request gitlab/gitlabhq!2181
-rw-r--r-- | Gemfile | 11 | ||||
-rw-r--r-- | Gemfile.lock | 41 | ||||
-rw-r--r-- | changelogs/unreleased/fix-gem-security-updates.yml | 5 | ||||
-rwxr-xr-x | scripts/static-analysis | 2 |
4 files changed, 31 insertions, 28 deletions
@@ -26,7 +26,7 @@ gem 'doorkeeper-openid_connect', '~> 1.1.0'
 gem 'omniauth', '~> 1.4.2'
 gem 'omniauth-auth0', '~> 1.4.1'
 gem 'omniauth-azure-oauth2', '~> 0.0.6'
-gem 'omniauth-cas3', '~> 1.1.2'
+gem 'omniauth-cas3', '~> 1.1.4'
 gem 'omniauth-facebook', '~> 4.0.0'
 gem 'omniauth-github', '~> 1.1.1'
 gem 'omniauth-gitlab', '~> 1.0.2'
@@ -121,11 +121,8 @@ gem 'wikicloth', '0.8.1'
 gem 'asciidoctor', '~> 1.5.2'
 gem 'asciidoctor-plantuml', '0.0.7'
 gem 'rouge', '~> 2.0'
-gem 'truncato', '~> 0.7.8'
-
-# See https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
-# and https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
-gem 'nokogiri', '~> 1.6.7', '>= 1.6.7.2'
+gem 'truncato', '~> 0.7.9'
+gem 'nokogiri', '~> 1.8.0'
 
 # Diffs
 gem 'diffy', '~> 3.1.0'
@@ -245,7 +242,7 @@ gem 'uglifier', '~> 2.7.2'
 gem 'addressable', '~> 2.3.8'
 gem 'bootstrap-sass', '~> 3.3.0'
 gem 'font-awesome-rails', '~> 4.7'
-gem 'gemojione', '~> 3.0'
+gem 'gemojione', '~> 3.3'
 gem 'gon', '~> 6.1.0'
 gem 'jquery-atwho-rails', '~> 1.3.2'
 gem 'jquery-rails', '~> 4.1.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index aa71ab91c34..24c79847bc8 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -261,7 +261,7 @@ GEM
 ruby-progressbar (~> 1.4)
 gemnasium-gitlab-service (0.2.6)
 rugged (~> 0.21)
- gemojione (3.0.1)
+ gemojione (3.3.0)
 json
 get_process_mem (0.2.0)
 gettext (3.2.2)
@@ -303,13 +303,14 @@ GEM
 activesupport (>= 4.1.0)
 gollum-grit_adapter (1.0.1)
 gitlab-grit (~> 2.7, >= 2.7.1)
- gollum-lib (4.2.1)
- github-markup (~> 1.4.0)
+ gollum-lib (4.2.7)
+ gemojione (~> 3.2)
+ github-markup (~> 1.6)
 gollum-grit_adapter (~> 1.0)
- nokogiri (~> 1.6.4)
- rouge (~> 2.0)
- sanitize (~> 2.1.0)
- stringex (~> 2.5.1)
+ nokogiri (>= 1.6.1, < 2.0)
+ rouge (~> 2.1)
+ sanitize (~> 2.1)
+ stringex (~> 2.6)
 gollum-rugged_adapter (0.4.4)
 mime-types (>= 1.15)
 rugged (~> 0.25)
@@ -458,7 +459,7 @@ GEM
 method_source (0.8.2)
 mime-types (2.99.3)
 mimemagic (0.3.0)
- mini_portile2 (2.1.0)
+ mini_portile2 (2.2.0)
 minitest (5.7.0)
 mmap2 (2.2.7)
 mousetrap-rails (1.4.6)
@@ -473,8 +474,8 @@ GEM
 net-ldap (0.12.1)
 net-ssh (3.0.1)
 netrc (0.11.0)
- nokogiri (1.6.8.1)
- mini_portile2 (~> 2.1.0)
+ nokogiri (1.8.0)
+ mini_portile2 (~> 2.2.0)
 numerizer (0.1.1)
 oauth (0.5.1)
 oauth2 (1.3.1)
@@ -497,9 +498,9 @@ GEM
 jwt (~> 1.0)
 omniauth (~> 1.0)
 omniauth-oauth2 (~> 1.1)
- omniauth-cas3 (1.1.3)
+ omniauth-cas3 (1.1.4)
 addressable (~> 2.3)
- nokogiri (~> 1.6.6)
+ nokogiri (~> 1.7, >= 1.7.1)
 omniauth (~> 1.2)
 omniauth-facebook (4.0.0)
 omniauth-oauth2 (~> 1.2)
@@ -586,7 +587,7 @@ GEM
 cliver (~> 0.3.1)
 multi_json (~> 1.0)
 websocket-driver (>= 0.2.0)
- posix-spawn (0.3.11)
+ posix-spawn (0.3.13)
 powerpack (0.1.1)
 premailer (1.10.4)
 addressable
@@ -830,7 +831,7 @@ GEM
 state_machines-activerecord (0.4.0)
 activerecord (>= 4.1, < 5.1)
 state_machines-activemodel (>= 0.3.0)
- stringex (2.5.2)
+ stringex (2.7.1)
 sys-filesystem (1.1.6)
 ffi
 sysexits (1.2.0)
@@ -850,9 +851,9 @@ GEM
 toml-rb (0.3.15)
 citrus (~> 3.0, > 3.0)
 tool (0.2.3)
- truncato (0.7.8)
+ truncato (0.7.10)
 htmlentities (~> 4.3.1)
- nokogiri (~> 1.6.1)
+ nokogiri (~> 1.8.0, >= 1.7.0)
 tzinfo (1.2.2)
 thread_safe (~> 0.1)
 u2f (0.2.1)
@@ -967,7 +968,7 @@ DEPENDENCIES
 foreman (~> 0.78.0)
 fuubar (~> 2.0.0)
 gemnasium-gitlab-service (~> 0.2)
- gemojione (~> 3.0)
+ gemojione (~> 3.3)
 gettext (~> 3.2.2)
 gettext_i18n_rails (~> 1.8.0)
 gettext_i18n_rails_js (~> 1.2.0)
@@ -1009,7 +1010,7 @@ DEPENDENCIES
 mousetrap-rails (~> 1.4.6)
 mysql2 (~> 0.3.16)
 net-ssh (~> 3.0.1)
- nokogiri (~> 1.6.7, >= 1.6.7.2)
+ nokogiri (~> 1.8.0)
 oauth2 (~> 1.3.0)
 octokit (~> 4.6.2)
 oj (~> 2.17.4)
@@ -1017,7 +1018,7 @@ DEPENDENCIES
 omniauth-auth0 (~> 1.4.1)
 omniauth-authentiq (~> 0.3.0)
 omniauth-azure-oauth2 (~> 0.0.6)
- omniauth-cas3 (~> 1.1.2)
+ omniauth-cas3 (~> 1.1.4)
 omniauth-facebook (~> 4.0.0)
 omniauth-github (~> 1.1.1)
 omniauth-gitlab (~> 1.0.2)
@@ -1102,7 +1103,7 @@ DEPENDENCIES
 thin (~> 1.7.0)
 timecop (~> 0.8.0)
 toml-rb (~> 0.3.15)
- truncato (~> 0.7.8)
+ truncato (~> 0.7.9)
 u2f (~> 0.2.1)
 uglifier (~> 2.7.2)
 underscore-rails (~> 1.8.0)
diff --git a/changelogs/unreleased/fix-gem-security-updates.yml b/changelogs/unreleased/fix-gem-security-updates.yml
new file mode 100644
index 00000000000..dce11d08402
--- /dev/null
+++ b/changelogs/unreleased/fix-gem-security-updates.yml
@@ -0,0 +1,5 @@
+---
+title: Upgrade mail and nokogiri gems due to security issues
+merge_request: 13662
+author: Markus Koller
+type: security
diff --git a/scripts/static-analysis b/scripts/static-analysis
index 6d35684b97f..5b90c2af1dc 100755
--- a/scripts/static-analysis
+++ b/scripts/static-analysis
@@ -3,7 +3,7 @@
 require ::File.expand_path('../lib/gitlab/popen', __dir__)
 
 tasks = [
- %w[bundle exec bundle-audit check --update --ignore CVE-2016-4658 CVE-2017-5029],
+ %w[bundle exec bundle-audit check --update],
 %w[bundle exec rake config_lint],
 %w[bundle exec rake flay],
 %w[bundle exec rake haml_lint], |
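Review bot: The `--ignore` list on the bundle-audit task is dropped without any note on how future exceptions are to be recorded, so the next advisory that cannot be fixed immediately will be re-added to this line ad hoc and without a rationale, as the two CVE ids were. Add a comment above the `%w[bundle exec bundle-audit check --update],` entry along the lines of `# bundle-audit: any --ignore added here must name the advisory and why the lock cannot be bumped yet, and be removed once it is`. Note also that `check --update` refreshes the advisory database at run time, so the outcome of this task depends on the network state when CI runs; that is unchanged by this commit. The changelog entry added in this commit names the `mail` gem, but none of the visible Gemfile or Gemfile.lock hunks touches it, so it is worth confirming that the 9.3 lock already resolves past the advisory the entry refers to. The `tasks` array continues outside the hunk.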