From 841c52c8c4cc0992d87902d038cf21be2452141c Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Thu, 31 Aug 2017 00:39:21 +0000
Subject: Merge branch 'fix/gem-security-updates' into 'master'

Upgrade mail and nokogiri gems due to security issues

See merge request !13662
---
 Gemfile | 11 ++----
 Gemfile.lock | 45 +++++++++++-----------
 changelogs/unreleased/fix-gem-security-updates.yml | 5 +++
 scripts/static-analysis | 2 +-
 4 files changed, 33 insertions(+), 30 deletions(-)
 create mode 100644 changelogs/unreleased/fix-gem-security-updates.yml

diff --git a/Gemfile b/Gemfile
index de3531267d3..1610881f74e 100644
--- a/Gemfile
+++ b/Gemfile
@@ -27,7 +27,7 @@ gem 'doorkeeper-openid_connect', '~> 1.1.0'
 gem 'omniauth', '~> 1.4.2'
 gem 'omniauth-auth0', '~> 1.4.1'
 gem 'omniauth-azure-oauth2', '~> 0.0.6'
-gem 'omniauth-cas3', '~> 1.1.2'
+gem 'omniauth-cas3', '~> 1.1.4'
 gem 'omniauth-facebook', '~> 4.0.0'
 gem 'omniauth-github', '~> 1.1.1'
 gem 'omniauth-gitlab', '~> 1.0.2'
@@ -126,12 +126,9 @@ gem 'wikicloth', '0.8.1'
 gem 'asciidoctor', '~> 1.5.2'
 gem 'asciidoctor-plantuml', '0.0.7'
 gem 'rouge', '~> 2.0'
-gem 'truncato', '~> 0.7.8'
+gem 'truncato', '~> 0.7.9'
 gem 'bootstrap_form', '~> 2.7.0'
-
-# See https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
-# and https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
-gem 'nokogiri', '~> 1.6.7', '>= 1.6.7.2'
+gem 'nokogiri', '~> 1.8.0'
 
 # Diffs
 gem 'diffy', '~> 3.1.0'
@@ -250,7 +247,7 @@ gem 'uglifier', '~> 2.7.2'
 gem 'addressable', '~> 2.3.8'
 gem 'bootstrap-sass', '~> 3.3.0'
 gem 'font-awesome-rails', '~> 4.7'
-gem 'gemojione', '~> 3.0'
+gem 'gemojione', '~> 3.3'
 gem 'gon', '~> 6.1.0'
 gem 'jquery-atwho-rails', '~> 1.3.2'
 gem 'jquery-rails', '~> 4.1.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 98edefd79fc..9a7cbaf8494 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -256,7 +256,7 @@ GEM ruby-progressbar (~> 1.4) gemnasium-gitlab-service (0.2.6) rugged (~> 0.21) - gemojione (3.0.1) + gemojione (3.3.0) json get_process_mem (0.2.0) gettext (3.2.2) @@ -278,7 +278,7 @@ GEM escape_utils (~> 1.1.0) mime-types (>= 1.19) rugged (>= 0.23.0b) - github-markup (1.4.0) + github-markup (1.6.1) gitlab-flowdock-git-hook (1.0.1) flowdock (~> 0.7) gitlab-grit (>= 2.4.1) @@ -298,13 +298,14 @@ GEM activesupport (>= 4.1.0) gollum-grit_adapter (1.0.1) gitlab-grit (~> 2.7, >= 2.7.1) - gollum-lib (4.2.1) - github-markup (~> 1.4.0) + gollum-lib (4.2.7) + gemojione (~> 3.2) + github-markup (~> 1.6) gollum-grit_adapter (~> 1.0) - nokogiri (~> 1.6.4) - rouge (~> 2.0) - sanitize (~> 2.1.0) - stringex (~> 2.5.1) + nokogiri (>= 1.6.1, < 2.0) + rouge (~> 2.1) + sanitize (~> 2.1) + stringex (~> 2.6) gollum-rugged_adapter (0.4.4) mime-types (>= 1.15) rugged (~> 0.25) @@ -466,14 +467,14 @@ GEM railties (>= 4, < 5.2) loofah (2.0.3) nokogiri (>= 1.5.9) - mail (2.6.5) + mail (2.6.6) mime-types (>= 1.16, < 4) mail_room (0.9.1) memoist (0.15.0) method_source (0.8.2) mime-types (2.99.3) mimemagic (0.3.0) - mini_portile2 (2.1.0) + mini_portile2 (2.2.0) minitest (5.7.0) mmap2 (2.2.7) mousetrap-rails (1.4.6) @@ -487,8 +488,8 @@ GEM net-ldap (0.16.0) net-ssh (4.1.0) netrc (0.11.0) - nokogiri (1.6.8.1) - mini_portile2 (~> 2.1.0) + nokogiri (1.8.0) + mini_portile2 (~> 2.2.0) numerizer (0.1.1) oauth (0.5.1) oauth2 (1.4.0) @@ -511,9 +512,9 @@ GEM jwt (~> 1.0) omniauth (~> 1.0) omniauth-oauth2 (~> 1.1) - omniauth-cas3 (1.1.3) + omniauth-cas3 (1.1.4) addressable (~> 2.3) - nokogiri (~> 1.6.6) + nokogiri (~> 1.7, >= 1.7.1) omniauth (~> 1.2) omniauth-facebook (4.0.0) omniauth-oauth2 (~> 1.2) @@ -601,7 +602,7 @@ GEM cliver (~> 0.3.1) multi_json (~> 1.0) websocket-driver (>= 0.2.0) - posix-spawn (0.3.11) + posix-spawn (0.3.13) powerpack (0.1.1) premailer (1.10.4) addressable 
@@ -855,7 +856,7 @@ GEM state_machines-activerecord (0.4.0) activerecord (>= 4.1, < 5.1) state_machines-activemodel (>= 0.3.0) - stringex (2.5.2) + stringex (2.7.1) sys-filesystem (1.1.6) ffi sysexits (1.2.0) @@ -874,9 +875,9 @@ GEM timfel-krb5-auth (0.8.3) toml-rb (0.3.15) citrus (~> 3.0, > 3.0) - truncato (0.7.8) + truncato (0.7.10) htmlentities (~> 4.3.1) - nokogiri (~> 1.6.1) + nokogiri (~> 1.8.0, >= 1.7.0) tzinfo (1.2.3) thread_safe (~> 0.1) u2f (0.2.1) @@ -992,7 +993,7 @@ DEPENDENCIES foreman (~> 0.78.0) fuubar (~> 2.2.0) gemnasium-gitlab-service (~> 0.2) - gemojione (~> 3.0) + gemojione (~> 3.3) gettext (~> 3.2.2) gettext_i18n_rails (~> 1.8.0) gettext_i18n_rails_js (~> 1.2.0) @@ -1038,7 +1039,7 @@ DEPENDENCIES mysql2 (~> 0.4.5) net-ldap net-ssh (~> 4.1.0) - nokogiri (~> 1.6.7, >= 1.6.7.2) + nokogiri (~> 1.8.0) oauth2 (~> 1.4) octokit (~> 4.6.2) oj (~> 2.17.4) @@ -1046,7 +1047,7 @@ DEPENDENCIES omniauth-auth0 (~> 1.4.1) omniauth-authentiq (~> 0.3.1) omniauth-azure-oauth2 (~> 0.0.6) - omniauth-cas3 (~> 1.1.2) + omniauth-cas3 (~> 1.1.4) omniauth-facebook (~> 4.0.0) omniauth-github (~> 1.1.1) omniauth-gitlab (~> 1.0.2) @@ -1135,7 +1136,7 @@ DEPENDENCIES thin (~> 1.7.0) timecop (~> 0.8.0) toml-rb (~> 0.3.15) - truncato (~> 0.7.8) + truncato (~> 0.7.9) u2f (~> 0.2.1) uglifier (~> 2.7.2) underscore-rails (~> 1.8.0) diff --git a/changelogs/unreleased/fix-gem-security-updates.yml b/changelogs/unreleased/fix-gem-security-updates.yml new file mode 100644 index 00000000000..dce11d08402 --- /dev/null +++ b/changelogs/unreleased/fix-gem-security-updates.yml @@ -0,0 +1,5 @@ +--- +title: Upgrade mail and nokogiri gems due to security issues +merge_request: 13662 +author: Markus Koller +type: security diff --git a/scripts/static-analysis b/scripts/static-analysis index e4f80e8fc6f..52529e64b30 100755 --- a/scripts/static-analysis +++ b/scripts/static-analysis 
@@ -3,7 +3,7 @@
 require ::File.expand_path('../lib/gitlab/popen', __dir__)
 
 tasks = [
- %w[bundle exec bundle-audit check --update --ignore CVE-2016-4658 CVE-2017-5029],
+ %w[bundle exec bundle-audit check --update],
 %w[bundle exec rake config_lint],
 %w[bundle exec rake flay],
 %w[bundle exec rake haml_lint],
-- 
cgit v1.2.1
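Review bot: Dropping `--ignore CVE-2016-4658 CVE-2017-5029` from the bundle-audit task leaves no trace in the script of why those suppressions existed or what cleared them; the Gemfile.lock hunk in this commit moves nokogiri to 1.8.0, which is presumably what makes the ignores unnecessary, but a future reader of the task list cannot see that. A short comment above the task, e.g. `# No advisories are suppressed; add --ignore only with the advisory id, a reason, and the lockfile version that clears it`, records the expectation for the next time the check is red. It is also worth confirming that `bundle-audit check --update` exits non-zero in CI when the advisory database cannot be refreshed, so a failed refresh does not let the check pass against a stale local copy. The `tasks` array continues outside the hunk.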