author: Tim Smith <tsmith84@gmail.com> 2019-10-02 16:40:52 -0700
committer: Tim Smith <tsmith84@gmail.com> 2019-10-02 16:40:52 -0700
commit: e41b0686265c9e107543103bec7362fc52db91f1 (patch)
tree: 695494c45e3fc26a3910e5d0901aa945f571177f
parent: 5d3bdf9ea210964bf628d96e94d3d3cf3b770255 (diff)
download: chef-e41b0686265c9e107543103bec7362fc52db91f1.tar.gz
Update Ruby to 2.5.7 to address CVEs
Ruby 2.5.7 is out with fixes for:
- [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845).
- [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
- [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254).
- [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255).

Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r--  RELEASE_NOTES.md                   | 10
-rw-r--r--  omnibus_overrides.rb               |  7
-rwxr-xr-x  scripts/bk_tests/bk_linux_exec.sh  |  8
3 files changed, 15 insertions, 10 deletions
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index cc256848f1..282b2bd4f4 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -43,7 +43,7 @@ The `remote_file` resource now properly shows download progress when the `show_p
## Custom Resource Unified Mode
-Chef Infra Client 15.3 introduces an exciting new way to easily write custom resources that mix built-in Chef Infra resources with Ruby code. Previously, custom resources would use Chef Infra's standard compile and converge phases, which meant that Ruby would be evaluated first and then the resources would be converged. This often results in confusing and undesirable behavior when you are trying to mix resources with Ruby logic. Many custom resource authors would attempt to get around this by forcing resources to run at compile time so that all the code in their resource would execute during the compile phase.
+Chef Infra Client 14.14 introduces an exciting new way to easily write custom resources that mix built-in Chef Infra resources with Ruby code. Previously, custom resources would use Chef Infra's standard compile and converge phases, which meant that Ruby would be evaluated first and then the resources would be converged. This often results in confusing and undesirable behavior when you are trying to mix resources with Ruby logic. Many custom resource authors would attempt to get around this by forcing resources to run at compile time so that all the code in their resource would execute during the compile phase.
An example of forcing a resource to run at compile time:
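Review bot: The 15.3 to 14.14 edit in the Unified Mode paragraph is a release-note version correction that the commit message ("Update Ruby to 2.5.7 to address CVEs") does not mention; either call it out in the message or split it into its own commit so the CVE backport stays reviewable on its own.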
@@ -87,7 +87,13 @@ Knife now fails with a descriptive error message when attempting to bootstrap no
### Ruby
-Ruby has been updated from 2.6.3 to 2.6.4 in order to resolve [CVE-2012-6708](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708) and [CVE-2015-9251](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
+Ruby has been updated from 2.5.5 to 2.5.7 in order to resolve the following CVEs:
+ - [CVE-2012-6708](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708)
+ - [CVE-2015-9251](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
+ - [CVE-2019-16201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845).
+ - [CVE-2019-15845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251).
+ - [CVE-2019-16254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254).
+ - [CVE-2019-16255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255).
### openssl
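Review bot: Two of the added bullet links point at the wrong CVE record: `[CVE-2019-16201](...name=CVE-2019-15845)` and `[CVE-2019-15845](...name=CVE-2015-9251)`; the `name=` parameter should match the CVE in the link text, otherwise readers land on an unrelated advisory. The list also mixes bullets with and without a trailing period (the first has none), and the sentence says Ruby moved "from 2.5.5 to 2.5.7" while omnibus_overrides.rb in this same commit moves the pin from 2.5.6 to 2.5.7, so either the starting version or the attribution of the first two CVEs to this bump needs reconciling.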
diff --git a/omnibus_overrides.rb b/omnibus_overrides.rb
index c307f049c8..87d1257aff 100644
--- a/omnibus_overrides.rb
+++ b/omnibus_overrides.rb
@@ -1,6 +1,5 @@
# THIS IS NOW HAND MANAGED, JUST EDIT THE THING
-# .travis.yml and appveyor.yml consume this,
-# try to keep it machine-parsable.
+# keep it machine-parsable since CI uses it
#
# NOTE: You MUST update omnibus-software when adding new versions of
# software here: bundle exec rake dependencies:update_omnibus_gemfile_lock
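Review bot: The reworded comment drops which CI files consume this file (`.travis.yml` and `appveyor.yml`); if those consumers still exist, keeping their names tells the next editor what parses it, and if they are gone, naming the CI that now uses it would be more useful than "CI".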
@@ -17,7 +16,7 @@ override "libyaml", version: "0.1.7"
override "makedepend", version: "1.0.5"
override "ncurses", version: "5.9"
override "pkg-config-lite", version: "0.28-1"
-override "ruby", version: "2.5.6"
+override "ruby", version: "2.5.7"
override "ruby-windows-devkit-bash", version: "3.1.23-4-msys-1.0.18"
override "util-macros", version: "1.19.0"
override "xproto", version: "7.0.28"
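Review bot: The `NOTE:` comment just above this hunk says omnibus-software must be updated (`bundle exec rake dependencies:update_omnibus_gemfile_lock`) when a new software version is added, but the diffstat shows only three files changed and no Gemfile.lock update; confirm that the pinned omnibus-software already defines ruby 2.5.7, or run that rake task as the comment instructs so `override "ruby", version: "2.5.7"` actually resolves at build time.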
@@ -30,4 +29,4 @@ override "openssl", version: "1.0.2t"
# definition. This pin will ensure that ohai and chef-client commands use the
# same (released) version of ohai.
gemfile_lock = File.join(File.expand_path(File.dirname(__FILE__)), "Gemfile.lock")
-override "ohai", version: "#{::File.readlines(gemfile_lock).find { |l| l =~ /^\s+ohai \((\d+\.\d+\.\d+)\)/ }; 'v' + $1}" # rubocop: disable Layout/SpaceInsideStringInterpolation
+override "ohai", version: "#{::File.readlines(gemfile_lock).find { |l| l =~ /^\s+ohai \((\d+\.\d+\.\d+)\)/ }; "v" + $1}" # rubocop: disable Layout/SpaceInsideStringInterpolation
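Review bot: Switching `'v'` to `"v"` inside the interpolation is a quote-style-only change unrelated to the Ruby bump, and nesting double quotes inside a double-quoted string makes an already dense line harder to read; if it is to satisfy a rubocop string-literal rule, say so in the message. Separately, this line depends on `$1` being set as a side effect of `=~` inside `find`; if no `ohai (x.y.z)` line matches, `$1` is nil and `"v" + $1` raises a TypeError, so an explicit match with a clear failure message would be safer.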
diff --git a/scripts/bk_tests/bk_linux_exec.sh b/scripts/bk_tests/bk_linux_exec.sh
index fee73aa6bb..805397a361 100755
--- a/scripts/bk_tests/bk_linux_exec.sh
+++ b/scripts/bk_tests/bk_linux_exec.sh
@@ -30,11 +30,11 @@ sudo git clone https://github.com/asdf-vm/asdf.git /opt/asdf
. /opt/asdf/completions/asdf.bash
echo "--- Installing Ruby ASDF plugin"
-/opt/asdf/bin/asdf plugin-add ruby https://github.com/asdf-vm/asdf-ruby.git
+/opt/asdf/bin/asdf plugin-add ruby https://github.com/asdf-vm/asdf-ruby.git
-echo "--- Installing Ruby 2.5.5"
-/opt/asdf/bin/asdf install ruby 2.5.5
-/opt/asdf/bin/asdf global ruby 2.5.5
+echo "--- Installing Ruby 2.5.6"
+/opt/asdf/bin/asdf install ruby 2.5.6
+/opt/asdf/bin/asdf global ruby 2.5.6
# Update Gems
gem update --system $(grep rubygems omnibus_overrides.rb | cut -d'"' -f2)
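Review bot: The CI script now installs and selects Ruby 2.5.6 (`echo "--- Installing Ruby 2.5.6"`, `asdf install ruby 2.5.6`, `asdf global ruby 2.5.6`) while omnibus_overrides.rb in this same commit pins 2.5.7, so the Buildkite tests would run on a Ruby still affected by the CVEs this commit is meant to address; bump these three lines to 2.5.7. The `-`/`+` pair for the `plugin-add` line is textually identical, which suggests a trailing-whitespace or line-ending-only change that could be dropped from the patch.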