| Commit message | Author | Age | Files | Lines |
Signed-off-by: Jared Quick <jquick@chef.io>
Signed-off-by: Bryan McLellan <btm@loftninjas.org>
Windows MSI: files are now re-unzipped during repair mode
Signed-off-by: Stuart Preston <stuart@chef.io>
tested this in CI builds and it was working.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Tim Smith <tsmith@chef.io>
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
Signed-off-by: Tim Smith <tsmith@chef.io>
This addresses https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739
Signed-off-by: Tim Smith <tsmith@chef.io>
Ship InSpec 2
Signed-off-by: Thom May <thom@chef.io>
We missed 2 changelog updates due to this so I'm manually adding them
Signed-off-by: Tim Smith <tsmith@chef.io>
This gets us bz2 support in libarchive
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Stuart Preston <stuart@chef.io>
Signed-off-by: Stuart Preston <stuart@chef.io>
Signed-off-by: Stuart Preston <stuart@chef.io>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
crept in from local gem sets on workstations
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Thom May <thom@chef.io>
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Tom Duffield <tom@chef.io>
Debian 7 goes EOL 31st May 2018
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Stuart Preston <stuart@chef.io>
Signed-off-by: Stuart Preston <stuart@chef.io>
Signed-off-by: Thom May <thom@chef.io>
Signed-off-by: Thom May <thom@chef.io>
This resolves this CVE https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
It also backports a few bugfixes from 2.5.0:
https://github.com/ruby/ruby/compare/v2_4_2...v2_4_3
Signed-off-by: Tim Smith <tsmith@chef.io>
Resolves:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737
Signed-off-by: Tim Smith <tsmith@chef.io>
openssl:
CVE-2017-3736 (OpenSSL advisory) [Moderate severity] 2nd November 2017:
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. Reported by Google OSS-Fuzz.
CVE-2017-3735 (OpenSSL advisory) [Low severity] 28th August 2017:
While parsing an IPAdressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. Reported by Google OSS-Fuzz.
rubygems:
Whitelist classes and symbols that are in loaded YAML. See CVE-2017-0903 for full details. Fix by Aaron Patterson.
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Kartik Null Cating-Subramanian <ksubramanian@chef.io>
Signed-off-by: Thom May <thom@chef.io>
Signed-off-by: Thom May <thom@chef.io>
Signed-off-by: Thom May <thom@chef.io>
* Remove call to update_omnibus_overrides
The rake task `update_omnibus_overrides` was removed in dafd5139338aed684410e311b9be906b346db678.
* Update acceptance/Gemfile.lock to match Gemfile.lock for mixlib-shellout
This should fix acceptance where we're seeing both mixlib-shellout 2.3.1 and 2.3.2.
Signed-off-by: Jaymala Sinha <jsinha@chef.io>
Since the symlinks created inside /usr/bin conflict between our
"Angry" and mainstream projects on our testers, we are updating the IPS
packaging to override "projectname-symlinks.erb" if it exists.
We are leaving symlinks.erb for backward compatibility. PRs with resource
filename updates in chef and omnibus-toolchain will follow this PR.
Related omnibus PR: https://github.com/chef/omnibus/pull/793
Signed-off-by: Jaymala Sinha <jsinha@chef.io>
The actual fix is chef/omnibus-software#864
Signed-off-by: Thom May <thom@chef.io>
The cert has been updated as the old one expires on 2017-07-25.
Signed-off-by: Seth Chisamore <schisamo@chef.io>
Signed-off-by: Scott Hain <shain@chef.io>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
This hand-builds it with the software dep, and it's not a direct dep of
chef itself and shouldn't be in the Gemfile.lock anyway, plus we need
to pin via omnibus_overrides.rb and double-pinning in the Gemfile.lock
is just added fussiness
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Thom May <thom@chef.io>
Provided by chef/omnibus-software#836
Signed-off-by: Thom May <thom@chef.io>
This is also necessary for bundler-1.14.x.
I'm still not entirely clear why we ever needed all the fussy software gem
configs or what the build-chef / build-chef-gem infrastructure ever
did for us. It seems to have been mostly micro-optimization around
building the software gems before bundle installing the project in order
to take advantage of git caching. I aggressively don't care about that;
this is quite fast enough. We can install nokogiri and libgecode early
and that should take care of 98% of the build optimization issue.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Fixes: #6049
Signed-off-by: Thom May <thom@chef.io>
Signed-off-by: Thom May <thom@chef.io>