Signed-off-by: Thom May <thom@chef.io>
Signed-off-by: Thom May <thom@chef.io>
This resolves this CVE: https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
It also backports a few bugfixes from 2.5.0:
https://github.com/ruby/ruby/compare/v2_4_2...v2_4_3
Signed-off-by: Tim Smith <tsmith@chef.io>
Resolves:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737
Signed-off-by: Tim Smith <tsmith@chef.io>
openssl:
CVE-2017-3736 (OpenSSL advisory) [Moderate severity] 2nd November 2017:
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. Reported by Google OSS-Fuzz.
CVE-2017-3735 (OpenSSL advisory) [Low severity] 28th August 2017:
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. Reported by Google OSS-Fuzz.
rubygems:
Whitelist classes and symbols that are in loaded YAML. See CVE-2017-0903 for full details. Fix by Aaron Patterson.
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Kartik Null Cating-Subramanian <ksubramanian@chef.io>
Signed-off-by: Thom May <thom@chef.io>
Signed-off-by: Thom May <thom@chef.io>
Signed-off-by: Thom May <thom@chef.io>
* Remove call to update_omnibus_overrides
The rake task `update_omnibus_overrides` was removed in dafd5139338aed684410e311b9be906b346db678.
* Update acceptance/Gemfile.lock to match Gemfile.lock for mixlib-shellout
This should fix acceptance where we're seeing both mixlib-shellout 2.3.1 and 2.3.2.
Signed-off-by: Jaymala Sinha <jsinha@chef.io>
Since the symlinks created inside /usr/bin conflict between our
"Angry" and mainstream projects on our testers, we are updating the IPS
packaging to override "projectname-symlinks.erb" if it exists.
We are leaving symlinks.erb for backward compatibility. PRs with resource
filename updates in chef and omnibus-toolchain will follow this PR.
Related omnibus PR: https://github.com/chef/omnibus/pull/793
Signed-off-by: Jaymala Sinha <jsinha@chef.io>
The actual fix is chef/omnibus-software#864
Signed-off-by: Thom May <thom@chef.io>
The cert has been updated as the old one expires on 2017-07-25.
Signed-off-by: Seth Chisamore <schisamo@chef.io>
Signed-off-by: Scott Hain <shain@chef.io>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
this hand-builds it with the software dep, and it's not a direct dep of
chef itself and shouldn't be in the Gemfile.lock anyway, plus we need
to pin via omnibus_overrides.rb and double-pinning in the Gemfile.lock
is just added fussiness
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Thom May <thom@chef.io>
Provided by chef/omnibus-software#836
Signed-off-by: Thom May <thom@chef.io>
this is also necessary for bundler-1.14.x
i'm still not entirely clear why we ever needed all the fussy software gem
configs or what the build-chef / build-chef-gem infrastructure ever
did for us. it seems to have been mostly micro-optimization around
building the software gems before bundle installing the project in order
to take advantage of git caching. i aggressively don't care about that,
this is quite fast enough. we can install nokogiri and libgecode early
and that should take care of 98% of the build optimization issue.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Fixes: #6049
Signed-off-by: Thom May <thom@chef.io>
Signed-off-by: Thom May <thom@chef.io>
Picking up chef/omnibus#771 to correct an issue with the BFF
packager, currently causing issues on the chef-test job for AIX
testers. Thanks for nothing, braces-in-filenames!
Signed-off-by: Adam Leff <adam@leff.co>
This change adds InSpec to the Chef Gemfile, making it easier
for our community to use InSpec for testing without requiring
them to `chef_gem` install it prior to use.
This also helps our users who wish to use InSpec but are in an
air-gapped environment. Including our preferred testing library
in our Omnibus builds will make it much easier for those users
to use InSpec.
Signed-off-by: Adam Leff <adam@leff.co>
pulls in chef/omnibus-software#806 and removes iconv from both
nokogiri and ruby.
ruby hasn't needed iconv since 1.9.x and everyone should be using
the Encoding library by now.
nokogiri will lose support for things like Shift-JIS inside of XML
but UTF-8, UTF-16LE/BE, ISO-8859-1 (Latin-1), ASCII and "HTML" encoding
are all supported by nokogiri natively. if users need more they need
to be maintaining their own nokogiri installs and accept the
maintenance costs themselves.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
nokogiri does not have a ruby-2.4 release for windows
this is slightly complicated because we still need nokogiri in the
Gemfile.lock for travis.
i'm starting to think we should have a Gemfile.travis and
Gemfile.travis.lock or something and stop using groups for that.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
unbreaks builds.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Thom May <thom@chef.io>
this eliminates all the "run gem pristine" warning spam
and i believe uses "bundle lock" correctly.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
This reverts commit 6628f708acdefe2fc6bff85a1edade89f0b4d8ee.
oops.
this eliminates all the "run gem pristine" warning spam
and i believe uses "bundle lock" correctly.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Thom May <thom@chef.io>
This updates the branch pinnings to use the omnibus-toolchain enabled
version of omnibus and omnibus-software.
Signed-off-by: Ryan Hass <rhass@users.noreply.github.com>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
now the build should be fixed.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
the `github:` argument gets translated to git:// urls, which are
insecure and i have a .gitconfig which translates those to
https:// urls, and the effect of that is that when _I_ bump the
Gemfile.lock the urls don't match and `bundle install` with
the `--deployment` flag gets all pissy and I break the build, and
since i don't habitually `bundle install --deployment` locally I
never see the failures.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
This requires pulling in master of several gems, bumps all
the other gems, plus pulls in new kitchen-appbundle-updater
which supports pulling master of ohai.
Note that kitchen-windows is disabled because it turns out
it was broken and red on 12.19 all along.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
This reverts commit bd45e8360cf233cbadba17c4ee9870d450a610f8.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
department of redundancy department
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Tom Duffield <tom@chef.io>
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Tom Duffield <tom@chef.io>
Signed-off-by: Tom Duffield <tom@chef.io>