Commit message
https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md#1104--2019-08-11
https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/
Signed-off-by: Tim Smith <tsmith@chef.io>
May 18, 2019: Fixes for reading Android APK and JAR archives
Apr 16, 2019: Support for non-recursive list and extract
Apr 14, 2019: New tar option: --exclude-vcs
Mar 27, 2019: Support for file and directory symlinks on Windows
Mar 12, 2019: Important fixes for storing file attributes and flags
Jan 20, 2019: Support for xz, lzma, ppmd8 and bzip2 decompression in ZIP files
Oct 06, 2018: RAR 5.0 reader
Signed-off-by: Tim Smith <tsmith@chef.io>
Bump OpenSSL to 1.0.2s
This is a bugfix only release.
Signed-off-by: Tim Smith <tsmith@chef.io>
There's nothing important in this release other than a few minor bugfixes. The other alternative was to roll bundler forward to 1.17.3 so that the embedded rubygems bundler matched, but this meant we had bundler 1.17.2 built into ruby 2.6.3 and then 1.17.3 installed on top of that. There's little value in that and it bloats our package size. Let's not do that unless there's a critical bug or CVE we need in rubygems / bundler.
This also bumps omnibus-software to include the new ruby cleanup def that fails if we have double bundler and the new rubygems def that removes the rubygems-update gem once rubygems is installed.
Signed-off-by: Tim Smith <tsmith@chef.io>
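The two conditions the commit above wants the build to fail on (a gem, bundler in particular, installed twice, and a leftover rubygems-update gem after rubygems has been upgraded) checked against an embedded Ruby's gems directory, as an added example. This is not Chef's or omnibus-software's code; the directory names are constructed sample data and the `/opt/chef/embedded/...` path in the comment is an assumption about where such a package keeps its gems.

```ruby
# Added example (not Chef or omnibus-software code): audit the gems
# directory of an omnibus-embedded Ruby for duplicate gem installs and
# for a rubygems-update gem left behind after rubygems was upgraded.
# The directory names in SAMPLE_GEM_DIRS are constructed sample data.

require "rubygems"

# Parse a "name-version" directory name as found under
# lib/ruby/gems/<abi>/gems/. The greedy match splits at the last "-"
# that starts a version, so "rubygems-update-3.0.3" becomes
# ["rubygems-update", Gem::Version("3.0.3")]. Returns nil for
# entries that are not gem directories.
def parse_gem_dir(dirname)
  m = dirname.match(/\A(.+)-(\d.*)\z/)
  return nil unless m
  [m[1], Gem::Version.new(m[2])]
end

# Returns { duplicates: { name => [versions...] }, leftovers: [names] }.
# :duplicates lists every gem present in more than one version;
# :leftovers lists gems that should not remain in a shipped package
# (by default only rubygems-update, the installer artifact).
def audit_gem_dirs(dirnames, leftover_gems: ["rubygems-update"])
  by_name = Hash.new { |h, k| h[k] = [] }
  dirnames.each do |d|
    name, version = parse_gem_dir(d)
    next unless name
    by_name[name] << version
  end
  duplicates = by_name.select { |_, vs| vs.size > 1 }
                      .transform_values { |vs| vs.sort.map(&:to_s) }
  leftovers = by_name.keys & leftover_gems
  { duplicates: duplicates, leftovers: leftovers }
end

# Wrapper for a real install; the path is an assumption about the
# package layout, e.g.
#   audit_gems_dir("/opt/chef/embedded/lib/ruby/gems/2.6.0/gems")
def audit_gems_dir(path)
  audit_gem_dirs(Dir.children(path))
end

# Constructed sample: the state the commit above is avoiding, with
# bundler 1.17.2 (built into Ruby) and 1.17.3 (installed on top) and
# the rubygems-update gem still present.
SAMPLE_GEM_DIRS = %w[
  bundler-1.17.2
  bundler-1.17.3
  rake-12.3.2
  rubygems-update-3.0.3
  ffi-1.11.1
  ohai-14.8.10
].freeze

if __FILE__ == $PROGRAM_NAME
  report = audit_gem_dirs(SAMPLE_GEM_DIRS)
  report[:duplicates].each { |n, vs| puts "duplicate #{n}: #{vs.join(', ')}" }
  report[:leftovers].each { |n| puts "leftover #{n} should be removed" }
  puts "clean" if report[:duplicates].empty? && report[:leftovers].empty?
end
```

In a build pipeline the natural place for this is right after the gem cleanup step, failing the build when either list is non-empty, which is the behaviour the commit describes for the omnibus-software cleanup definition.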
Since we use double quotes, be consistent everywhere.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
This is a really small release with just a few minor bugfixes and a
giant pile of fixes to their test / ci setup.
Signed-off-by: Tim Smith <tsmith@chef.io>
Prevent having double bundler installs. There's nothing of value in the
.3 release and this just makes Chef bigger.
Signed-off-by: Tim Smith <tsmith@chef.io>
This includes a few minor bugfixes and support for the new Japanese calendar. I also further pruned the gem groups to match the current ones in our Gemfile.
Signed-off-by: Tim Smith <tsmith@chef.io>
A pile of bugfixes
Signed-off-by: Tim Smith <tsmith@chef.io>
Bump to the latest and greatest Ruby
Pin Rake to 12.3.2 since that's what ships in Ruby
Signed-off-by: Tim Smith <tsmith@chef.io>
This updates the rubygems (which we already do) and also fixes a few bugs.
Signed-off-by: Tim Smith <tsmith@chef.io>
This resolves several CVEs as well as a few bugs.
Signed-off-by: Tim Smith <tsmith@chef.io>
This resolves a minor CVE that doesn't impact Chef, but should get fixed anyway.
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Tim Smith <tsmith@chef.io>
Bump Chef 15 to the latest and greatest rubygems.
Signed-off-by: Tim Smith <tsmith@chef.io>
The new omnibus-software includes a patch I added to fix compilation
failures on non-C99-compatible compilers with 2.6.0.
The omnibus release that gets pulled in is also necessary for Ruby 2.6 on macOS.
The new nokogiri supports Windows on Ruby 2.6, which the previous
version did not.
Signed-off-by: Tim Smith <tsmith@chef.io>
These are the last versions of these stable releases. We may want to go
bundler 2.0 / rubygems 3.0, but this is a solid first step.
Signed-off-by: Tim Smith <tsmith@chef.io>
Round 2
Signed-off-by: Tim Smith <tsmith@chef.io>
Without this we end up with chef-client's definition using the version
of ohai in the Gemfile.lock and the ohai definition using whatever is in
master. This is bad for two reasons:
1. we're shipping an unreleased master version even when we ship chef 13
or chef 14
2. we ship the ohai gem twice which takes up space on disk
Signed-off-by: Tim Smith <tsmith@chef.io>
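The mismatch described above, and the related question further down the log of pinning a hand-built dependency in omnibus_overrides.rb rather than in Gemfile.lock, can be checked mechanically. The following is an added example, not Chef's own tooling: it parses `override :name, version: "..."` lines (the only shape of the omnibus DSL it assumes) and the top-level `specs:` entries of a Gemfile.lock, then reports every gem pinned in both places at different versions, or pinned in the overrides to a branch such as `master` instead of a release. Both inputs are constructed; the ohai and ffi versions in them are sample values, not versions from this log.

```ruby
# Added example (not Chef's tooling): cross-check omnibus_overrides.rb
# pins against Gemfile.lock so a gem is not shipped once at the locked
# version and again at whatever a "master" override resolves to.
# SAMPLE_OVERRIDES and SAMPLE_LOCK are constructed inputs.

require "rubygems"

# Matches:  override :ohai, version: "v14.8.10"   (also "name" form)
OVERRIDE_RE = /\Aoverride\s+:?["']?([\w-]+)["']?\s*,\s*version:\s*["']([^"']+)["']/

# { "ohai" => "v14.8.10", ... } from an omnibus_overrides.rb body.
def parse_overrides(text)
  text.each_line.with_object({}) do |line, acc|
    m = line.strip.match(OVERRIDE_RE)
    acc[m[1]] = m[2] if m
  end
end

# { "ohai" => "14.8.10", ... } from a Gemfile.lock. Top-level entries in
# the specs: section are indented by exactly four spaces; their
# dependencies are indented by six and are skipped.
def parse_lockfile_specs(text)
  text.each_line.with_object({}) do |line, acc|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    acc[m[1]] = m[2] if m
  end
end

# For every gem present in both pin sources, report a problem when the
# override is not a release version (a git branch or ref such as
# "master", which resolves to an unreleased commit) or when it names a
# different release than the lockfile. A leading "v" (git tag style)
# is stripped before comparing.
def check_pins(overrides, lock_specs)
  problems = []
  overrides.each do |name, pin|
    next unless lock_specs.key?(name)
    locked = lock_specs[name]
    normalised = pin.sub(/\Av/, "")
    if !Gem::Version.correct?(normalised)
      problems << "#{name}: override '#{pin}' is a branch/ref, not a release; Gemfile.lock has #{locked}"
    elsif Gem::Version.new(normalised) != Gem::Version.new(locked)
      problems << "#{name}: override #{normalised} != Gemfile.lock #{locked}"
    end
  end
  problems
end

# Convenience for real files, e.g.
#   check_pin_files("omnibus_overrides.rb", "Gemfile.lock")
def check_pin_files(overrides_path, lock_path)
  check_pins(parse_overrides(File.read(overrides_path)),
             parse_lockfile_specs(File.read(lock_path)))
end

# Constructed overrides: ohai floats on master, ffi disagrees with the
# lockfile, rake matches via a "v" tag, the rest are not gems in the lock.
SAMPLE_OVERRIDES = <<~RB
  override :bundler, version: "1.17.2"
  override :ffi, version: "1.10.0"
  override :ohai, version: "master"
  override :openssl, version: "1.0.2s"
  override :rake, version: "v12.3.2"
  override :rubygems, version: "3.0.3"
RB

# Constructed Gemfile.lock excerpt.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ohai (14.8.10)
        ffi (~> 1.9)
      ffi (1.11.1)
      rake (12.3.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  problems = check_pins(parse_overrides(SAMPLE_OVERRIDES),
                        parse_lockfile_specs(SAMPLE_LOCK))
  puts(problems.empty? ? "pins consistent" : problems)
end
```

Run against the real files from the repository root, a non-empty result is exactly the situation the commit describes: the chef-client definition would build ohai at the Gemfile.lock version while the ohai definition builds a second copy from master.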
Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
Timing vulnerability in DSA signature generation (CVE-2018-0734)
Signed-off-by: Tim Smith <tsmith@chef.io>
This resolves several CVEs and fixes a large number of bugs.
Signed-off-by: Tim Smith <tsmith@chef.io>
A large number of bugfixes
Signed-off-by: Tim Smith <tsmith@chef.io>
Update the readme with the correct rake tasks to build chef
Fix a typo in the rake comments
Add a comment we have in DK to remind folks that they need to update the deps after changing the overrides.
Signed-off-by: Tim Smith <tsmith@chef.io>
Resolves:
Client DoS due to large DH parameter (CVE-2018-0732)
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
Signed-off-by: Tim Smith <tsmith@chef.io>
Broke builds
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Tim Smith <tsmith@chef.io>
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
Signed-off-by: Tim Smith <tsmith@chef.io>
This addresses https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739
Signed-off-by: Tim Smith <tsmith@chef.io>
This reverts commit a67304414d83b06ea16cb92ca28ec0d5d0572028.
1.0.2 goes EOL on 2019-12-31 so we should get off that
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
already working for kitchen-appbundle-updater in travis
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Thom May <thom@chef.io>
Resolves CVE-2017-15412
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Thom May <thom@chef.io>
This resolves this CVE https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
It also backports a few bugfixes from 2.5.0:
https://github.com/ruby/ruby/compare/v2_4_2...v2_4_3
Signed-off-by: Tim Smith <tsmith@chef.io>
Resolves:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737
Signed-off-by: Tim Smith <tsmith@chef.io>
openssl:
CVE-2017-3736 (OpenSSL advisory) [Moderate severity] 2nd November 2017:
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. Reported by Google OSS-Fuzz.
CVE-2017-3735 (OpenSSL advisory) [Low severity] 28th August 2017:
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. Reported by Google OSS-Fuzz.
rubygems:
Whitelist classes and symbols that are in loaded YAML. See CVE-2017-0903 for full details. Fix by Aaron Patterson.
Signed-off-by: Tim Smith <tsmith@chef.io>
Minor bug fixes and updated vendored libs that we've already bumped to.
Signed-off-by: Tim Smith <tsmith@chef.io>
It's 1.15 in Chef 12. I think when omnibus overrides were changed around
this slipped through the cracks.
Signed-off-by: Tim Smith <tsmith@chef.io>
libxml2:
A GIANT list of bugfixes and these CVEs:
CVE-2017-9050
CVE-2017-9049
CVE-2017-9048
CVE-2017-9047
CVE-2017-8872
CVE-2016-9318
https://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-3311/Xmlsoft-Libxml2.html
libxslt:
- Fixes bad memory handling and null derefs plus a GIANT list of bugs
libyaml:
* Fixed segfault in yaml_string_write_handler.
* Fixed invalid simple key assertion.
* Fixed error handling in some examples (thanks to Mathias Svensson).
* Removed obsolete VS project files.
openssl:
CVE-2017-3731 (OpenSSL advisory) [Moderate severity] 26th January 2017:
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For OpenSSL 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. Reported by Robert Święcki of Google.
CVE-2017-3732 (OpenSSL advisory) [Moderate severity] 26th January 2017:
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem. Reported by OSS-Fuzz project.
CVE-2016-7055 (OpenSSL advisory) [Low severity] 10th November 2016:
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected. Reported by Publicly reported.
Signed-off-by: Tim Smith <tsmith@chef.io>
Signed-off-by: Thom May <thom@chef.io>
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: jakauppila <Jared@Kauppi.la>
this hand-builds it with the software dep, and it's not a direct dep of
chef itself and shouldn't be in the Gemfile.lock anyway, plus we need
to pin via omnibus_overrides.rb and double-pinning in the Gemfile.lock
is just added fussiness
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Signed-off-by: Thom May <thom@chef.io>