| Commit message | Author | Age | Files | Lines |

Signed-off-by: Tim Smith <tsmith@chef.io>

Bumps to bundler 2.1.2 and rubygems 3.1.2 because ruby 2.7 comes with those.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

This resolves a CVE in openssl 1.0.2t.
Signed-off-by: Tim Smith <tsmith@chef.io>

Signed-off-by: Ernie Hershey <github@ernie.org>

Resolve multiple CVEs in these libs
Signed-off-by: Tim Smith <tsmith@chef.io>

Somehow we missed the actual openssl 1.0.2t bump. We need this train bump to fix a bug in bootstrap that had to happen on the train side.
Signed-off-by: Tim Smith <tsmith@chef.io>

Signed-off-by: Christopher A. Snapp <csnapp@chef.io>

I removed the travis skips, but the comments were still there.
Signed-off-by: Tim Smith <tsmith@chef.io>

https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md#1104--2019-08-11
https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/
Signed-off-by: Tim Smith <tsmith@chef.io>

May 18, 2019: Fixes for reading Android APK and JAR archives
Apr 16, 2019: Support for non-recursive list and extract
Apr 14, 2019: New tar option: --exclude-vcs
Mar 27, 2019: Support for file and directory symlinks on Windows
Mar 12, 2019: Important fixes for storing file attributes and flags
Jan 20, 2019: Support for xz, lzma, ppmd8 and bzip2 decompression in ZIP files
Oct 06, 2018: RAR 5.0 reader
Signed-off-by: Tim Smith <tsmith@chef.io>

Bump OpenSSL to 1.0.2s

This is a bugfix-only release.
Signed-off-by: Tim Smith <tsmith@chef.io>

There's nothing important in this release other than a few minor bugfixes. The other alternative was to roll bundler forward to 1.17.3 so that the embedded rubygems bundler matched, but this meant we had bundler 1.17.2 built into ruby 2.6.3 and then 1.17.3 installed on top of that. There's little value in that and it bloats our package size. Let's not do that unless there's a critical bug or CVE we need in rubygems / bundler.
This also bumps omnibus-software to include the new ruby cleanup def that fails if we have double bundler and the new rubygems def that removes the rubygems-update gem once rubygems is installed.
Signed-off-by: Tim Smith <tsmith@chef.io>

Since we use double quotes, be consistent everywhere.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

This is a really small release with just a few minor bugfixes and a
giant pile of fixes to their test / ci setup.
Signed-off-by: Tim Smith <tsmith@chef.io>

Prevent having double bundler installs. There's nothing of value in the
.3 release and this just makes Chef bigger.
Signed-off-by: Tim Smith <tsmith@chef.io>

This includes a few minor bugfixes and support for the new Japanese calendar. I also further pruned the gem groups to match the current ones in our Gemfile.
Signed-off-by: Tim Smith <tsmith@chef.io>

A pile of bugfixes
Signed-off-by: Tim Smith <tsmith@chef.io>

Bump to the latest and greatest Ruby
Pin Rake to 12.3.2 since that's what ships in Ruby
Signed-off-by: Tim Smith <tsmith@chef.io>

This updates the rubygems (which we already do) and also fixes a few bugs.
Signed-off-by: Tim Smith <tsmith@chef.io>

This resolves several CVEs as well as a few bugs.
Signed-off-by: Tim Smith <tsmith@chef.io>

This resolves a minor CVE that doesn't impact Chef, but should get fixed anyway.
Signed-off-by: Tim Smith <tsmith@chef.io>

Signed-off-by: Tim Smith <tsmith@chef.io>

Bump Chef 15 to the latest and greatest rubygems.
Signed-off-by: Tim Smith <tsmith@chef.io>

The new omnibus-software includes a patch I added to fix compilation
failures on non C99 compatible compilers with 2.6.0.
The omnibus release that gets pulled in is also necessary for Ruby 2.6 on macOS
The new nokogiri supports windows on Ruby 2.6, which the previous
version did not.
Signed-off-by: Tim Smith <tsmith@chef.io>

These are the last versions of these stable releases. We may want to go
bundler 2.0 / rubygems 3.0, but this is a solid first step.
Signed-off-by: Tim Smith <tsmith@chef.io>

Round 2
Signed-off-by: Tim Smith <tsmith@chef.io>

Without this we end up with chef-client's definition using the version
of ohai in the gemfile.lock and the ohai definition using whatever is in
master. This is bad for two reasons:
1. we're shipping an unreleased master version even when we ship chef 13
or chef 14
2. we ship the ohai gem twice which takes up space on disk
Signed-off-by: Tim Smith <tsmith@chef.io>

Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
Timing vulnerability in DSA signature generation (CVE-2018-0734)
Signed-off-by: Tim Smith <tsmith@chef.io>

This resolves several CVEs and fixes a large number of bugs.
Signed-off-by: Tim Smith <tsmith@chef.io>

A large number of bugfixes
Signed-off-by: Tim Smith <tsmith@chef.io>

Update the readme with the correct rake tasks to build chef
Fix a typo in the rake comments
Add a comment we have in DK to remind folks that they need to update the deps after changing the overrides.
Signed-off-by: Tim Smith <tsmith@chef.io>

Resolves:
Client DoS due to large DH parameter (CVE-2018-0732)
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
Signed-off-by: Tim Smith <tsmith@chef.io>

Broke builds
Signed-off-by: Tim Smith <tsmith@chef.io>

Signed-off-by: Tim Smith <tsmith@chef.io>

https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
Signed-off-by: Tim Smith <tsmith@chef.io>

This addresses https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739
Signed-off-by: Tim Smith <tsmith@chef.io>

This reverts commit a67304414d83b06ea16cb92ca28ec0d5d0572028.

1.0.2 goes EOL on 2019-12-31 so we should get off that
Signed-off-by: Tim Smith <tsmith@chef.io>

Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

Already working for kitchen-appbundle-updater in travis
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

Signed-off-by: Thom May <thom@chef.io>

Resolves CVE-2017-15412
Signed-off-by: Tim Smith <tsmith@chef.io>

Signed-off-by: Thom May <thom@chef.io>

This resolves this CVE https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
It also backports a few bugfixes from 2.5.0:
https://github.com/ruby/ruby/compare/v2_4_2...v2_4_3
Signed-off-by: Tim Smith <tsmith@chef.io>

Resolves:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737
Signed-off-by: Tim Smith <tsmith@chef.io>

openssl:
CVE-2017-3736 (OpenSSL advisory) [Moderate severity] 2nd November 2017:
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. Reported by Google OSS-Fuzz.
CVE-2017-3735 (OpenSSL advisory) [Low severity] 28th August 2017:
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. Reported by Google OSS-Fuzz.
rubygems:
Whitelist classes and symbols that are in loaded YAML. See CVE-2017-0903 for full details. Fix by Aaron Patterson.
Signed-off-by: Tim Smith <tsmith@chef.io>