path: root/omnibus_overrides.rb

Commit log (commit message, author, date, files changed, lines -removed/+added)

* Update libarchive to 3.4.2 and nokogiri to 1.10.8
  Tim Smith, 2020-02-19, 1 file, -2/+2
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Add ruby 2.7 testing
  Lamont Granquist, 2020-01-28, 1 file, -2/+2
  Bumps to bundler 2.1.2 and rubygems 3.1.2 because ruby 2.7 comes with those.
  Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

* Update openssl to 1.0.2u
  Tim Smith, 2020-01-16, 1 file, -1/+1
  This resolves a CVE in openssl 1.0.2t.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Tiny spelling typo and grammar
  Ernie Hershey, 2019-12-04, 1 file, -1/+1
  Signed-off-by: Ernie Hershey <github@ernie.org>

* Update libxml2, libxslt, and nokogiri to the latest [bump_lib_deps]
  Tim Smith, 2019-11-04, 1 file, -3/+3
  Resolve multiple CVEs in these libs.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Require train ~3.1 for bootstrapping and openssl 1.0.2t [bumps_2019]
  Tim Smith, 2019-10-08, 1 file, -1/+1
  Somehow we missed the actual openssl 1.0.2t bump. We need this train bump to fix a bug in bootstrap that had to happen on the train side.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Bump Ruby to 2.6.5 to address CVEs #8951
  Christopher A. Snapp, 2019-10-02, 1 file, -1/+1
  Signed-off-by: Christopher A. Snapp <csnapp@chef.io>

* Remove some references to Travis from code comments [nuke_travis]
  Tim Smith, 2019-09-16, 1 file, -2/+1
  I removed the travis skips, but the comments were still there.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update Ruby to 2.6.4 and nokogiri to 10.10.4 to resolve CVEs
  Tim Smith, 2019-09-09, 1 file, -2/+2
  https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md#1104--2019-08-11
  https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update libarchive to 3.4.0 and pin in omnibus_overrides.rb
  Tim Smith, 2019-09-04, 1 file, -2/+3
  May 18, 2019: Fixes for reading Android APK and JAR archives
  Apr 16, 2019: Support for non-recursive list and extract
  Apr 14, 2019: New tar option: --exclude-vcs
  Mar 27, 2019: Support for file and directory symlinks on Windows
  Mar 12, 2019: Important fixes for storing file attributes and flags
  Jan 20, 2019: Support for xz, lzma, ppmd8 and bzip2 decompression in ZIP files
  Oct 06, 2018: RAR 5.0 reader
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Merge pull request #8735 from chef/openssl
  Tim Smith, 2019-07-10, 1 file, -1/+1
  Bump openSSL to 1.0.2s

  * (merged branch) Bump openSSL to 1.0.2s
    Tim Smith, 2019-07-10, 1 file, -1/+1
    This is a bugfix only release.
    Signed-off-by: Tim Smith <tsmith@chef.io>

* Roll back Rubygems to 3.0.3 to prevent double bundler install
  Tim Smith, 2019-07-10, 1 file, -1/+1
  There's nothing important in this release other than a few minor bugfixes. The other alternative was to roll bundler forward to 1.17.3 so that the embedded rubygems bundler matched, but this meant we had bundler 1.17.2 built into ruby 2.6.3 and then 1.17.3 installed on top of that. There's little value in that and it bloats our package size. Let's not do that unless there's a critical bug or CVE we need in rubygems / bundler.
  This also bumps omnibus-software to include the new ruby cleanup def that fails if we have double bundler and the new rubygems def that removes the rubygems-update gem once rubygems is installed.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Style/StringLiteralsInInterpolation
  Lamont Granquist, 2019-07-05, 1 file, -1/+1
  Since we use double quotes, be consistent everywhere.
  Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

* Update Rubygems to 3.0.4
  Tim Smith, 2019-06-24, 1 file, -1/+1
  This is a really small release with just a few minor bugfixes and a giant pile of fixes to their test / CI setup.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Pin bundler back to 1.17.2 which is built in Ruby
  Tim Smith, 2019-05-10, 1 file, -1/+1
  Prevent having double bundler installs. There's nothing of value in the .3 release and this just makes Chef bigger.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update to Ruby 2.6.3
  Tim Smith, 2019-05-01, 1 file, -1/+1
  This includes a few minor bugfixes and support for the new Japanese calendar. I also further pruned the gem groups to match the current ones in our Gemfile.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update nokogiri to 1.10.2
  Tim Smith, 2019-04-03, 1 file, -1/+1
  A pile of bugfixes.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Install Ruby 2.6.2
  Tim Smith, 2019-04-01, 1 file, -1/+1
  Bump to the latest and greatest Ruby. Pin Rake to 12.3.2 since that's what ships in Ruby.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update Ruby to 2.5.5
  Tim Smith, 2019-03-18, 1 file, -1/+1
  This updates the rubygems (which we already do) and also fixes a few bugs.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update rubygems to 3.0.3 [rubygems_bump]
  Tim Smith, 2019-03-04, 1 file, -1/+1
  This resolves several CVEs as well as a few bugs.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update openssl to 1.0.2r [openssl_bump_r]
  Tim Smith, 2019-02-28, 1 file, -1/+1
  This resolves a minor CVE that doesn't impact Chef, but should get fixed anyway.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update libxml2 to 2.9.9 [libxml2_15]
  Tim Smith, 2019-02-19, 1 file, -1/+1
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update Rubygems to 3.0.2 [bump_rubygems]
  Tim Smith, 2019-01-25, 1 file, -1/+1
  Bump Chef 15 to the latest and greatest rubygems.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Use the latest omnibus-software and nokogiri
  Tim Smith, 2019-01-23, 1 file, -1/+1
  The new omnibus-software includes a patch I added to fix compilation failures on non C99 compatible compilers with 2.6.0. The omnibus release that gets pulled in is also necessary for Ruby 2.6 on macOS.
  The new nokogiri supports windows on Ruby 2.6, which the previous version did not.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update rubygems to 2.7.7 and bundler to 1.17.3
  Tim Smith, 2019-01-03, 1 file, -2/+2
  These are the last versions of these stable releases. We may want to go bundler 2.0 / rubygems 3.0, but this is a solid first step.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Fix locking ohai to the value in the Gemfile.lock
  Tim Smith, 2018-12-04, 1 file, -4/+7
  Round 2.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Pin the ohai definition to use the ohai version from Gemfile.lock
  Tim Smith, 2018-12-04, 1 file, -0/+5
  Without this we end up with chef-client's definition using the version of ohai in the gemfile.lock and the ohai definition using whatever is in master. This is bad for two reasons:
  1. we're shipping an unreleased master version even when we ship chef 13 or chef 14
  2. we ship the ohai gem twice which takes up space on disk
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update openssl to 1.0.2q
  Tim Smith, 2018-11-22, 1 file, -1/+1
  Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
  Timing vulnerability in DSA signature generation (CVE-2018-0734)
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update Ruby to 2.5.3
  Tim Smith, 2018-10-23, 1 file, -1/+1
  This resolves several CVEs and fixes a large number of bugs.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update Nokogiri to 1.8.5
  Tim Smith, 2018-10-15, 1 file, -1/+1
  A large number of bugfixes.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update some build / updating instructions for development [instructions]
  Tim Smith, 2018-08-24, 1 file, -0/+3
  Update the readme with the correct rake tasks to build chef.
  Fix a typo in the rake comments.
  Add a comment we have in DK to remind folks that they need to update the deps after changing the overrides.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update to openssl 1.0.2p
  Tim Smith, 2018-08-14, 1 file, -1/+1
  Resolves:
  Client DoS due to large DH parameter (CVE-2018-0732)
  Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Back out the libxslt bump
  Tim Smith, 2018-06-12, 1 file, -1/+1
  Broke builds.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update omnibus_override versions
  Tim Smith, 2018-06-12, 1 file, -2/+2
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Bump Ruby to 2.5.1 and update release notes [ruby_and_libxml2_cves]
  Tim Smith, 2018-03-29, 1 file, -1/+1
  https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
  https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
  https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
  https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
  https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
  https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
  https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update openssl to 1.0.2o
  Tim Smith, 2018-03-27, 1 file, -1/+1
  This addresses https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Revert "Upgrade to openssl 1.1"
  Tim Smith, 2018-03-23, 1 file, -1/+1
  This reverts commit a67304414d83b06ea16cb92ca28ec0d5d0572028.

* Upgrade to openssl 1.1
  Tim Smith, 2018-03-23, 1 file, -1/+1
  1.0.2 goes EOL on 2019-12-31 so we should get off that.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* ruby-2.5 changes
  Lamont Granquist, 2018-03-09, 1 file, -2/+2
  Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

* use appbundler 0.11.1 for omnibus builds
  Lamont Granquist, 2018-03-01, 1 file, -1/+0
  Already working for kitchen-appbundle-updater in travis.
  Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

* use the git tag
  Lamont Granquist, 2018-02-28, 1 file, -1/+1
  Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

* need to pin appbundler in omnibus
  Lamont Granquist, 2018-02-28, 1 file, -0/+1
  Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>

* bump omnibus deps
  Thom May, 2018-02-28, 1 file, -2/+2
  Signed-off-by: Thom May <thom@chef.io>

* Update libxml2 to 2.9.7 [libxml2_chef14]
  Tim Smith, 2018-02-20, 1 file, -1/+1
  Resolves CVE-2017-15412.
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Revert "Bump to ruby 2.5.0"
  Thom May, 2018-01-23, 1 file, -1/+1

* Bump to ruby 2.5.0
  Thom May, 2018-01-23, 1 file, -1/+1
  Signed-off-by: Thom May <thom@chef.io>

* Update to Ruby 2.4.3 [ruby243]
  Tim Smith, 2018-01-05, 1 file, -1/+1
  This resolves this CVE: https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
  It also backports a few bugfixes from 2.5.0: https://github.com/ruby/ruby/compare/v2_4_2...v2_4_3
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Update for openssl 1.0.2n and inspec 1.48
  Tim Smith, 2017-12-07, 1 file, -1/+1
  Resolves:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3738
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737
  Signed-off-by: Tim Smith <tsmith@chef.io>

* Bump openssl and rubygems to latest
  Tim Smith, 2017-11-06, 1 file, -2/+2
  openssl:
  CVE-2017-3736 (OpenSSL advisory) [Moderate severity] 2nd November 2017: There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. Reported by Google OSS-Fuzz.
  CVE-2017-3735 (OpenSSL advisory) [Low severity] 28th August 2017: While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. Reported by Google OSS-Fuzz.
  rubygems:
  Whitelist classes and symbols that are in loaded YAML. See CVE-2017-0903 for full details. Fix by Aaron Patterson.
  Signed-off-by: Tim Smith <tsmith@chef.io>