From 2b163f9e7af3af93b445b5340296305299453f29 Mon Sep 17 00:00:00 2001
From: Tim Smith
Date: Thu, 29 Mar 2018 10:10:21 -0700
Subject: Bump Ruby to 2.5.1 and update release notes
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
Signed-off-by: Tim Smith
---
 Gemfile.lock | 14 +++++++-------
 RELEASE_NOTES.md | 17 +++++++++++++++++
 omnibus/Gemfile.lock | 12 ++++++------
 omnibus_overrides.rb | 2 +-
 4 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index c9a72bbdd1..79e9d1e8ef 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -105,13 +105,13 @@ GEM
 mixlib-cli (~> 1.4)
 mixlib-shellout (~> 2.0)
 ast (2.4.0)
- aws-sdk (2.11.22)
- aws-sdk-resources (= 2.11.22)
- aws-sdk-core (2.11.22)
+ aws-sdk (2.11.24)
+ aws-sdk-resources (= 2.11.24)
+ aws-sdk-core (2.11.24)
 aws-sigv4 (~> 1.0)
 jmespath (~> 1.0)
- aws-sdk-resources (2.11.22)
- aws-sdk-core (= 2.11.22)
+ aws-sdk-resources (2.11.24)
+ aws-sdk-core (= 2.11.24)
 aws-sigv4 (1.0.2)
 azure_mgmt_resources (0.16.0)
 ms_rest_azure (~> 0.10.0)
@@ -145,7 +145,7 @@ GEM
 erubis (2.7.0)
 ethon (0.11.0)
 ffi (>= 1.3.0)
- excon (0.61.0)
+ excon (0.62.0)
 faraday (0.14.0)
 multipart-post (>= 1.2, < 3)
 faraday-cookie_jar (0.0.6)
@@ -348,7 +348,7 @@ GEM
 thor (0.20.0)
 timeliness (0.3.8)
 tomlrb (1.2.6)
- train (1.2.0)
+ train (1.3.0)
 aws-sdk (~> 2)
 azure_mgmt_resources (~> 0.15)
 docker-api (~> 1.26)
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 184e25231b..1f84235c24 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -312,6 +312,23 @@ Since our supported Windows platforms can all run .NET Framework 4.0 and PowerSh
 Chef now includes a new log level of `:trace` in addition to the existing `:info`, `:warn`, and `:debug` levels. With the introduction of `trace` level logging we've moved a large amount of logging that is more useful for Chef developers from `debug` to `trace`. This makes it easier for Chef Cookbook developers to use `debug` level to get useful information.
+## Security Updates
+
+### OpenSSL
+
+OpenSSL has been updated to 1.0.2o to resolve [CVE-2018-0739](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739)
+
+### Ruby
+
+Ruby has been updated to 2.5.1 to resolve the following vulnerabilities:
+- https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
+- https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
+- https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
+- https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
+- https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
+- https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
+- https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
+
 ## Breaking Changes
 This release completes the deprecation process for many of the deprecations that were warnings throughout the Chef 12 and Chef 13 releases.
diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock
index 446f5394a3..600a6d0428 100644
--- a/omnibus/Gemfile.lock
+++ b/omnibus/Gemfile.lock
@@ -18,7 +18,7 @@ GIT
 GIT
 remote: https://github.com/chef/omnibus-software
- revision: 23282b98937a697f6c2009b2d22b5c5fdaf87c38
+ revision: 75ae88adb7d6b51038d92d1cfb40dec5fded9650
 branch: master
 specs:
 omnibus-software (4.0.0)
@@ -31,13 +31,13 @@ GEM
 addressable (2.5.2)
 public_suffix (>= 2.0.2, < 4.0)
 awesome_print (1.8.0)
- aws-sdk (2.11.22)
- aws-sdk-resources (= 2.11.22)
- aws-sdk-core (2.11.22)
+ aws-sdk (2.11.24)
+ aws-sdk-resources (= 2.11.24)
+ aws-sdk-core (2.11.24)
 aws-sigv4 (~> 1.0)
 jmespath (~> 1.0)
- aws-sdk-resources (2.11.22)
- aws-sdk-core (= 2.11.22)
+ aws-sdk-resources (2.11.24)
+ aws-sdk-core (= 2.11.24)
 aws-sigv4 (1.0.2)
 berkshelf (4.3.5)
 addressable (~> 2.3, >= 2.3.4)
diff --git a/omnibus_overrides.rb b/omnibus_overrides.rb
index 7498a97886..1d2b46bdbe 100644
--- a/omnibus_overrides.rb
+++ b/omnibus_overrides.rb
@@ -14,7 +14,7 @@ override "libyaml", version: "0.1.7"
 override "makedepend", version: "1.0.5"
 override "ncurses", version: "5.9"
 override "pkg-config-lite", version: "0.28-1"
-override "ruby", version: "2.5.0"
+override "ruby", version: "2.5.1"
 override "ruby-windows-devkit-bash", version: "3.1.23-4-msys-1.0.18"
 override "util-macros", version: "1.19.0"
 override "xproto", version: "7.0.28"
-- 
cgit v1.2.1