Commit 95336861 authored by Stan Hu

Merge branch 'redcloth-4-3-2-cve-2012-6684' into 'master'

Update RedCloth to 4.3.2 for CVE-2012-6684

## What does this MR do?

To fix XSS (CVE-2012-6684), upgrade RedCloth to 4.3.2.

## Are there points in the code the reviewer needs to double check?

No.

## Why was this MR needed?

The security vulnerability in RedCloth (CVE-2012-6684) should be fixed to provide GitLab as secure software.

## What are the relevant issue numbers?

Closes #19169 

cf. !2037, !2071

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [n/a] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [n/a] API support added
- Tests
  - [n/a] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4929
parents 328fbd82 a034374f
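The commit message states the whole fix as a version floor: anything below RedCloth 4.3.2 is affected, 4.3.2 and later are not. The following is an added example, not code from this MR or from GitLab: a small Ruby check that parses a Gemfile.lock and reports any gem pinned below the release that fixes a known CVE, using the RedCloth 4.3.2 floor and the CVE id taken from this MR. The `FIXED_VERSIONS` table and the two lockfile excerpts are constructed for the demonstration; a real audit would read the project's actual lock and take the table from an advisory database (bundler-audit does this against ruby-advisory-db).

```ruby
# Added example (not from the GitLab MR): audit a Gemfile.lock for gems pinned
# below the release that fixes a known CVE. The fixed version 4.3.2 and the
# CVE id come from the MR; the lockfile excerpts below are constructed.
require 'rubygems'

# Minimum safe versions, keyed by gem name exactly as it appears in the lock.
FIXED_VERSIONS = {
  'RedCloth' => { min: Gem::Version.new('4.3.2'), cve: 'CVE-2012-6684' }
}.freeze

# Constructed lockfile excerpt mirroring the pre-upgrade state of the page.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      RedCloth (4.2.9)
      ace-rails-ap (4.0.2)
      actionmailer (4.2.6)
        actionpack (= 4.2.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    RedCloth (~> 4.2.9)
LOCK

# Same excerpt after the upgrade (both the specs pin and the DEPENDENCIES line move).
LOCK_AFTER = LOCK_BEFORE.gsub('4.2.9', '4.3.2')

# Parse every `specs:` block of a Gemfile.lock into { name => Gem::Version }.
# Top-level entries are indented by exactly four spaces ("    name (version)");
# the six-space lines beneath them are dependency constraints and are skipped.
def parse_lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.start_with?('  specs:')
      in_specs = true
      next
    end
    # A non-indented, non-blank line (PLATFORMS, DEPENDENCIES, GEM, ...) ends the block.
    in_specs = false if in_specs && line !~ /\A\s/ && !line.strip.empty?
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# Compare pinned versions against the fixed-version table. Returns an array of
# [gem, locked_version, fixed_version, cve] for each gem still below the fix;
# gems absent from the lock are not reported (nothing vulnerable is installed).
def vulnerable_pins(lock_text, fixed = FIXED_VERSIONS)
  specs = parse_lock_specs(lock_text)
  fixed.each_with_object([]) do |(name, info), findings|
    locked = specs[name]
    next unless locked && locked < info[:min]
    findings << [name, locked.to_s, info[:min].to_s, info[:cve]]
  end
end

if __FILE__ == $PROGRAM_NAME
  { 'before' => LOCK_BEFORE, 'after' => LOCK_AFTER }.each do |label, text|
    findings = vulnerable_pins(text)
    puts "#{label}: #{findings.empty? ? 'no vulnerable pins' : findings.inspect}"
  end
end
```

Comparing with `Gem::Version` rather than string comparison is the point of the check: `'4.10.0' < '4.3.2'` is true as strings and false as versions, and a lock can carry pre-release suffixes that only a version parser orders correctly. The `DEPENDENCIES` block is deliberately ignored, since it restates the Gemfile constraint (a floor), while the `specs:` pin is what `bundle install` actually installs.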
...@@ -38,6 +38,7 @@ v 8.9.5 (unreleased) ...@@ -38,6 +38,7 @@ v 8.9.5 (unreleased)
- Show "locked" label for locked runners on runners admin. !4961 - Show "locked" label for locked runners on runners admin. !4961
- Fixes issues importing events in Import/Export. Import/Export version bumped to 0.1.1 - Fixes issues importing events in Import/Export. Import/Export version bumped to 0.1.1
- Fix import button disabled when import process fail due to the namespace already been taken. - Fix import button disabled when import process fail due to the namespace already been taken.
- Security: Update RedCloth to 4.3.2 (Takuya Noguchi)
v 8.9.4 v 8.9.4
- Fix privilege escalation issue with OAuth external users. - Fix privilege escalation issue with OAuth external users.
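Review bot: the new CHANGELOG line "Security: Update RedCloth to 4.3.2 (Takuya Noguchi)" omits the CVE identifier and the MR reference that the commit message carries (CVE-2012-6684, !4929), while the neighbouring runners entry in this block cites its MR (!4961); suggest `- Security: Update RedCloth to 4.3.2 for CVE-2012-6684 (Takuya Noguchi) !4929` so a reader of the 8.9.5 release notes can trace the advisory without opening the commit.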
......
...@@ -107,7 +107,7 @@ gem 'html-pipeline', '~> 1.11.0' ...@@ -107,7 +107,7 @@ gem 'html-pipeline', '~> 1.11.0'
gem 'task_list', '~> 1.0.2', require: 'task_list/railtie' gem 'task_list', '~> 1.0.2', require: 'task_list/railtie'
gem 'github-markup', '~> 1.3.1' gem 'github-markup', '~> 1.3.1'
gem 'redcarpet', '~> 3.3.3' gem 'redcarpet', '~> 3.3.3'
gem 'RedCloth', '~> 4.2.9' gem 'RedCloth', '~> 4.3.2'
gem 'rdoc', '~>3.6' gem 'rdoc', '~>3.6'
gem 'org-ruby', '~> 0.9.12' gem 'org-ruby', '~> 0.9.12'
gem 'creole', '~> 0.5.0' gem 'creole', '~> 0.5.0'
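Review bot: `~> 4.3.2` sets the floor at the fixed release and permits only later 4.3.x patch levels, which is the right constraint for a security bump; note that it does not by itself pin anything, so the Gemfile.lock change must ship in the same MR (the `RedCloth (4.3.2)` line in the specs hunk below is what `bundle install` actually installs in deployments).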
......
GEM GEM
remote: https://rubygems.org/ remote: https://rubygems.org/
specs: specs:
RedCloth (4.2.9) RedCloth (4.3.2)
ace-rails-ap (4.0.2) ace-rails-ap (4.0.2)
actionmailer (4.2.6) actionmailer (4.2.6)
actionpack (= 4.2.6) actionpack (= 4.2.6)
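Review bot: only the `RedCloth (4.2.9)` line moves to `RedCloth (4.3.2)` in the specs block and no transitive dependency changes, which is what a targeted security bump should look like; if the lock was regenerated with a plain `bundle update`, double-check the rest of the file, since that would also move unrelated gems, whereas `bundle update RedCloth --conservative` keeps the change scoped to this gem. After deploy, `bundle show RedCloth` should report 4.3.2.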
...@@ -803,7 +803,7 @@ PLATFORMS ...@@ -803,7 +803,7 @@ PLATFORMS
ruby ruby
DEPENDENCIES DEPENDENCIES
RedCloth (~> 4.2.9) RedCloth (~> 4.3.2)
ace-rails-ap (~> 4.0.2) ace-rails-ap (~> 4.0.2)
activerecord-session_store (~> 1.0.0) activerecord-session_store (~> 1.0.0)
acts-as-taggable-on (~> 3.4) acts-as-taggable-on (~> 3.4)
......