Commit 7a49d199 authored by Robert Speicher's avatar Robert Speicher Committed by Jose Ivan Vargas

Merge branch 'fix/gem-security-updates' into 'master'

Upgrade mail and nokogiri gems due to security issues

See merge request !13662
parent 789cc678
...@@ -27,7 +27,7 @@ gem 'doorkeeper-openid_connect', '~> 1.1.0' ...@@ -27,7 +27,7 @@ gem 'doorkeeper-openid_connect', '~> 1.1.0'
gem 'omniauth', '~> 1.4.2' gem 'omniauth', '~> 1.4.2'
gem 'omniauth-auth0', '~> 1.4.1' gem 'omniauth-auth0', '~> 1.4.1'
gem 'omniauth-azure-oauth2', '~> 0.0.6' gem 'omniauth-azure-oauth2', '~> 0.0.6'
gem 'omniauth-cas3', '~> 1.1.2' gem 'omniauth-cas3', '~> 1.1.4'
gem 'omniauth-facebook', '~> 4.0.0' gem 'omniauth-facebook', '~> 4.0.0'
gem 'omniauth-github', '~> 1.1.1' gem 'omniauth-github', '~> 1.1.1'
gem 'omniauth-gitlab', '~> 1.0.2' gem 'omniauth-gitlab', '~> 1.0.2'
...@@ -126,12 +126,9 @@ gem 'wikicloth', '0.8.1' ...@@ -126,12 +126,9 @@ gem 'wikicloth', '0.8.1'
gem 'asciidoctor', '~> 1.5.2' gem 'asciidoctor', '~> 1.5.2'
gem 'asciidoctor-plantuml', '0.0.7' gem 'asciidoctor-plantuml', '0.0.7'
gem 'rouge', '~> 2.0' gem 'rouge', '~> 2.0'
gem 'truncato', '~> 0.7.8' gem 'truncato', '~> 0.7.9'
gem 'bootstrap_form', '~> 2.7.0' gem 'bootstrap_form', '~> 2.7.0'
gem 'nokogiri', '~> 1.8.0'
# See https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
# and https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
gem 'nokogiri', '~> 1.6.7', '>= 1.6.7.2'
# Diffs # Diffs
gem 'diffy', '~> 3.1.0' gem 'diffy', '~> 3.1.0'
...@@ -250,7 +247,7 @@ gem 'uglifier', '~> 2.7.2' ...@@ -250,7 +247,7 @@ gem 'uglifier', '~> 2.7.2'
gem 'addressable', '~> 2.3.8' gem 'addressable', '~> 2.3.8'
gem 'bootstrap-sass', '~> 3.3.0' gem 'bootstrap-sass', '~> 3.3.0'
gem 'font-awesome-rails', '~> 4.7' gem 'font-awesome-rails', '~> 4.7'
gem 'gemojione', '~> 3.0' gem 'gemojione', '~> 3.3'
gem 'gon', '~> 6.1.0' gem 'gon', '~> 6.1.0'
gem 'jquery-atwho-rails', '~> 1.3.2' gem 'jquery-atwho-rails', '~> 1.3.2'
gem 'jquery-rails', '~> 4.1.0' gem 'jquery-rails', '~> 4.1.0'
......
...@@ -256,7 +256,7 @@ GEM ...@@ -256,7 +256,7 @@ GEM
ruby-progressbar (~> 1.4) ruby-progressbar (~> 1.4)
gemnasium-gitlab-service (0.2.6) gemnasium-gitlab-service (0.2.6)
rugged (~> 0.21) rugged (~> 0.21)
gemojione (3.0.1) gemojione (3.3.0)
json json
get_process_mem (0.2.0) get_process_mem (0.2.0)
gettext (3.2.2) gettext (3.2.2)
...@@ -278,7 +278,7 @@ GEM ...@@ -278,7 +278,7 @@ GEM
escape_utils (~> 1.1.0) escape_utils (~> 1.1.0)
mime-types (>= 1.19) mime-types (>= 1.19)
rugged (>= 0.23.0b) rugged (>= 0.23.0b)
github-markup (1.4.0) github-markup (1.6.1)
gitlab-flowdock-git-hook (1.0.1) gitlab-flowdock-git-hook (1.0.1)
flowdock (~> 0.7) flowdock (~> 0.7)
gitlab-grit (>= 2.4.1) gitlab-grit (>= 2.4.1)
...@@ -298,13 +298,14 @@ GEM ...@@ -298,13 +298,14 @@ GEM
activesupport (>= 4.1.0) activesupport (>= 4.1.0)
gollum-grit_adapter (1.0.1) gollum-grit_adapter (1.0.1)
gitlab-grit (~> 2.7, >= 2.7.1) gitlab-grit (~> 2.7, >= 2.7.1)
gollum-lib (4.2.1) gollum-lib (4.2.7)
github-markup (~> 1.4.0) gemojione (~> 3.2)
github-markup (~> 1.6)
gollum-grit_adapter (~> 1.0) gollum-grit_adapter (~> 1.0)
nokogiri (~> 1.6.4) nokogiri (>= 1.6.1, < 2.0)
rouge (~> 2.0) rouge (~> 2.1)
sanitize (~> 2.1.0) sanitize (~> 2.1)
stringex (~> 2.5.1) stringex (~> 2.6)
gollum-rugged_adapter (0.4.4) gollum-rugged_adapter (0.4.4)
mime-types (>= 1.15) mime-types (>= 1.15)
rugged (~> 0.25) rugged (~> 0.25)
...@@ -466,14 +467,14 @@ GEM ...@@ -466,14 +467,14 @@ GEM
railties (>= 4, < 5.2) railties (>= 4, < 5.2)
loofah (2.0.3) loofah (2.0.3)
nokogiri (>= 1.5.9) nokogiri (>= 1.5.9)
mail (2.6.5) mail (2.6.6)
mime-types (>= 1.16, < 4) mime-types (>= 1.16, < 4)
mail_room (0.9.1) mail_room (0.9.1)
memoist (0.15.0) memoist (0.15.0)
method_source (0.8.2) method_source (0.8.2)
mime-types (2.99.3) mime-types (2.99.3)
mimemagic (0.3.0) mimemagic (0.3.0)
mini_portile2 (2.1.0) mini_portile2 (2.2.0)
minitest (5.7.0) minitest (5.7.0)
mmap2 (2.2.7) mmap2 (2.2.7)
mousetrap-rails (1.4.6) mousetrap-rails (1.4.6)
...@@ -487,8 +488,8 @@ GEM ...@@ -487,8 +488,8 @@ GEM
net-ldap (0.16.0) net-ldap (0.16.0)
net-ssh (4.1.0) net-ssh (4.1.0)
netrc (0.11.0) netrc (0.11.0)
nokogiri (1.6.8.1) nokogiri (1.8.0)
mini_portile2 (~> 2.1.0) mini_portile2 (~> 2.2.0)
numerizer (0.1.1) numerizer (0.1.1)
oauth (0.5.1) oauth (0.5.1)
oauth2 (1.4.0) oauth2 (1.4.0)
...@@ -511,9 +512,9 @@ GEM ...@@ -511,9 +512,9 @@ GEM
jwt (~> 1.0) jwt (~> 1.0)
omniauth (~> 1.0) omniauth (~> 1.0)
omniauth-oauth2 (~> 1.1) omniauth-oauth2 (~> 1.1)
omniauth-cas3 (1.1.3) omniauth-cas3 (1.1.4)
addressable (~> 2.3) addressable (~> 2.3)
nokogiri (~> 1.6.6) nokogiri (~> 1.7, >= 1.7.1)
omniauth (~> 1.2) omniauth (~> 1.2)
omniauth-facebook (4.0.0) omniauth-facebook (4.0.0)
omniauth-oauth2 (~> 1.2) omniauth-oauth2 (~> 1.2)
...@@ -601,7 +602,7 @@ GEM ...@@ -601,7 +602,7 @@ GEM
cliver (~> 0.3.1) cliver (~> 0.3.1)
multi_json (~> 1.0) multi_json (~> 1.0)
websocket-driver (>= 0.2.0) websocket-driver (>= 0.2.0)
posix-spawn (0.3.11) posix-spawn (0.3.13)
powerpack (0.1.1) powerpack (0.1.1)
premailer (1.10.4) premailer (1.10.4)
addressable addressable
...@@ -855,7 +856,7 @@ GEM ...@@ -855,7 +856,7 @@ GEM
state_machines-activerecord (0.4.0) state_machines-activerecord (0.4.0)
activerecord (>= 4.1, < 5.1) activerecord (>= 4.1, < 5.1)
state_machines-activemodel (>= 0.3.0) state_machines-activemodel (>= 0.3.0)
stringex (2.5.2) stringex (2.7.1)
sys-filesystem (1.1.6) sys-filesystem (1.1.6)
ffi ffi
sysexits (1.2.0) sysexits (1.2.0)
...@@ -874,9 +875,9 @@ GEM ...@@ -874,9 +875,9 @@ GEM
timfel-krb5-auth (0.8.3) timfel-krb5-auth (0.8.3)
toml-rb (0.3.15) toml-rb (0.3.15)
citrus (~> 3.0, > 3.0) citrus (~> 3.0, > 3.0)
truncato (0.7.8) truncato (0.7.10)
htmlentities (~> 4.3.1) htmlentities (~> 4.3.1)
nokogiri (~> 1.6.1) nokogiri (~> 1.8.0, >= 1.7.0)
tzinfo (1.2.3) tzinfo (1.2.3)
thread_safe (~> 0.1) thread_safe (~> 0.1)
u2f (0.2.1) u2f (0.2.1)
...@@ -992,7 +993,7 @@ DEPENDENCIES ...@@ -992,7 +993,7 @@ DEPENDENCIES
foreman (~> 0.78.0) foreman (~> 0.78.0)
fuubar (~> 2.2.0) fuubar (~> 2.2.0)
gemnasium-gitlab-service (~> 0.2) gemnasium-gitlab-service (~> 0.2)
gemojione (~> 3.0) gemojione (~> 3.3)
gettext (~> 3.2.2) gettext (~> 3.2.2)
gettext_i18n_rails (~> 1.8.0) gettext_i18n_rails (~> 1.8.0)
gettext_i18n_rails_js (~> 1.2.0) gettext_i18n_rails_js (~> 1.2.0)
...@@ -1038,7 +1039,7 @@ DEPENDENCIES ...@@ -1038,7 +1039,7 @@ DEPENDENCIES
mysql2 (~> 0.4.5) mysql2 (~> 0.4.5)
net-ldap net-ldap
net-ssh (~> 4.1.0) net-ssh (~> 4.1.0)
nokogiri (~> 1.6.7, >= 1.6.7.2) nokogiri (~> 1.8.0)
oauth2 (~> 1.4) oauth2 (~> 1.4)
octokit (~> 4.6.2) octokit (~> 4.6.2)
oj (~> 2.17.4) oj (~> 2.17.4)
...@@ -1046,7 +1047,7 @@ DEPENDENCIES ...@@ -1046,7 +1047,7 @@ DEPENDENCIES
omniauth-auth0 (~> 1.4.1) omniauth-auth0 (~> 1.4.1)
omniauth-authentiq (~> 0.3.1) omniauth-authentiq (~> 0.3.1)
omniauth-azure-oauth2 (~> 0.0.6) omniauth-azure-oauth2 (~> 0.0.6)
omniauth-cas3 (~> 1.1.2) omniauth-cas3 (~> 1.1.4)
omniauth-facebook (~> 4.0.0) omniauth-facebook (~> 4.0.0)
omniauth-github (~> 1.1.1) omniauth-github (~> 1.1.1)
omniauth-gitlab (~> 1.0.2) omniauth-gitlab (~> 1.0.2)
...@@ -1135,7 +1136,7 @@ DEPENDENCIES ...@@ -1135,7 +1136,7 @@ DEPENDENCIES
thin (~> 1.7.0) thin (~> 1.7.0)
timecop (~> 0.8.0) timecop (~> 0.8.0)
toml-rb (~> 0.3.15) toml-rb (~> 0.3.15)
truncato (~> 0.7.8) truncato (~> 0.7.9)
u2f (~> 0.2.1) u2f (~> 0.2.1)
uglifier (~> 2.7.2) uglifier (~> 2.7.2)
underscore-rails (~> 1.8.0) underscore-rails (~> 1.8.0)
......
---
title: Upgrade mail and nokogiri gems due to security issues
merge_request: 13662
author: Markus Koller
type: security
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
require ::File.expand_path('../lib/gitlab/popen', __dir__) require ::File.expand_path('../lib/gitlab/popen', __dir__)
tasks = [ tasks = [
%w[bundle exec bundle-audit check --update --ignore CVE-2016-4658 CVE-2017-5029], %w[bundle exec bundle-audit check --update],
%w[bundle exec rake config_lint], %w[bundle exec rake config_lint],
%w[bundle exec rake flay], %w[bundle exec rake flay],
%w[bundle exec rake haml_lint], %w[bundle exec rake haml_lint],
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment