Update WEBrick to v1.6.1

Ruby ships with WEBrick v1.6.0, but v1.6.1 contains a fix for a CVE: https://bugs.ruby-lang.org/issues/17201 We only use WEBrick for Sidekiq exporter to serve internal metrics, so this CVE shouldn't be a user-facing issue. Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/296224

Update WEBrick to v1.6.1
Ruby ships with WEBrick v1.6.0, but v1.6.1 contains a fix for a CVE: https://bugs.ruby-lang.org/issues/17201 We only use WEBrick for Sidekiq exporter to serve internal metrics, so this CVE shouldn't be a user-facing issue. Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/296224
3ddc0124 · Stan Hu · a6994188 · 3ddc0124 · 3ddc0124 · 3ddc0124
Commit 3ddc0124 authored Dec 31, 2020 by Stan Hu
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

Gemfile Gemfile +1 -0

Gemfile.lock Gemfile.lock +2 -0

changelogs/unreleased/sh-upgrade-webrick-1-6-1.yml changelogs/unreleased/sh-upgrade-webrick-1-6-1.yml +5 -0

No files found.
--- a/Gemfile
+++ b/Gemfile
@@ -331,6 +331,7 @@ gem 'snowplow-tracker', '~> 0.6.1'
 # Metrics
 group :metrics do
  gem 'method_source', '~> 1.0', require: false
+  gem 'webrick', '~> 1.6.1', require: false

  # Prometheus
  gem 'prometheus-client-mmap', '~> 0.12.0'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1248,6 +1248,7 @@ GEM
      addressable (>= 2.3.6)
      crack (>= 0.3.2)
      hashdiff (>= 0.4.0, < 2.0.0)
+    webrick (1.6.1)
    websocket-driver (0.7.3)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
@@ -1531,6 +1532,7 @@ DEPENDENCIES
  vmstat (~> 2.3.0)
  webauthn (~> 2.3)
  webmock (~> 3.9.1)
+  webrick (~> 1.6.1)
  wikicloth (= 0.8.1)
  yajl-ruby (~> 1.4.1)


--- a/changelogs/unreleased/sh-upgrade-webrick-1-6-1.yml
+++ b/changelogs/unreleased/sh-upgrade-webrick-1-6-1.yml
+---
+title: Update WEBrick to v1.6.1
+merge_request: 50720
+author:
+type: security