Commit 3ddc0124 authored by Stan Hu

Update WEBrick to v1.6.1

Ruby ships with WEBrick v1.6.0, but v1.6.1 contains a fix for a CVE:
https://bugs.ruby-lang.org/issues/17201

We only use WEBrick for Sidekiq exporter to serve internal metrics, so
this CVE shouldn't be a user-facing issue.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/296224
parent a6994188
...@@ -331,6 +331,7 @@ gem 'snowplow-tracker', '~> 0.6.1' ...@@ -331,6 +331,7 @@ gem 'snowplow-tracker', '~> 0.6.1'
# Metrics # Metrics
group :metrics do group :metrics do
gem 'method_source', '~> 1.0', require: false gem 'method_source', '~> 1.0', require: false
gem 'webrick', '~> 1.6.1', require: false
# Prometheus # Prometheus
gem 'prometheus-client-mmap', '~> 0.12.0' gem 'prometheus-client-mmap', '~> 0.12.0'
......
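Review bot: the added `gem 'webrick', '~> 1.6.1', require: false` line in the `:metrics` group carries no comment explaining why a gem that Ruby already ships is declared explicitly. The entry exists only to get past the bundled v1.6.0, so a one-line comment above it pointing at https://bugs.ruby-lang.org/issues/17201 would tell a later reader why it is there and when it can be dropped. Also check that the `~> 1.6.1` constraint is intended: it holds the gem below 1.7, whereas `'~> 1.6', '>= 1.6.1'` would keep the same floor without that cap.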
...@@ -1248,6 +1248,7 @@ GEM ...@@ -1248,6 +1248,7 @@ GEM
addressable (>= 2.3.6) addressable (>= 2.3.6)
crack (>= 0.3.2) crack (>= 0.3.2)
hashdiff (>= 0.4.0, < 2.0.0) hashdiff (>= 0.4.0, < 2.0.0)
webrick (1.6.1)
websocket-driver (0.7.3) websocket-driver (0.7.3)
websocket-extensions (>= 0.1.0) websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.5) websocket-extensions (0.1.5)
...@@ -1531,6 +1532,7 @@ DEPENDENCIES ...@@ -1531,6 +1532,7 @@ DEPENDENCIES
vmstat (~> 2.3.0) vmstat (~> 2.3.0)
webauthn (~> 2.3) webauthn (~> 2.3)
webmock (~> 3.9.1) webmock (~> 3.9.1)
webrick (~> 1.6.1)
wikicloth (= 0.8.1) wikicloth (= 0.8.1)
yajl-ruby (~> 1.4.1) yajl-ruby (~> 1.4.1)
......
---
title: Update WEBrick to v1.6.1
merge_request: 50720
author:
type: security
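Review bot: the changelog entry is filed under `type: security`, but its `title: Update WEBrick to v1.6.1` does not say what the update fixes. The commit message states that the bump picks up a CVE fix and that WEBrick only serves the Sidekiq exporter's internal metrics; a title along the lines of "Update WEBrick to v1.6.1 to pick up upstream CVE fix" would make the entry meaningful to someone reading the changelog without opening the merge request.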