diff --git a/Gemfile b/Gemfile
index 7653dad7b0..18404b15da 100644
--- a/Gemfile
+++ b/Gemfile
@@ -43,7 +43,6 @@ gem 'paranoia', '< 2.1.2' # uses 2.0 for testing (no explicit requirement, yet)
 gem 'prawn', '< 2.0' # 2.0 requires ruby 2.0
 gem 'prawn-table'
 gem 'protective'
-gem 'rack'
 gem 'rails-i18n'
 gem 'rails_autolink'
 gem 'rubyzip', '~> 1.2.2'
@@ -77,9 +76,12 @@ gem 'therubyracer', platforms: :ruby
 gem 'turbolinks'
 gem 'uglifier'
 
-# security updates, can be deleted if they get in the way of updates or so
+# security updates, can be deleted or changed if they get in the way of updates or so
+gem 'loofah', '~> 2.2.3'
+gem 'rack', '~> 1.6.11'
 gem 'sprockets', '~> 3.7.2'
 
+
 group :development, :test do
   gem 'binding_of_caller'
   gem 'codez-tarantula', require: 'tarantula-rails3'
diff --git a/Gemfile.lock b/Gemfile.lock
index 2407afc6f1..d7bafbf8de 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,8 +1,7 @@
 PATH
-  remote: ../hitobito_aolv
+  remote: ../hitobito_generic
   specs:
-    hitobito_aolv (1.18.9.0)
-      mailgun_rails
+    hitobito_generic (0.0.1)
 
 GEM
   remote: https://rubygems.org/
@@ -50,7 +49,8 @@ GEM
       tzinfo (~> 1.1)
     acts-as-taggable-on (3.5.0)
       activerecord (>= 3.2, < 5)
-    addressable (2.4.0)
+    addressable (2.5.2)
+      public_suffix (>= 2.0.2, < 4.0)
     afm (0.2.2)
     airbrake (4.3.4)
       builder
@@ -63,10 +63,11 @@ GEM
     awesome_nested_set (3.0.2)
       activerecord (>= 4.0.0, < 5)
     awesome_print (1.7.0)
-    axlsx (2.0.1)
-      htmlentities (~> 4.3.1)
-      nokogiri (>= 1.4.1)
-      rubyzip (~> 1.0.0)
+    axlsx (3.0.0.pre)
+      htmlentities (~> 4.3, >= 4.3.4)
+      mimemagic (~> 0.3)
+      nokogiri (~> 1.8, >= 1.8.2)
+      rubyzip (~> 1.2, >= 1.2.1)
     bcrypt (3.1.11)
     bcrypt-ruby (3.1.5)
       bcrypt (>= 3.1.3)
@@ -78,15 +79,17 @@ GEM
       railties (>= 3.0)
     brakeman (3.5.0)
     builder (3.2.3)
-    byebug (10.0.2)
+    bullet (5.5.1)
+      activesupport (>= 3.0.0)
+      uniform_notifier (~> 1.10.0)
     cancancan (1.12.0)
-    capybara (2.12.1)
+    capybara (2.18.0)
       addressable
-      mime-types (>= 1.16)
+      mini_mime (>= 0.1.3)
       nokogiri (>= 1.3.3)
       rack (>= 1.0.0)
       rack-test (>= 0.5.4)
-      xpath (~> 2.0)
+      xpath (>= 2.0, < 4.0)
     capybara-screenshot (1.0.14)
       capybara (>= 1.0, < 3)
       launchy
@@ -95,7 +98,7 @@ GEM
       activesupport (>= 3.2.0)
       json (>= 1.7)
       mime-types (>= 1.16)
-    childprocess (0.6.2)
+    childprocess (0.9.0)
       ffi (~> 1.0, >= 1.0.11)
     choice (0.2.0)
     chosen-rails (1.5.2)
@@ -123,6 +126,7 @@ GEM
       coffee-script-source
       execjs
     coffee-script-source (1.12.2)
+    columnize (0.9.0)
     compass (1.0.3)
       chunky_png (~> 1.2)
       compass-core (~> 1.0.2)
@@ -149,6 +153,7 @@ GEM
     country_select (2.5.1)
       countries (~> 1.2.0)
       sort_alphabetical (~> 1.0)
+    crass (1.0.4)
     currencies (0.4.2)
     customized_piwik_analytics (1.0.4)
       actionpack
@@ -158,6 +163,12 @@ GEM
     dalli (2.7.6)
     database_cleaner (1.5.3)
     debug_inspector (0.0.2)
+    debugger (1.6.8)
+      columnize (>= 0.3.1)
+      debugger-linecache (~> 1.2.0)
+      debugger-ruby_core_source (~> 1.3.5)
+    debugger-linecache (1.2.0)
+    debugger-ruby_core_source (1.3.8)
     deep_merge (1.0.1)
     delayed_job (4.1.2)
       activesupport (>= 3.0, < 5.1)
@@ -173,8 +184,6 @@ GEM
       warden (~> 1.2.3)
     diff-lcs (1.3)
     docile (1.1.5)
-    domain_name (0.5.20180417)
-      unf (>= 0.0.5, < 1.0.0)
     draper (2.1.0)
       actionpack (>= 3.0)
       activemodel (>= 3.0)
@@ -182,14 +191,13 @@ GEM
       request_store (~> 1.0)
     erubis (2.7.0)
     eventmachine (1.0.9.1)
-    exception_notification (4.2.2)
-      actionmailer (>= 4.0, < 6)
-      activesupport (>= 4.0, < 6)
     execjs (2.7.0)
     fabrication (2.16.1)
     faker (1.6.3)
       i18n (~> 0.5)
-    ffi (1.9.18)
+    ffi (1.9.25)
+    font-awesome-rails (4.7.0.4)
+      railties (>= 3.2, < 6.0)
     globalid (0.3.7)
       activesupport (>= 4.1.0)
     globalize (5.0.1)
@@ -202,8 +210,6 @@ GEM
     hirb (0.7.3)
     hpricot (0.8.6)
     htmlentities (4.3.4)
-    http-cookie (1.0.3)
-      domain_name (~> 0.5)
     http_accept_language (2.1.0)
     i18n (0.9.3)
       concurrent-ruby (~> 1.0)
@@ -230,7 +236,8 @@ GEM
     launchy (2.4.3)
       addressable (~> 2.3)
     libv8 (3.16.14.17)
-    loofah (2.0.3)
+    loofah (2.2.3)
+      crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     magiclabs-userstamp (3.0)
       actionpack (>= 4.0)
@@ -245,21 +252,18 @@ GEM
       skinny (~> 0.2.3)
       sqlite3 (~> 1.3)
       thin (~> 1.5.0)
-    mailgun_rails (0.9.0)
-      actionmailer (>= 3.2.13)
-      json (>= 1.7.7)
-      rest-client (>= 1.6.7)
     method_source (0.8.2)
     middleware (0.1.0)
     mime-types (2.6.2)
+    mimemagic (0.3.2)
     mini_magick (4.6.1)
+    mini_mime (1.0.1)
     mini_portile2 (2.3.0)
     minitest (5.10.3)
-    multi_json (1.12.1)
-    mysql2 (0.3.21)
+    multi_json (1.13.1)
+    mysql2 (0.4.9)
     nested_form (0.3.2)
-    netrc (0.11.0)
-    nokogiri (1.8.1)
+    nokogiri (1.8.5)
       mini_portile2 (~> 2.3.0)
     nuggets (1.5.0)
     oat (0.5.0)
@@ -296,9 +300,9 @@ GEM
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
       slop (~> 3.4)
-    pry-byebug (3.6.0)
-      byebug (~> 10.0)
-      pry (~> 0.10)
+    pry-debugger (0.2.3)
+      debugger (~> 1.3)
+      pry (>= 0.9.10, < 0.11.0)
     pry-doc (0.10.0)
       pry (~> 0.9)
       yard (~> 0.9)
@@ -310,10 +314,11 @@ GEM
     pry-stack_explorer (0.4.9.2)
       binding_of_caller (>= 0.7)
       pry (>= 0.9.11)
+    public_suffix (3.0.3)
     quiet_assets (1.1.0)
       railties (>= 3.1, < 5.0)
-    rack (1.6.5)
-    rack-protection (1.5.3)
+    rack (1.6.11)
+    rack-protection (1.5.5)
       rack
     rack-test (0.6.3)
       rack (>= 1.0)
@@ -339,8 +344,8 @@ GEM
       activesupport (>= 3.2)
       choice (~> 0.2.0)
       ruby-graphviz (~> 1.2)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
     rails-i18n (4.0.9)
       i18n (~> 0.7)
       railties (~> 4.0)
@@ -368,10 +373,6 @@ GEM
     request_store (1.3.2)
     responders (2.3.0)
       railties (>= 4.2.0, < 5.1)
-    rest-client (2.0.2)
-      http-cookie (>= 1.0.2, < 2.0)
-      mime-types (>= 1.16, < 4.0)
-      netrc (~> 0.8)
     riddle (2.3.0)
     rspec (3.5.0)
       rspec-core (~> 3.5.0)
@@ -412,7 +413,7 @@ GEM
     ruby-prof (0.16.2)
     ruby-progressbar (1.9.0)
     ruby-rc4 (0.1.5)
-    rubyzip (1.0.0)
+    rubyzip (1.2.2)
     safe_yaml (1.0.4)
     sass (3.4.23)
     sass-rails (5.0.6)
@@ -426,11 +427,9 @@ GEM
       activesupport (>= 3.1)
     seed-fu-ndo (0.0.2)
       seed-fu (>= 2.2.0)
-    selenium-webdriver (2.51.0)
+    selenium-webdriver (3.14.0)
       childprocess (~> 0.5)
-      multi_json (~> 1.0)
-      rubyzip (~> 1.0)
-      websocket (~> 1.0)
+      rubyzip (~> 1.2)
     simplecov (0.15.1)
       docile (~> 1.1.0)
       json (>= 1.8, < 3)
@@ -453,7 +452,7 @@ GEM
       activesupport (>= 4.2)
     spring-commands-rspec (1.0.4)
       spring (>= 0.9.1)
-    sprockets (3.7.1)
+    sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.2.0)
@@ -487,11 +486,9 @@ GEM
       thread_safe (~> 0.1)
     uglifier (3.1.4)
       execjs (>= 0.3.0, < 3)
-    unf (0.1.4)
-      unf_ext
-    unf_ext (0.0.7.5)
     unicode-display_width (1.3.0)
     unicode_utils (1.4.0)
+    uniform_notifier (1.10.0)
     validates_by_schema (0.3.0)
       activerecord (>= 3.1.0)
     validates_timeliness (3.0.15)
@@ -503,10 +500,9 @@ GEM
       seed-fu-ndo (>= 0.0.2)
     warden (1.2.7)
       rack (>= 1.0)
-    websocket (1.2.4)
     wirble (0.1.3)
-    xpath (2.0.0)
-      nokogiri (~> 1.3)
+    xpath (3.1.0)
+      nokogiri (~> 1.8)
     yard (0.9.12)
 
 PLATFORMS
@@ -515,20 +511,21 @@ PLATFORMS
 DEPENDENCIES
   activerecord-session_store
   acts-as-taggable-on (~> 3.5.0)
-  airbrake (< 5.0.0)
+  airbrake (< 5.0)
   annotate
-  awesome_nested_set
+  awesome_nested_set (< 3.1.0)
   awesome_print
-  axlsx (= 2.0.1)
+  axlsx (>= 3.0.0.pre)
   bcrypt-ruby
   binding_of_caller
   bootstrap-sass (~> 2.3)
   bootstrap-wysihtml5-rails (~> 0.3.1.24)
   brakeman
+  bullet
   cancancan (< 1.13.0)
   capybara
   capybara-screenshot
-  carrierwave
+  carrierwave (< 0.11.1)
   chosen-rails
   ci_reporter_rspec
   cmess
@@ -536,52 +533,53 @@ DEPENDENCIES
   coffee-rails
   compass
   compass-rails
-  config
+  config (< 1.1.0)
   country_select
   customized_piwik_analytics (~> 1.0.0)
   daemons
   dalli
   database_cleaner
   delayed_job_active_record
-  devise
+  devise (< 4.0.0)
   draper
-  exception_notification
   fabrication
-  faker
+  faker (< 1.6.4)
+  font-awesome-rails (~> 4.7, >= 4.7.0.1)
   globalize
   haml
   headless
   hirb
-  hitobito_aolv!
+  hitobito_generic!
   http_accept_language
   icalendar
   jquery-cookie-rails
   jquery-rails
   jquery-turbolinks
   jquery-ui-rails
-  kaminari
+  kaminari (< 1.0.0)
   launchy
+  loofah (~> 2.2.3)
   magiclabs-userstamp
   mailcatcher
   mime-types (~> 2.6.2)
   mini_magick
-  mysql2 (~> 0.3.21)
+  mysql2 (= 0.4.9)
   nested_form
   oat
   paper_trail
   parallel_tests
-  paranoia
+  paranoia (< 2.1.2)
   pdf-inspector
-  prawn
+  prawn (< 2.0)
   prawn-table
   protective
-  pry-byebug
+  pry-debugger
   pry-doc
   pry-rails
   pry-remote
   pry-stack_explorer
   quiet_assets
-  rack
+  rack (~> 1.6.11)
   rails (= 4.2.8)
   rails-erd
   rails-i18n
@@ -596,13 +594,14 @@ DEPENDENCIES
   rubocop
   rubocop-checkstyle_formatter
   ruby-prof
-  rubyzip
+  rubyzip (~> 1.2.2)
   sass-rails
   seed-fu
-  selenium-webdriver (= 2.51.0)
+  selenium-webdriver
   simplecov-rcov
   simpleidn
   spring-commands-rspec
+  sprockets (~> 3.7.2)
   sqlite3
   therubyracer
   thinking-sphinx
@@ -615,4 +614,4 @@ DEPENDENCIES
   wirble
 
 BUNDLED WITH
-   1.16.2
+   1.16.0