From eded08152273cf3eacac1002d41463d97de2e8de Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Mon, 19 Nov 2018 12:20:44 -0800
Subject: [PATCH] Bump nokogiri, loofah, and rack gems for security updates

loofah: CVE-2018-16468: https://github.com/flavorjones/loofah/issues/154
nokogiri: CVE-2018-14404 and CVE-2018-14567
https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md
rack: CVE-2018-16471
https://github.com/rack/rack/commit/e5d58031b766e49687157b45edab1b8457d972bd
i18n: https://github.com/svenfuchs/i18n/releases
concurrent-ruby: https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md
---
 Gemfile | 2 +-
 Gemfile.lock | 18 +++++++++--------
 Gemfile.rails4.lock | 12 ++++++------
 .../unreleased/sh-bump-gems-security.yml | 5 +++++
 4 files changed, 21 insertions(+), 16 deletions(-)
 create mode 100644 changelogs/unreleased/sh-bump-gems-security.yml

diff --git a/Gemfile b/Gemfile
index 73c0779e8e5f..2c0eb0cbce4a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -389,7 +389,7 @@ group :test do
   gem 'rails-controller-testing' if rails5? # Rails5 only gem.
   gem 'test_after_commit', '~> 1.1' unless rails5? # Remove this gem when migrated to rails 5.0. It's been integrated to rails 5.0.
   gem 'sham_rack', '~> 1.3.6'
-  gem 'concurrent-ruby', '~> 1.0.5'
+  gem 'concurrent-ruby', '~> 1.1'
   gem 'test-prof', '~> 0.2.5'
   gem 'rspec_junit_formatter'
 end
diff --git a/Gemfile.lock b/Gemfile.lock
index 975243f31d56..24c1b2a0cef8 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -128,9 +128,9 @@ GEM
     concord (0.1.5)
       adamantium (~> 0.2.0)
       equalizer (~> 0.0.9)
-    concurrent-ruby (1.0.5)
-    concurrent-ruby-ext (1.0.5)
-      concurrent-ruby (= 1.0.5)
+    concurrent-ruby (1.1.3)
+    concurrent-ruby-ext (1.1.3)
+      concurrent-ruby (= 1.1.3)
     connection_pool (2.2.2)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
@@ -379,7 +379,7 @@ GEM
       json (~> 1.8)
       multi_xml (>= 0.5.2)
     httpclient (2.8.3)
-    i18n (1.1.0)
+    i18n (1.1.1)
       concurrent-ruby (~> 1.0)
     icalendar (2.4.1)
     ice_nine (0.11.2)
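Review bot: The rack fix named in the description (CVE-2018-16471, rack 2.0.6) is applied only in Gemfile.lock; the Gemfile.rails4.lock section on this page bumps concurrent-ruby, loofah and nokogiri, and its 12-line diffstat leaves no room for a rack change, so the Rails 4 bundle presumably stays on rack 2.0.5 and should be re-resolved before this ships. The Gemfile hunk itself only tightens concurrent-ruby to `'~> 1.1'`, so nothing in the Gemfile prevents a later `bundle update` or a fresh resolve from returning to the vulnerable nokogiri, loofah or rack releases. If those gems are declared directly in the Gemfile (their declarations are not in this hunk), consider pinning floors such as `gem 'nokogiri', '>= 1.8.5'`, `gem 'loofah', '>= 2.2.3'` and `gem 'rack', '>= 2.0.6'`, and regenerating both lockfiles from them. The `group :test do` block enclosing the changed line starts outside the hunk.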
@@ -444,7 +444,7 @@ GEM
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.2.2)
+    loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.0)
@@ -453,7 +453,7 @@ GEM
     memoist (0.16.0)
     memoizable (0.4.2)
       thread_safe (~> 0.3, >= 0.3.1)
-    method_source (0.9.0)
+    method_source (0.9.2)
     mime-types (3.2.2)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2018.0812)
@@ -475,7 +475,7 @@ GEM
     net-ssh (5.0.1)
     netrc (0.11.0)
     nio4r (2.3.1)
-    nokogiri (1.8.4)
+    nokogiri (1.8.5)
       mini_portile2 (~> 2.3.0)
     nokogumbo (1.5.0)
       nokogiri
@@ -603,7 +603,7 @@ GEM
       get_process_mem (~> 0.2)
       puma (>= 2.7, < 4)
     pyu-ruby-sasl (0.0.3.3)
-    rack (2.0.5)
+    rack (2.0.6)
     rack-accept (0.4.5)
       rack (>= 0.4)
     rack-attack (4.4.1)
@@ -967,7 +967,7 @@ DEPENDENCIES
   chronic (~> 0.10.2)
   chronic_duration (~> 0.10.6)
   commonmarker (~> 0.17)
-  concurrent-ruby (~> 1.0.5)
+  concurrent-ruby (~> 1.1)
   connection_pool (~> 2.0)
   creole (~> 0.5.0)
   database_cleaner (~> 1.5.0)
diff --git a/Gemfile.rails4.lock b/Gemfile.rails4.lock
index 657975da2a46..0eacf91cf436 100644
--- a/Gemfile.rails4.lock
+++ b/Gemfile.rails4.lock
@@ -125,9 +125,9 @@ GEM
     concord (0.1.5)
       adamantium (~> 0.2.0)
       equalizer (~> 0.0.9)
-    concurrent-ruby (1.0.5)
-    concurrent-ruby-ext (1.0.5)
-      concurrent-ruby (= 1.0.5)
+    concurrent-ruby (1.1.3)
+    concurrent-ruby-ext (1.1.3)
+      concurrent-ruby (= 1.1.3)
     connection_pool (2.2.2)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
@@ -441,7 +441,7 @@ GEM
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.2.2)
+    loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.0)
@@ -471,7 +471,7 @@ GEM
     net-ldap (0.16.0)
     net-ssh (5.0.1)
     netrc (0.11.0)
-    nokogiri (1.8.4)
+    nokogiri (1.8.5)
       mini_portile2 (~> 2.3.0)
     nokogumbo (1.5.0)
       nokogiri
@@ -958,7 +958,7 @@ DEPENDENCIES
   chronic (~> 0.10.2)
   chronic_duration (~> 0.10.6)
   commonmarker (~> 0.17)
-  concurrent-ruby (~> 1.0.5)
+  concurrent-ruby (~> 1.1)
   connection_pool (~> 2.0)
   creole (~> 0.5.0)
   database_cleaner (~> 1.5.0)
diff --git a/changelogs/unreleased/sh-bump-gems-security.yml b/changelogs/unreleased/sh-bump-gems-security.yml
new file mode 100644
index 000000000000..06489f6f9797
--- /dev/null
+++ b/changelogs/unreleased/sh-bump-gems-security.yml
@@ -0,0 +1,5 @@
+---
+title: Bump nokogiri, loofah, and rack gems for security updates
+merge_request: 23204
+author:
+type: security