Upgrade mail and nokogiri gems due to security issues

b2178c1d · Markus Koller · Robert Speicher · 3cc6e4c6 · b2178c1d · b2178c1d
Commit b2178c1d authored Aug 31, 2017 by Markus Koller Committed by Robert Speicher Aug 31, 2017
4 changed files
--- a/Gemfile
+++ b/Gemfile
@@ -27,7 +27,7 @@ gem 'doorkeeper-openid_connect', '~> 1.1.0'
 gem 'omniauth', '~> 1.4.2'
 gem 'omniauth-auth0', '~> 1.4.1'
 gem 'omniauth-azure-oauth2', '~> 0.0.6'
-gem 'omniauth-cas3', '~> 1.1.2'
+gem 'omniauth-cas3', '~> 1.1.4'
 gem 'omniauth-facebook', '~> 4.0.0'
 gem 'omniauth-github', '~> 1.1.1'
 gem 'omniauth-gitlab', '~> 1.0.2'
@@ -126,12 +126,9 @@ gem 'wikicloth', '0.8.1'
 gem 'asciidoctor', '~> 1.5.2'
 gem 'asciidoctor-plantuml', '0.0.7'
 gem 'rouge', '~> 2.0'
-gem 'truncato', '~> 0.7.8'
+gem 'truncato', '~> 0.7.9'
 gem 'bootstrap_form', '~> 2.7.0'
-
-# See https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
-# and https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
-gem 'nokogiri', '~> 1.6.7', '>= 1.6.7.2'
+gem 'nokogiri', '~> 1.8.0'

 # Diffs
 gem 'diffy', '~> 3.1.0'
@@ -245,7 +242,7 @@ gem 'uglifier', '~> 2.7.2'
 gem 'addressable', '~> 2.3.8'
 gem 'bootstrap-sass', '~> 3.3.0'
 gem 'font-awesome-rails', '~> 4.7'
-gem 'gemojione', '~> 3.0'
+gem 'gemojione', '~> 3.3'
 gem 'gon', '~> 6.1.0'
 gem 'jquery-atwho-rails', '~> 1.3.2'
 gem 'jquery-rails', '~> 4.1.0'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -261,7 +261,7 @@ GEM
      ruby-progressbar (~> 1.4)
    gemnasium-gitlab-service (0.2.6)
      rugged (~> 0.21)
-    gemojione (3.0.1)
+    gemojione (3.3.0)
      json
    get_process_mem (0.2.0)
    gettext (3.2.2)
@@ -283,7 +283,7 @@ GEM
      escape_utils (~> 1.1.0)
      mime-types (>= 1.19)
      rugged (>= 0.23.0b)
-    github-markup (1.4.0)
+    github-markup (1.6.1)
    gitlab-flowdock-git-hook (1.0.1)
      flowdock (~> 0.7)
      gitlab-grit (>= 2.4.1)
@@ -303,13 +303,14 @@ GEM
      activesupport (>= 4.1.0)
    gollum-grit_adapter (1.0.1)
      gitlab-grit (~> 2.7, >= 2.7.1)
-    gollum-lib (4.2.1)
-      github-markup (~> 1.4.0)
+    gollum-lib (4.2.7)
+      gemojione (~> 3.2)
+      github-markup (~> 1.6)
      gollum-grit_adapter (~> 1.0)
-      nokogiri (~> 1.6.4)
-      rouge (~> 2.0)
-      sanitize (~> 2.1.0)
-      stringex (~> 2.5.1)
+      nokogiri (>= 1.6.1, < 2.0)
+      rouge (~> 2.1)
+      sanitize (~> 2.1)
+      stringex (~> 2.6)
    gollum-rugged_adapter (0.4.4)
      mime-types (>= 1.15)
      rugged (~> 0.25)
@@ -468,7 +469,7 @@ GEM
      railties (>= 4, < 5.2)
    loofah (2.0.3)
      nokogiri (>= 1.5.9)
-    mail (2.6.5)
+    mail (2.6.6)
      mime-types (>= 1.16, < 4)
    mail_room (0.9.1)
    memoist (0.15.0)
@@ -477,7 +478,7 @@ GEM
    method_source (0.8.2)
    mime-types (2.99.3)
    mimemagic (0.3.0)
-    mini_portile2 (2.1.0)
+    mini_portile2 (2.2.0)
    minitest (5.7.0)
    mmap2 (2.2.7)
    mousetrap-rails (1.4.6)
@@ -491,8 +492,8 @@ GEM
    net-ldap (0.16.0)
    net-ssh (4.1.0)
    netrc (0.11.0)
-    nokogiri (1.6.8.1)
-      mini_portile2 (~> 2.1.0)
+    nokogiri (1.8.0)
+      mini_portile2 (~> 2.2.0)
    numerizer (0.1.1)
    oauth (0.5.1)
    oauth2 (1.4.0)
@@ -515,9 +516,9 @@ GEM
      jwt (~> 1.0)
      omniauth (~> 1.0)
      omniauth-oauth2 (~> 1.1)
-    omniauth-cas3 (1.1.3)
+    omniauth-cas3 (1.1.4)
      addressable (~> 2.3)
-      nokogiri (~> 1.6.6)
+      nokogiri (~> 1.7, >= 1.7.1)
      omniauth (~> 1.2)
    omniauth-facebook (4.0.0)
      omniauth-oauth2 (~> 1.2)
@@ -605,7 +606,7 @@ GEM
      cliver (~> 0.3.1)
      multi_json (~> 1.0)
      websocket-driver (>= 0.2.0)
-    posix-spawn (0.3.11)
+    posix-spawn (0.3.13)
    powerpack (0.1.1)
    premailer (1.10.4)
      addressable
@@ -871,7 +872,7 @@ GEM
    state_machines-activerecord (0.4.0)
      activerecord (>= 4.1, < 5.1)
      state_machines-activemodel (>= 0.3.0)
-    stringex (2.5.2)
+    stringex (2.7.1)
    sys-filesystem (1.1.6)
      ffi
    sysexits (1.2.0)
@@ -890,9 +891,9 @@ GEM
    timfel-krb5-auth (0.8.3)
    toml-rb (0.3.15)
      citrus (~> 3.0, > 3.0)
-    truncato (0.7.8)
+    truncato (0.7.10)
      htmlentities (~> 4.3.1)
-      nokogiri (~> 1.6.1)
+      nokogiri (~> 1.8.0, >= 1.7.0)
    tzinfo (1.2.3)
      thread_safe (~> 0.1)
    u2f (0.2.1)
@@ -1014,7 +1015,7 @@ DEPENDENCIES
  foreman (~> 0.78.0)
  fuubar (~> 2.2.0)
  gemnasium-gitlab-service (~> 0.2)
-  gemojione (~> 3.0)
+  gemojione (~> 3.3)
  gettext (~> 3.2.2)
  gettext_i18n_rails (~> 1.8.0)
  gettext_i18n_rails_js (~> 1.2.0)
@@ -1060,7 +1061,7 @@ DEPENDENCIES
  mysql2 (~> 0.4.5)
  net-ldap
  net-ssh (~> 4.1.0)
-  nokogiri (~> 1.6.7, >= 1.6.7.2)
+  nokogiri (~> 1.8.0)
  oauth2 (~> 1.4)
  octokit (~> 4.6.2)
  oj (~> 2.17.4)
@@ -1068,7 +1069,7 @@ DEPENDENCIES
  omniauth-auth0 (~> 1.4.1)
  omniauth-authentiq (~> 0.3.1)
  omniauth-azure-oauth2 (~> 0.0.6)
-  omniauth-cas3 (~> 1.1.2)
+  omniauth-cas3 (~> 1.1.4)
  omniauth-facebook (~> 4.0.0)
  omniauth-github (~> 1.1.1)
  omniauth-gitlab (~> 1.0.2)
@@ -1159,7 +1160,7 @@ DEPENDENCIES
  thin (~> 1.7.0)
  timecop (~> 0.8.0)
  toml-rb (~> 0.3.15)
-  truncato (~> 0.7.8)
+  truncato (~> 0.7.9)
  u2f (~> 0.2.1)
  uglifier (~> 2.7.2)
  unf (~> 0.1.4)

--- a/changelogs/unreleased/fix-gem-security-updates.yml
+++ b/changelogs/unreleased/fix-gem-security-updates.yml
+---
+title: Upgrade mail and nokogiri gems due to security issues
+merge_request: 13662
+author: Markus Koller
+type: security
--- a/scripts/static-analysis
+++ b/scripts/static-analysis
@@ -3,7 +3,7 @@
 require ::File.expand_path('../lib/gitlab/popen', __dir__)

 tasks = [
-  %w[bundle exec bundle-audit check --update --ignore CVE-2016-4658 CVE-2017-5029],
+  %w[bundle exec bundle-audit check --update],
  %w[bundle exec rake config_lint],
  %w[bundle exec rake flay],
  %w[bundle exec rake haml_lint],