Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

upgrade OpenSSL, RubyGems, and Rails to address multiple CVEs #1798

Merged
merged 3 commits into from
Mar 14, 2019
Merged

upgrade OpenSSL, RubyGems, and Rails to address multiple CVEs #1798

merged 3 commits into from
Mar 14, 2019

Conversation

robbkidd
Copy link
Contributor

@robbkidd robbkidd commented Mar 14, 2019
edited
Loading

Description

Updated omnibus and omnibus software to:

  • Upgrade OpenSSL to quiet vulnerability scanners about CVE-2019-1559
  • Upgrade RubyGems to quiet vulnerability scanners about multiple vulnerabilities
    • CVE-2019-8320: Delete directory using symlink when decompressing tar
    • CVE-2019-8321: Escape sequence injection vulnerability in verbose
    • CVE-2019-8322: Escape sequence injection vulnerability in gem owner
    • CVE-2019-8323: Escape sequence injection vulnerability in API response handling
    • CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
    • CVE-2019-8325: Escape sequence injection vulnerability in errors

Updated Rails in the web application to address:

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.

@robbkidd
update omnibus and omnibus-software to get new OpenSSL
338fe4f 
Signed-off-by: Robb Kidd <rkidd@chef.io>
@robbkidd
remove the pin for rubygems
4837842 
Issues with bundling in omnibus builds appear to be resolved now.

Signed-off-by: Robb Kidd <rkidd@chef.io>
@robbkidd
upgrade Rails to 5.0.7.2
a8390b0 
Addresses CVE-2019-5418[1] and CVE-2019-5419[2]

[1] https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
[2] https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI

Signed-off-by: Robb Kidd <rkidd@chef.io>
@robbkidd robbkidd requested a review from a team March 14, 2019 17:26
@robbkidd robbkidd added the Aspect: Security Can an unwanted third party affect the stability or look at privileged information? label Mar 14, 2019
@robbkidd robbkidd changed the title upgrade OpenSSL, RubyGems, and Rails upgrade OpenSSL, RubyGems, and Rails to address multiple CVEs Mar 14, 2019
@robbkidd robbkidd merged commit f98a91d into master Mar 14, 2019
@chef-ci chef-ci deleted the robb/upgrade-openssl branch March 14, 2019 17:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tyler-ball tyler-ball tyler-ball approved these changes

Assignees
No one assigned
Labels
Aspect: Security Can an unwanted third party affect the stability or look at privileged information?
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@robbkidd @tyler-ball