From f2ce9fa17fbf2edd29bb9e78ffca3b8dd50c5529 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?= <me@mrzyx.de>
Date: Mon, 11 Feb 2013 20:51:02 +0100
Subject: [PATCH] * Fix CVE-2013-0269 by updating the gems json to 1.7.7 and
 multi\_json to 1.5.1. [Read
 more](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58)
 * Additionally ensure the issue in the linked Rails advisory can't affect us by bumping Rails to 3.2.12. [Read
 more](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/AFBKNY7VSH8)
 * And exclude CVE-2013-0262 and CVE-2013-0263 by updating rack to 1.4.5.

---
 Changelog.md        |  6 +++++
 Gemfile             |  4 +--
 Gemfile.lock        | 64 ++++++++++++++++++++++-----------------------
 config/defaults.yml |  2 +-
 4 files changed, 41 insertions(+), 35 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index d4f9a5727d..8562eed194 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,9 @@
+# 0.0.2.5
+
+* Fix CVE-2013-0269 by updating the gems json to 1.7.7 and multi\_json to 1.5.1. [Read more](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58)
+* Additionally ensure can't affect us by bumping Rails to 3.2.12. [Read more](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/AFBKNY7VSH8)
+* And exclude CVE-2013-0262 and CVE-2013-0263 by updating rack to 1.4.5.
+
 # 0.0.2.4
 
 * Fix XSS vulnerabilities caused by not escaping a users name fields when loading it from JSON. [#3948](https://github.com/diaspora/diaspora/issues/3948)
diff --git a/Gemfile b/Gemfile
index 040b71f87f..1a9f6bc44c 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,6 +1,6 @@
 source 'http://rubygems.org'
 
-gem 'rails', '3.2.11'
+gem 'rails', '3.2.12'
 
 gem 'foreman', '0.60.2'
 
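Review bot: The context line `source 'http://rubygems.org'` at the top of this hunk fetches gems over plaintext HTTP, so the patched rails, json and rack releases this commit pulls in are downloaded without transport integrity. Since this is a security update, consider switching to `source 'https://rubygems.org'` in the same change. The `remote:` entry in Gemfile.lock would then follow on the next `bundle install`.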
@@ -63,7 +63,7 @@ gem 'mini_magick', '3.4'
 
 # JSON and API
 
-gem 'json', '1.7.5'
+gem 'json', '1.7.7'
 gem 'acts_as_api', '0.4.1 '
 
 # localization
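Review bot: The commit message credits multi_json 1.5.1 as part of the CVE-2013-0269 fix, but this hunk pins only `json` and no hunk adds a multi_json entry to the Gemfile. The lockfile hunks show its dependents asking only for `multi_json (~> 1.0)` and `multi_json (>= 1.0)`, so the 1.5.1 floor appears to live in Gemfile.lock alone and could be lost if the lock is regenerated or resolved conservatively. By contrast, rack 1.4.5 is enforced through actionpack's `rack (~> 1.4.5)` requirement. If the fix depends on multi_json, declare it next to the json line, e.g. `gem 'multi_json', '>= 1.5.1'`.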
diff --git a/Gemfile.lock b/Gemfile.lock
index a981e70bcc..d182224e1a 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -17,34 +17,34 @@ GIT
 GEM
   remote: http://rubygems.org/
   specs:
-    actionmailer (3.2.11)
-      actionpack (= 3.2.11)
+    actionmailer (3.2.12)
+      actionpack (= 3.2.12)
       mail (~> 2.4.4)
-    actionpack (3.2.11)
-      activemodel (= 3.2.11)
-      activesupport (= 3.2.11)
+    actionpack (3.2.12)
+      activemodel (= 3.2.12)
+      activesupport (= 3.2.12)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.4)
-      rack (~> 1.4.0)
+      rack (~> 1.4.5)
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.2.1)
-    activemodel (3.2.11)
-      activesupport (= 3.2.11)
+    activemodel (3.2.12)
+      activesupport (= 3.2.12)
       builder (~> 3.0.0)
-    activerecord (3.2.11)
-      activemodel (= 3.2.11)
-      activesupport (= 3.2.11)
+    activerecord (3.2.12)
+      activemodel (= 3.2.12)
+      activesupport (= 3.2.12)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
     activerecord-import (0.2.11)
       activerecord (~> 3.0)
       activerecord (~> 3.0)
-    activeresource (3.2.11)
-      activemodel (= 3.2.11)
-      activesupport (= 3.2.11)
-    activesupport (3.2.11)
+    activeresource (3.2.12)
+      activemodel (= 3.2.12)
+      activesupport (= 3.2.12)
+    activesupport (3.2.12)
       i18n (~> 0.6)
       multi_json (~> 1.0)
     acts-as-taggable-on (2.3.3)
@@ -208,7 +208,7 @@ GEM
       jquery-rails
       railties (>= 3.1.0)
     jruby-pageant (1.1.1)
-    json (1.7.5)
+    json (1.7.7)
     jwt (0.1.5)
       multi_json (>= 1.0)
     kaminari (0.14.1)
@@ -225,13 +225,13 @@ GEM
       treetop (~> 1.4.8)
     messagebus_ruby_api (1.0.3)
     method_source (0.8.1)
-    mime-types (1.19)
+    mime-types (1.21)
     mini_magick (3.4)
       subexec (~> 0.2.1)
     mobile-fu (1.1.0)
       rack-mobile-detect
       rails
-    multi_json (1.5.0)
+    multi_json (1.5.1)
     multipart-post (1.1.5)
     mysql2 (0.3.11)
     nested_form (0.2.3)
@@ -273,7 +273,7 @@ GEM
       coderay (~> 1.0.5)
       method_source (~> 0.8)
       slop (~> 3.3.1)
-    rack (1.4.4)
+    rack (1.4.5)
     rack-cache (1.2)
       rack (>= 0.4)
     rack-cors (0.2.7)
@@ -292,14 +292,14 @@ GEM
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (3.2.11)
-      actionmailer (= 3.2.11)
-      actionpack (= 3.2.11)
-      activerecord (= 3.2.11)
-      activeresource (= 3.2.11)
-      activesupport (= 3.2.11)
+    rails (3.2.12)
+      actionmailer (= 3.2.12)
+      actionpack (= 3.2.12)
+      activerecord (= 3.2.12)
+      activeresource (= 3.2.12)
+      activesupport (= 3.2.12)
       bundler (~> 1.0)
-      railties (= 3.2.11)
+      railties (= 3.2.12)
     rails-i18n (0.7.0)
       i18n (~> 0.5)
     rails_admin (0.2.0)
@@ -318,9 +318,9 @@ GEM
       sass-rails (~> 3.1)
     rails_autolink (1.0.9)
       rails (~> 3.1)
-    railties (3.2.11)
-      actionpack (= 3.2.11)
-      activesupport (= 3.2.11)
+    railties (3.2.12)
+      actionpack (= 3.2.12)
+      activesupport (= 3.2.12)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
@@ -330,7 +330,7 @@ GEM
     rb-fsevent (0.9.2)
     rb-inotify (0.8.8)
       ffi (>= 0.5.0)
-    rdoc (3.12)
+    rdoc (3.12.1)
       json (~> 1.4)
     redcarpet (2.2.2)
     redis (3.0.2)
@@ -456,7 +456,7 @@ DEPENDENCIES
   i18n-inflector-rails (~> 1.0)
   jasmine (= 1.2.1)
   jquery-rails (= 2.1.3)
-  json (= 1.7.5)
+  json (= 1.7.7)
   markerb!
   messagebus_ruby_api (= 1.0.3)
   mini_magick (= 3.4)
@@ -473,7 +473,7 @@ DEPENDENCIES
   rack-protection (= 1.2)
   rack-rewrite (= 1.3.1)
   rack-ssl (= 1.3.2)
-  rails (= 3.2.11)
+  rails (= 3.2.12)
   rails-i18n (= 0.7.0)
   rails_admin (= 0.2.0)
   rails_autolink (= 1.0.9)
diff --git a/config/defaults.yml b/config/defaults.yml
index 08acbc3318..8eadddfc71 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -4,7 +4,7 @@
 
 defaults:
   version:
-    number: "0.0.2.4"
+    number: "0.0.2.5"
     release: true # Do not touch unless in a merge conflict on doing a release, master should have a commit setting this to true which is not backported to the develop branch.
   heroku: false
   environment:
-- 
GitLab