Update vulnerable Rubocop once update available (CVE-2017-8418)

[david-a-wheeler]

There is a security alert for rubocop; details below. It's a /tmp vulnerability; "Malicious local users could exploit this to tamper with cache files belonging to other users."

Nobody should have untrusted (other) local users on the machines with direct commit rights anyway, so I'm documenting that as a constraint in security.md, and we'll update when an update is available. So this should not affect us.

Here are the details:

 Gems_big Alerts for rubocop
Security alert open on May 29, 2017 08:39
CVE-2017-8418 - Insecure use of /tmp
RuboCop uses /tmp to store cache files insecurely.
Malicious local users could exploit this to tamper with cache files belonging to other users.

    Fixed versions: 0.49.1
    Identifier: CVE-2017-8418
    Solution: There is no solution for this vulnerability at the moment.
    Credit: Jakub Wilk
    Sources: https://github.com/bbatsov/rubocop/issues/4336
    https://github.com/bbatsov/rubocop/commit/dcb258fabd5f2624c1ea0e1634763094590c09d7 

[dankohn]

We're also waiting for a new RuboCop to fix this non-security issue: rubocop/rubocop#4412 (comment)

[david-a-wheeler]

Jason - thanks. Now if we could only get the mail gem to work that quickly.