From abed0d644507b1b6868ee8379660029c651b71f0 Mon Sep 17 00:00:00 2001
From: Victor Koronen
Date: Sun, 24 Jan 2016 10:23:38 +0100
Subject: [PATCH] Update vulnerable gems

Updates four vulnerable gems, as reported by the `bundler-audit` gem.

- [X] activesupport
- [X] nokogiri
- [X] rack
- [X] rest-client

$ bundle-audit check
Name: activesupport
Version: 4.0.13
Advisory: CVE-2015-3227
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Title: Possible Denial of Service attack in Active Support
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

Name: nokogiri
Version: 1.6.1
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1

Name: nokogiri
Version: 1.6.1
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Solution: upgrade to >= 1.6.7.2

Name: nokogiri
Version: 1.6.1
Advisory: CVE-2015-1819
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.6.1
Advisory: 118481
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/pull/1087
Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS
Solution: upgrade to >= 1.6.3

Name: rack
Version: 1.5.2
Advisory: CVE-2015-3225
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
Title: Potential Denial of Service Vulnerability in Rack
Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6

Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-1820
Criticality: Unknown
URL: https://github.com/rest-client/rest-client/issues/369
Title: rubygem-rest-client: session fixation vulnerability via
Set-Cookie headers in 30x redirection responses Solution: upgrade to >= 1.8.0 Name: rest-client Version: 1.6.7 Advisory: CVE-2015-3448 Criticality: Unknown URL: http://www.osvdb.org/show/osvdb/117461 Title: Rest-Client Gem for Ruby logs password information in plaintext Solution: upgrade to >= 1.7.3 Vulnerabilities found! --- Gemfile | 10 +++---- Gemfile.lock | 80 +++++++++++++++++++++++++++++----------------------- 2 files changed, 50 insertions(+), 40 deletions(-) diff --git a/Gemfile b/Gemfile index b7546e9db..e4106a956 100644 --- a/Gemfile +++ b/Gemfile @@ -23,16 +23,16 @@ group :development, :test do gem "timecop", "~> 0.7.1" end -gem "activerecord", "~> 4.0" -gem "arel", "~> 4.0.2" +gem "activerecord", "~> 4.1" +gem "arel", "~> 5.0" gem "bcrypt-ruby", "~> 3.1.2" -gem "delayed_job", "~> 4.0" -gem "delayed_job_active_record", "~> 4.0" +gem "delayed_job", "~> 4.1" +gem "delayed_job_active_record", "~> 4.1" gem "feedbag", "~> 0.9.2" gem "feedjira", "~> 1.3.0" gem "i18n", "~> 0.6.9" gem "loofah", "~> 2.0.0" -gem "nokogiri", "~> 1.6" +gem "nokogiri", "~> 1.6", ">= 1.6.7.2" gem "rack-ssl", "~> 1.4.1" gem "racksh", "~> 1.0" gem "rake", "~> 10.1", ">= 10.1.1" diff --git a/Gemfile.lock b/Gemfile.lock index c1f0ed65b..5314fa0d8 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -1,28 +1,26 @@ GEM remote: https://rubygems.org/ specs: - activemodel (4.0.13) - activesupport (= 4.0.13) - builder (~> 3.1.0) - activerecord (4.0.13) - activemodel (= 4.0.13) - activerecord-deprecated_finders (~> 1.0.2) - activesupport (= 4.0.13) - arel (~> 4.0.0) - activerecord-deprecated_finders (1.0.3) - activesupport (4.0.13) + activemodel (4.1.14) + activesupport (= 4.1.14) + builder (~> 3.1) + activerecord (4.1.14) + activemodel (= 4.1.14) + activesupport (= 4.1.14) + arel (~> 5.0.0) + activesupport (4.1.14) i18n (~> 0.6, >= 0.6.9) - minitest (~> 4.2) - multi_json (~> 1.3) + json (~> 1.7, >= 1.7.7) + minitest (~> 5.1) thread_safe (~> 0.1) - tzinfo (~> 0.3.37) - arel (4.0.2) + tzinfo (~> 1.1) + arel (5.0.1.20140414130214) ast (2.1.0) astrolabe (1.3.1) parser (~> 2.2) backports (3.6.1) bcrypt-ruby (3.1.2) - builder (3.1.4) + builder (3.2.2) byebug (2.5.0) columnize (~> 0.3.6) debugger-linecache (~> 1.2.0) @@ -42,13 +40,15 @@ GEM thor curb (0.8.6) debugger-linecache (1.2.0) - delayed_job (4.0.0) - activesupport (>= 3.0, < 4.1) - delayed_job_active_record (4.0.0) - activerecord (>= 3.0, < 4.1) - delayed_job (>= 3.0, < 4.1) + delayed_job (4.1.1) + activesupport (>= 3.0, < 5.0) + delayed_job_active_record (4.1.0) + activerecord (>= 3.0, < 5) + delayed_job (>= 3.0, < 5) diff-lcs (1.2.5) docile (1.1.1) + domain_name (0.5.25) + unf (>= 0.0.5, < 1.0.0) faker (1.2.0) i18n (~> 0.5) feedbag (0.9.2) @@ -58,18 +58,22 @@ GEM loofah (~> 2.0.0) sax-machine (~> 0.2.1) hpricot (0.8.6) + http-cookie (1.0.2) + domain_name (~> 0.5) i18n (0.6.11) jsmin (1.0.1) + json (1.8.3) kgio (2.9.3) loofah (2.0.0) nokogiri (>= 1.5.9) method_source (0.8.2) - mime-types (2.0) - mini_portile (0.5.2) - minitest (4.7.5) - multi_json (1.11.0) - nokogiri (1.6.1) - mini_portile (~> 0.5.0) + mime-types (2.99) + mini_portile2 (2.0.0) + minitest (5.8.4) + multi_json (1.11.2) + netrc (0.11.0) + nokogiri (1.6.7.2) + mini_portile2 (~> 2.0.0.rc2) parser (2.2.3.0) ast (>= 1.1, < 3.0) pg (0.17.1) 
@@ -81,7 +85,7 @@ GEM pry-byebug (1.2.0) byebug (~> 2.2) pry (~> 0.9.12) - rack (1.5.2) + rack (1.6.4) rack-protection (1.5.3) rack rack-ssl (1.4.1) @@ -94,8 +98,10 @@ GEM rainbow (2.0.0) raindrops (0.13.0) rake (10.1.1) - rest-client (1.6.7) - mime-types (>= 1.16) + rest-client (1.8.0) + http-cookie (>= 1.0.2, < 2.0) + mime-types (>= 1.16, < 3.0) + netrc (~> 0.7) rspec (2.14.1) rspec-core (~> 2.14.0) rspec-expectations (~> 2.14.0) @@ -155,7 +161,11 @@ GEM tilt (1.4.1) timecop (0.7.1) tins (0.13.1) - tzinfo (0.3.43) + tzinfo (1.2.2) + thread_safe (~> 0.1) + unf (0.1.4) + unf_ext + unf_ext (0.0.7.1) unicorn (4.7.0) kgio (~> 2.6) rack @@ -168,19 +178,19 @@ PLATFORMS ruby DEPENDENCIES - activerecord (~> 4.0) - arel (~> 4.0.2) + activerecord (~> 4.1) + arel (~> 5.0) bcrypt-ruby (~> 3.1.2) capybara (~> 2.4.1) coveralls (~> 0.7) - delayed_job (~> 4.0) - delayed_job_active_record (~> 4.0) + delayed_job (~> 4.1) + delayed_job_active_record (~> 4.1) faker (~> 1.2) feedbag (~> 0.9.2) feedjira (~> 1.3.0) i18n (~> 0.6.9) loofah (~> 2.0.0) - nokogiri (~> 1.6) + nokogiri (~> 1.6, >= 1.6.7.2) pg (~> 0.17.1) pry-byebug (~> 1.2) rack-protection (~> 1.5.3)
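Review bot: in the Gemfile hunk (@@ -23,16 +23,16 @@), the activesupport advisory quoted in the message gives a floor of ~> 4.1.11, but the new constraint `gem "activerecord", "~> 4.1"` admits 4.1.0; the fixed version is held by Gemfile.lock alone. Record the floor in the Gemfile the way the nokogiri line does, e.g. `gem "activerecord", "~> 4.1", ">= 4.1.11"`, so a later `bundle update` cannot resolve below it. The subject line also undersells the change: moving activerecord to 4.1, arel 4 to 5 and delayed_job 4.0 to 4.1 is a framework minor upgrade with its own behaviour changes, not a patch-level security bump, and the commit message should say so up front.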
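Review bot: the first Gemfile.lock hunk (@@ -1,28 +1,26 @@) silently drops activerecord-deprecated_finders, which the 4.0.13 resolution carried, and moves minitest 4.7 to 5.x and tzinfo 0.3 to 1.x; none of this appears in the commit message. State whether the code base was checked for the pre-4.0 finder forms that gem kept alive under 4.0, or at least that the suite passed on 4.1.14, so a reviewer can tell the upgrade was verified rather than merely resolved.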
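Review bot: in the hunk that lands nokogiri 1.6.7.2 (@@ -58,18 +58,22 @@), the libxml2/libxslt advisories are closed only for the libxml2 that nokogiri vendors and builds through mini_portile2; any environment that installs the gem with `--use-system-libraries` (or NOKOGIRI_USE_SYSTEM_LIBRARIES set) gets the host's libxml2 instead, and the fix then depends on that package's version. Check the deploy/container config for that flag or note in the message that the vendored build is used everywhere. Same hunk: rest-client 1.8.0's `mime-types (>= 1.16, < 3.0)` resolves to mime-types 2.99, the last 2.x release and the one that carries the 3.0 deprecation notices, so expect new deprecation output in logs from this change.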
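Review bot: the rack hunk (@@ -81,7 +85,7 @@) satisfies the CVE-2015-3225 floor (>= 1.6.2) with 1.6.4, but nothing in the Gemfile records it: rack is only a transitive dependency here (rack-protection, rack-ssl and unicorn all depend on unconstrained `rack`), so the fix lives solely in the lock. Add `gem "rack", ">= 1.6.2"` to the Gemfile so the floor survives a later resolution instead of depending on whichever version the next `bundle update` happens to pick.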
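Review bot: the rest-client hunk (@@ -94,8 +98,10 @@) covers both CVE-2015-1820 (>= 1.8.0) and CVE-2015-3448 (>= 1.7.3), but 1.6.7 to 1.8.0 also pulls in http-cookie, domain_name, netrc and, via unf, the unf_ext native extension, so deployment hosts now need to compile one more gem; the commit message should list that. The session fixation fix is itself a behaviour change in how cookies received on 30x responses are carried into the follow-up request, so any call site that relied on the old redirect cookie handling needs a look before this merges.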
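Review bot: the tzinfo hunk (@@ -155,7 +161,11 @@) takes tzinfo from 0.3.43 to 1.2.2, a major-version change forced by activesupport 4.1's `tzinfo (~> 1.1)`. tzinfo 1.x reads zone data from the system zoneinfo directory and otherwise falls back to the tzinfo-data gem, which is not in this lock; on a host or image without /usr/share/zoneinfo, time zone lookups fail at runtime. Either confirm zoneinfo is present on every deployment target or add `gem "tzinfo-data"` to the Gemfile.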
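Review bot: the DEPENDENCIES hunk (@@ -168,19 +178,19 @@) shows that only nokogiri carries an explicit security floor (`>= 1.6.7.2`); activerecord, arel and delayed_job are held by pessimistic ranges whose lower bounds predate the fixes, and rack and rest-client do not appear here at all, so three of the four advisories are fixed only by the lockfile. Since that is fragile, add `bundle-audit check --update` to CI so a regression on a future resolution is caught automatically rather than by someone re-running the audit by hand.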