[Security] Update rubyzip requirement from ~> 1.2.2 to >= 1.2.2, < 2.1.0 #67

dependabot-preview · 2019-10-01T18:51:09Z

Updates the requirements on rubyzip to permit the latest version.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Denial of Service in rubyzip ("zip bombs")
In Rubyzip before 1.3.0, a crafted ZIP file can bypass application
checks on ZIP entry sizes because data about the uncompressed size
can be spoofed. This allows attackers to cause a denial of service
(disk consumption).

Patched versions: >= 1.3.0
Unaffected versions: none

Release notes

Sourced from rubyzip's releases.

v2.0.0

Security

Default the validate_entry_sizes option to true, so that callers can trust an entry's reported size when using extract #403

This option defaulted to false in 1.3.0 for backward compatibility, but it now defaults to true. If you are using an older version of ruby and can't yet upgrade to 2.x, you can still use 1.3.0 and set the option to true.

Tooling / Documentation

Remove test files from the gem to avoid problems with antivirus detections on the test files #405 / #384

Drop support for unsupported ruby versions #406

v1.3.0

Security

Add validate_entry_sizes option so that callers can trust an entry's reported size when using extract #403

This option defaults to false for backward compatibility in this release, but you are strongly encouraged to set it to true. It will default to true in rubyzip 2.0.

New Feature

Add add_stored method to simplify adding entries without compression #366

Tooling / Documentation

Add more gem metadata links #402

v1.2.4

Do not rewrite zip files opened with open_buffer that have not changed #360

Tooling / Documentation

Update example_recursive.rb in README #397

Hold CI at trusty for now, automatically pick the latest ruby patch version, use rbx-4 and hold jruby at 9.1 #399

Changelog

Sourced from rubyzip's changelog.

2.0.0 (2019-09-25)

Security

Default the validate_entry_sizes option to true, so that callers can trust an entry's reported size when using extract #403

This option defaulted to false in 1.3.0 for backward compatibility, but it now defaults to true. If you are using an older version of ruby and can't yet upgrade to 2.x, you can still use 1.3.0 and set the option to true.

Tooling / Documentation

Remove test files from the gem to avoid problems with antivirus detections on the test files #405 / #384

Drop support for unsupported ruby versions #406

1.3.0 (2019-09-25)

Security

Add validate_entry_sizes option so that callers can trust an entry's reported size when using extract #403

This option defaults to false for backward compatibility in this release, but you are strongly encouraged to set it to true. It will default to true in rubyzip 2.0.

New Feature

Add add_stored method to simplify adding entries without compression #366

Tooling / Documentation

Add more gem metadata links #402

1.2.4 (2019-09-06)

Do not rewrite zip files opened with open_buffer that have not changed #360

Tooling / Documentation

Update example_recursive.rb in README #397

Hold CI at trusty for now, automatically pick the latest ruby patch version, use rbx-4 and hold jruby at 9.1 #399

Commits

2825898 Merge pull request #408 from rubyzip/v2-0-0
cb407b1 Bump version to 2.0.0
e1d9af6 Merge pull request #406 from rubyzip/bump-supported-ruby
3641a96 Merge pull request #405 from rubyzip/remove-test-files
e79d9ea Merge pull request #407 from rubyzip/v1-3-0
7c65e1e Bump version to 1.3.0
d65fe7b Merge pull request #403 from rubyzip/check-size
35446f4 Drop old ruby and JDK versions from CI
74d4bec Remove test files from gem
97cb6ae Warn when an entry size is invalid
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
@dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

Update frequency (including time of day and day of week)
Pull request limits (per update run and/or open at any time)
Automerge options (never/patch/minor, and dev/runtime dependencies)
Out-of-range updates (receive only lockfile updates, if desired)
Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Updates the requirements on [rubyzip](https://github.com/rubyzip/rubyzip) to permit the latest version. - [Release notes](https://github.com/rubyzip/rubyzip/releases) - [Changelog](https://github.com/rubyzip/rubyzip/blob/master/Changelog.md) - [Commits](rubyzip/rubyzip@v1.2.3...v2.0.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

…s ruby 2.4

* Fixed SDC loading to work with newer DRC measures. And cherry-pick work from master. (#39) * Fixed SDC loading to work with newer DRC measures. - Fixed issues with most data criteria getting thrown out. * Bring over dependabot nokogiri update and the simplexml_parser removal from #30. [Security] Update nokogiri requirement from ~> 1.8.5 to >= 1.8.5, < 1.11.0 Updates the requirements on [nokogiri](https://github.com/sparklemotion/nokogiri) to permit the latest version. - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md) - [Commits](sparklemotion/nokogiri@v1.8.5...v1.10.3) * Add the hqmf identifier to a statement reference (#25) * Port ratio/proportional cv fix from hds and add tests (#48) * codeListId and hqmfOid are both needed for sdc uniqueness * Add descriptive error message if model cannot be found * 2019 standards update (#63) * 2019 standards update entry point fix (#54) * fixed gem entry point file to be named properly * fix issue with loading api uploaded files (#55) * [Security] Bump nokogiri from 1.10.3 to 1.10.4 * Bump cqm-models version to 3.0.0 * [Security] Update rubyzip requirement from ~> 1.2.2 to >= 1.2.2, < 2.1.0 (#67) * [Security] Update rubyzip requirement from ~> 1.2.2 to >= 1.2.2, < 2.1.0 Updates the requirements on [rubyzip](https://github.com/rubyzip/rubyzip) to permit the latest version. - [Release notes](https://github.com/rubyzip/rubyzip/releases) - [Changelog](https://github.com/rubyzip/rubyzip/blob/master/Changelog.md) - [Commits](rubyzip/rubyzip@v1.2.3...v2.0.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * Updated rubyzip dependency to be less than version 2.x, which requires ruby 2.4 * BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages * BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages * BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages * Bonnie-593(ONCJira) test case fix * BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages Fixed vulnerability: sparklemotion/nokogiri#1943 * BONNIE-587 Error loading VSAC value sets(ONC jira id) * Updated version of bonnie_version cqm-parser branch (#71) * Updated version of bonnie_version cqm-parser branch * Updated cqm-parser (binnie_viersion branch) * Remove unnecessary fixtures and re-include test_5_4_CQL_measure_with_drc Co-authored-by: hossenlopp <hossenlopp@mitre.org> Co-authored-by: Luke Osborne <luke.w.osborne@gmail.com> Co-authored-by: dczulada <dczulada@users.noreply.github.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Ashok Dongare <ashok.dongare@semanticbits.com>

* Fixed SDC loading to work with newer DRC measures. And cherry-pick work from master. (#39) * Fixed SDC loading to work with newer DRC measures. - Fixed issues with most data criteria getting thrown out. * Bring over dependabot nokogiri update and the simplexml_parser removal from #30. [Security] Update nokogiri requirement from ~> 1.8.5 to >= 1.8.5, < 1.11.0 Updates the requirements on [nokogiri](https://github.com/sparklemotion/nokogiri) to permit the latest version. - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md) - [Commits](sparklemotion/nokogiri@v1.8.5...v1.10.3) * Add the hqmf identifier to a statement reference (#25) * Port ratio/proportional cv fix from hds and add tests (#48) * codeListId and hqmfOid are both needed for sdc uniqueness * Add descriptive error message if model cannot be found * 2019 standards update (#63) * 2019 standards update entry point fix (#54) * fixed gem entry point file to be named properly * fix issue with loading api uploaded files (#55) * [Security] Bump nokogiri from 1.10.3 to 1.10.4 * Bump cqm-models version to 3.0.0 * [Security] Update rubyzip requirement from ~> 1.2.2 to >= 1.2.2, < 2.1.0 (#67) * [Security] Update rubyzip requirement from ~> 1.2.2 to >= 1.2.2, < 2.1.0 Updates the requirements on [rubyzip](https://github.com/rubyzip/rubyzip) to permit the latest version. - [Release notes](https://github.com/rubyzip/rubyzip/releases) - [Changelog](https://github.com/rubyzip/rubyzip/blob/master/Changelog.md) - [Commits](rubyzip/rubyzip@v1.2.3...v2.0.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * Updated rubyzip dependency to be less than version 2.x, which requires ruby 2.4 * BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages * BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages * BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages * Bonnie-593(ONCJira) test case fix * BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages Fixed vulnerability: sparklemotion/nokogiri#1943 * BONNIE-587 Error loading VSAC value sets(ONC jira id) * Updated version of bonnie_version cqm-parser branch (#71) * Updated version of bonnie_version cqm-parser branch * Updated cqm-parser (binnie_viersion branch) * BONNIEMAT-614 Bonnie only processing one of two measure observations(oncjira) * [Security] Bump nokogiri from 1.10.5 to 1.10.8 (#76) Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.5 to 1.10.8. **This update includes a security fix.** - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md) - [Commits](sparklemotion/nokogiri@v1.10.5...v1.10.8) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * [Security] Bump rake from 12.3.1 to 12.3.3 (#77) Bumps [rake](https://github.com/ruby/rake) from 12.3.1 to 12.3.3. **This update includes a security fix.** - [Release notes](https://github.com/ruby/rake/releases) - [Changelog](https://github.com/ruby/rake/blob/master/History.rdoc) - [Commits](ruby/rake@v12.3.1...v12.3.3) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * MAT1385_rails_upgrade_bv (#87) * made necessary upgrades to line up with bonnie's rails upgrade -> 5.2 * removed deprecated require * updated codecov (0.1.14 -> 0.2.5) and json (2.1.0 -> 2.3.1) to fix 'Title: json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)' * MAT-1308_update_cqm_models (#107) * cqm-models 3.0.0 -> 3.0.3 * ran bundle install * Mat 1708 (#112) * BONNIEMAT-623 & BONNIEMAT-629 cql-integration change * cqm-models version upgrade * [MAT-1757] Replacing VSAC Username/Password with API Key in VSAC Calls (#114) * Replacing vsac username/password with api key. * Checking for nil via safe navigation on single_code_concepts hash before checking sub-hash. When QDM datatype template has includeSubTemplate, the single_code_concepts hash will not have a related key to access the sub-hash. * Replacing safe nav operator with Hash.dig to better handle the nested hashes. * pull in cqm-model v3.0.6 version (#129) * MAT-2803 (#143) * MAT-2803 Update Bonnie to support UTF8 - QDM * Ruby 2.7.2 warnings fix * MAT-2647 Update cqm-parsers to QDM 5.6 (#148) * MAT-2647 Update cqm-parsers to QDM 5.6 * MAT-2647 Update cqm-parsers to QDM 5.6 * added git actions * removed travis.yaml * Integrate from cqm-models MAT-2993 Failed to initialize Data element with class attribute in Bonnie (#149) * ecurity vulnerabilty nokogiry (#150) * MAT-2837: Using published version of cqm-models (v4.0.0) instead of branch * bump nokogiri in case of security vulnerability * Baseline for v4.0.0 release * update Gemfile * git ignore Gemfile.lock * move ci workflow and add gitleaks.toml * address rubocop concerns * revert activesupport to support rails 5 * Bring mongoid back to 6 Co-authored-by: hossenlopp <hossenlopp@mitre.org> Co-authored-by: Luke Osborne <lwosborne@mitre.org> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Ashok <ashok.dongare@semanticbits.com> Co-authored-by: Daniel Mee <danmee10@gmail.com> Co-authored-by: Joe Kotanchik <56264529+jkotanchik-SB@users.noreply.github.com> Co-authored-by: Joe Kotanchik <joseph.kotanchik@semanticbits.com> Co-authored-by: Andrew Bird <andrew.bird@semanticbits.com>

dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Oct 1, 2019

AndrewBird81 requested review from lukoktonos and jbradl11 October 1, 2019 18:53

Updated rubyzip dependency to be less than version 2.x, which require…

71e9f7e

…s ruby 2.4

lukoktonos approved these changes Oct 1, 2019

View reviewed changes

AndrewBird81 approved these changes Oct 1, 2019

View reviewed changes

AndrewBird81 merged commit 61a1064 into bonnie_version Oct 1, 2019

AndrewBird81 deleted the dependabot/bundler/bonnie_version/rubyzip-gte-1.2.2-and-lt-2.1.0 branch October 1, 2019 20:15

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Update rubyzip requirement from ~> 1.2.2 to >= 1.2.2, < 2.1.0 #67

[Security] Update rubyzip requirement from ~> 1.2.2 to >= 1.2.2, < 2.1.0 #67

dependabot-preview bot commented Oct 1, 2019

[Security] Update rubyzip requirement from ~> 1.2.2 to >= 1.2.2, < 2.1.0 #67

[Security] Update rubyzip requirement from ~> 1.2.2 to >= 1.2.2, < 2.1.0 #67

Conversation

dependabot-preview bot commented Oct 1, 2019

v2.0.0

v1.3.0

v1.2.4

2.0.0 (2019-09-25)

1.3.0 (2019-09-25)

1.2.4 (2019-09-06)