[security] updated sidekiq to fix 3 security vulnerabilities

2025-02-19 13:54:25 +01:00 · 2019-07-29 11:34:59 +02:00 · 2019-07-29 11:34:59 +02:00 · 1be7bda603
commit 1be7bda603
parent 3a0807b354
4 changed files with 28 additions and 26 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,9 +1,12 @@
 # Changelog Fab Manager

 - Fix a bug: no user can be created after the last member was deleted
- Fix a security issue: updated to lodash 4.17.14 to fix [CVE-2019-10744](https://github.com/lodash/lodash/pull/4336)
+- Fix a security issue: updated lodash to 4.17.14 to fix [CVE-2019-10744](https://github.com/lodash/lodash/pull/4336)
+- Fix a security issue: updated mini_magick to 4.9.4 to fix [CVE-2019-13574](https://nvd.nist.gov/vuln/detail/CVE-2019-13574)
+- Fix some security issues: updated bootstrap to 3.4.1 to fix [CVE-2019-8331](https://nvd.nist.gov/vuln/detail/CVE-2019-8331), [CVE-2019-14041](https://nvd.nist.gov/vuln/detail/CVE-2018-14041), and 3 other low severity CVE
+- Fix some security issues: updated sidekiq to 5.2.7 to fix XSS and CRSF issues
 - Removed dependency to jQuery UI
- Updated angular-xeditable
+- Updated angular-xeditable, to remove dependency to jquery 1.11.1

 ## v4.0.2 2019 July 10

--- a/3
+++ b/3
@ -97,7 +97,8 @@ gem 'friendly_id', '~> 5.1.0'
 gem 'aasm'

 # Background job processing
-gem 'sidekiq'
+gem 'sidekiq', '>= 3.4.2'
+gem 'redis-namespace'
 gem 'sinatra', require: false
 # Recurring jobs for Sidekiq
 gem 'sidekiq-cron'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -85,8 +85,6 @@ GEM
      activesupport (>= 3.2.0)
      json (>= 1.7)
      mime-types (>= 1.16)
-    celluloid (0.16.0)
-      timers (~> 4.0.0)
    chroma (0.0.1)
    chunky_png (1.3.4)
    cldr-plurals-runtime-rb (1.0.1)
@ -109,7 +107,7 @@ GEM
      sass-rails (<= 5.0.1)
      sprockets (< 2.13)
    concurrent-ruby (1.1.5)
-    connection_pool (2.2.0)
+    connection_pool (2.2.2)
    coveralls (0.8.16)
      json (>= 1.8, < 3)
      simplecov (~> 0.12.0)
@ -155,6 +153,8 @@ GEM
      multi_json
    equalizer (0.0.11)
    erubis (2.7.0)
+    et-orbi (1.2.1)
+      tzinfo
    eventmachine (1.0.9.1)
    execjs (2.7.0)
    faker (1.4.3)
@ -171,6 +171,9 @@ GEM
    forgery (0.6.0)
    friendly_id (5.1.0)
      activerecord (>= 4.0.0)
+    fugit (1.3.1)
+      et-orbi (~> 1.1, >= 1.1.8)
+      raabro (~> 1.1)
    globalid (0.4.2)
      activesupport (>= 4.2.0)
    has_secure_token (1.0.0)
@ -179,7 +182,6 @@ GEM
    hashery (2.1.2)
    hashie (3.5.7)
    hike (1.2.3)
-    hitimes (1.2.2)
    htmlentities (4.3.4)
    http (3.0.0)
      addressable (~> 2.3)
@ -289,6 +291,7 @@ GEM
    puma (3.10.0)
    pundit (1.0.0)
      activesupport (>= 3.0.0)
+    raabro (1.1.6)
    rack (1.6.11)
    rack-protection (1.5.5)
      rack
@ -336,9 +339,9 @@ GEM
    recurrence (1.3.0)
      activesupport
      i18n
-    redis (3.2.1)
-    redis-namespace (1.5.2)
-      redis (~> 3.0, >= 3.0.4)
+    redis (4.1.2)
+    redis-namespace (1.6.0)
+      redis (>= 3.0.4)
    ref (2.0.0)
    responders (2.1.0)
      railties (>= 4.2.0, < 5)
@ -358,8 +361,6 @@ GEM
    ruby-progressbar (1.7.5)
    ruby-rc4 (0.1.5)
    rubyzip (1.2.2)
-    rufus-scheduler (3.0.9)
-      tzinfo
    safe_yaml (1.0.4)
    sass (3.4.13)
    sass-rails (5.0.1)
@ -378,16 +379,14 @@ GEM
      activerecord (~> 4)
      activesupport (~> 4)
    sha3 (1.0.1)
-    sidekiq (3.3.4)
-      celluloid (>= 0.16.0)
-      connection_pool (>= 2.1.1)
-      json
-      redis (>= 3.0.6)
-      redis-namespace (>= 1.3.1)
-    sidekiq-cron (0.2.0)
-      rufus-scheduler (>= 2.0.24)
-      sidekiq (>= 2.17.3)
-      tilt (< 2.0.0)
+    sidekiq (5.2.7)
+      connection_pool (~> 2.2, >= 2.2.2)
+      rack (>= 1.5.0)
+      rack-protection (>= 1.5.0)
+      redis (>= 3.3.5, < 5)
+    sidekiq-cron (1.1.0)
+      fugit (~> 1.1)
+      sidekiq (>= 4.2.1)
    simple_oauth (0.3.1)
    simplecov (0.12.0)
      docile (~> 1.1.0)
@ -431,8 +430,6 @@ GEM
    thor (0.19.4)
    thread_safe (0.3.6)
    tilt (1.4.1)
-    timers (4.0.1)
-      hitimes
    tins (1.13.0)
    ttfunk (1.4.0)
    twitter (6.2.0)
@ -536,6 +533,7 @@ DEPENDENCIES
  rails_12factor
  rb-readline
  recurrence
+  redis-namespace
  responders (~> 2.0)
  rolify
  rubocop (~> 0.61.1)
@ -544,7 +542,7 @@ DEPENDENCIES
  sdoc (~> 0.4.0)
  seed_dump
  sha3
-  sidekiq
+  sidekiq (>= 3.4.2)
  sidekiq-cron
  sinatra
  spring
--- a/app/workers/open_api_trace_calls_count_worker.rb
+++ b/app/workers/open_api_trace_calls_count_worker.rb
@ -1,4 +1,4 @@
-class OpenAPITraceCallsCountWorker < ActiveJob::Base
+class OpenAPITraceCallsCountWorker < Sidekiq::Workers
  include Sidekiq::Worker
  sidekiq_options queue: 'default', retry: true