Update RedCloth to 4.3.2 for CVE-2012-6684
What does this MR do?
To fix XSS (CVE-2012-6684), upgrade RedCloth to 4.3.2.
Are there points in the code the reviewer needs to double check?
No.
Why was this MR needed?
A security vulnerability in RedCloth (CVE-2012-6684) should be fixed to provide GitLab as secure software.
What are the relevant issue numbers?
Closes #19169 (closed)
cf. !2037 (merged), !2071 (merged)
Does this MR meet the acceptance criteria?
- CHANGELOG entry added
- [n/a] Documentation created/updated
- [n/a] API support added
- Tests
  - [n/a] Added for this feature/bug
- All builds are passing
- Conform by the style guides
- Branch has no merge conflicts with master (if you do - rebase it please)
- Squashed related commits together
Activity
Marked the task CHANGELOG entry added as completed
Marked the task Squashed related commits together as completed
Marked the task Conform by the style guides as completed
Note: the original PR was accepted on 2016-04-30, while @dzaporozhets's PR was finally rejected then.
Added gem update ~14106 labels
@stanhu patch release?
Milestone changed to %8.9
@stanhu what is next step here?
I think we should target this for 8.9.5. Do we need to backport?
/cc: @rspeicher
@tnir Can you rebase master and bump the CHANGELOG to 8.9.5?
OMG finally.
> I think we should target this for 8.9.5. Do we need to backport?
@stanhu Agreed about 8.9.5. I'm not too concerned about backporting -- this gem has been vulnerable for as long as I can remember. WDYT?
Added 262 commits:
- f704db5a...fc3402b7 - 260 commits from branch gitlab-org:master
- b6863388 - Update RedCloth to 4.3.2 for CVE-2012-6684
- a034374f - Update CHANGELOG