Closed shubhamshinde360 closed 1 month ago
Ran impacted projects for all applicable platforms:
agent-runtime-7.x: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3109/
solaris-11-sparc failed due to xz package version getting updated upstream. It passes here: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3111/
pe-bolt-server-runtime-main: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3110/
We will be upgrading to ruby 3.2.5 to address the CVEs in main. This PR addresses the CVEs in 7.x.
It looks good to me. Though somewhat unrelated to your PR, why does pe-bolt-server-runtime include the rexml gem component? It's a bundled gem in ruby 3.2, so it seems unnecessary to add it explicitly.
Ah, it looks like it was added in f29521d39779b8f6f38575e5962034ba56e7eb93 in order to be compatible with JRuby 9.4. So we'll need to get approval from skeletor to merge this.
If it's ok to bump rexml for pe-bolt-server-runtime-main, could you update your commit message?
If we don't want to bump rexml for pe-bolt-server-runtime-main, then we should allow the version to be passed in. Have it default to the latest version and update pe-bolt-server-runtime-main to pass in the older version. Note how we override rubygem_deep_merge_version in some projects.
…CVE-2024-39908 in 7.x