search

segiddins / segiddins.me

http://segiddins.me/
0 stars 0 forks source link

[Security] Bump ffi from 1.9.8 to 1.11.3 #29

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps ffi from 1.9.8 to 1.11.3. This update includes a security fix.

Vulnerabilities fixed *Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ffi/CVE-2018-1000201.yml).* > **ruby-ffi DDL loading issue on Windows OS** > ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be > hijacked on Windows OS, when a Symbol is used as DLL name instead of a String > This vulnerability appears to have been fixed in v1.9.24 and later. > > Patched versions: >= 1.9.24 > Unaffected versions: none
Changelog *Sourced from [ffi's changelog](https://github.com/ffi/ffi/blob/master/CHANGELOG.md).* > 1.11.3 / 2019-11-25 > ------------------- > > Removed: > * Remove support for tainted objects which cause deprecation warnings in ruby-2.7. [#730](https://github-redirect.dependabot.com/ffi/ffi/issues/730) > > > 1.11.2 / 2019-11-11 > ------------------- > > Added: > * Add DragonFlyBSD as a platform. [#724](https://github-redirect.dependabot.com/ffi/ffi/issues/724) > > Changed: > * Sort all types.conf files, so that files and changes are easier to compare. > * Regenerated type conf for freebsd12 and x86_64-linux targets. [#722](https://github-redirect.dependabot.com/ffi/ffi/issues/722) > * Remove MACOSX_DEPLOYMENT_TARGET that was targeting very old version 10.4. [#647](https://github-redirect.dependabot.com/ffi/ffi/issues/647) > * Fix library name mangling for non glibc Linux/UNIX. [#727](https://github-redirect.dependabot.com/ffi/ffi/issues/727) > * Fix compiler warnings raised by ruby-2.7 > * Update libffi to latest master. > > > 1.11.1 / 2019-05-20 > ------------------- > > Changed: > * Raise required ruby version to >=2.0. [#699](https://github-redirect.dependabot.com/ffi/ffi/issues/699), [#700](https://github-redirect.dependabot.com/ffi/ffi/issues/700) > * Fix a possible linker error on ruby < 2.3 on Linux. > > > 1.11.0 / 2019-05-17 > ------------------- > This version was yanked on 2019-05-20 to fix an install issue on ruby-1.9.3. [#700](https://github-redirect.dependabot.com/ffi/ffi/issues/700) > > Added: > * Add ability to disable or force use of system libffi. [#669](https://github-redirect.dependabot.com/ffi/ffi/issues/669) > Use like `gem inst ffi -- --enable-system-libffi` . > * Add ability to call FFI callbacks from outside of FFI call frame. [#584](https://github-redirect.dependabot.com/ffi/ffi/issues/584) > * Add proper documentation to FFI::Generator and ::Task > * Add gemspec metadata. [#696](https://github-redirect.dependabot.com/ffi/ffi/issues/696), [#698](https://github-redirect.dependabot.com/ffi/ffi/issues/698) > > Changed: > * Fix stdcall on Win32. [#649](https://github-redirect.dependabot.com/ffi/ffi/issues/649), [#669](https://github-redirect.dependabot.com/ffi/ffi/issues/669) > * Fix load paths for FFI::Generator::Task > * Fix FFI::Pointer#read_string(0) to return a binary String. [#692](https://github-redirect.dependabot.com/ffi/ffi/issues/692) > * Fix benchmark suite so that it runs on ruby-2.x > * Move FFI::Platform::CPU from C to Ruby. [#663](https://github-redirect.dependabot.com/ffi/ffi/issues/663) > * Move FFI::StructByReference to Ruby. [#681](https://github-redirect.dependabot.com/ffi/ffi/issues/681) > * Move FFI::DataConverter to Ruby ([#661](https://github-redirect.dependabot.com/ffi/ffi/issues/661)) > * Various cleanups and improvements of specs and benchmarks > ... (truncated)
Commits - [`6ea465e`](https://github.com/ffi/ffi/commit/6ea465efa2d79708035463fa54456fa6744a7e34) Bump VERSION to 1.11.3 - [`418e2b3`](https://github.com/ffi/ffi/commit/418e2b3bf0db859eb0e754a573bcca435054b5ef) Prepare CHANGELOG for 1.11.3 - [`b924884`](https://github.com/ffi/ffi/commit/b9248848ad52893ffe1ad0ac6e97f207b0119346) Merge branch 'y-yagi-remove_taint_support' - [`7ce0a9a`](https://github.com/ffi/ffi/commit/7ce0a9adee3212c0beac42ca7bd6b07aa97bdb90) Remove taint support - [`a0386c8`](https://github.com/ffi/ffi/commit/a0386c8e334697cbccbc8db74c2587934e341900) Update CHANGELOG [ci skip] - [`4c8051e`](https://github.com/ffi/ffi/commit/4c8051ecc963caadb8864a5ddf8d3fba76db3949) Update libffi to latest master - [`8121e6f`](https://github.com/ffi/ffi/commit/8121e6fd84e90782534e6f7fc7ce7b80258126bd) Update CHANGELOG for 1.11.2 - [`1b64c01`](https://github.com/ffi/ffi/commit/1b64c011496172e22daf29ed88f570faa29a6ceb) Bump VERSION to 1.11.2 - [`d18826d`](https://github.com/ffi/ffi/commit/d18826d2501368ffcf13dc7d8b2956bcf95cdf51) Merge pull request [#722](https://github-redirect.dependabot.com/ffi/ffi/issues/722) from adam12/regenerate-freebsd12-types - [`7f909c2`](https://github.com/ffi/ffi/commit/7f909c2245a4406c3f39d81b856c1d4bfdd4f365) Fix library name mangling for non glibc Linux/UNIX - Additional commits viewable in [compare view](https://github.com/ffi/ffi/compare/1.9.8...1.11.3)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)
dependabot-preview[bot] commented 4 years ago

Superseded by #31.