From 35b9be594a0801bcad93474d6522ff617c817086 Mon Sep 17 00:00:00 2001
From: Yann Lugrin
Date: Tue, 5 Sep 2023 10:35:00 +0200
Subject: [PATCH 1/3] Update rake require to version 12.3.3

There is an OS command injection vulnerability in Ruby Rake before 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |.
---
 capdrupal.gemspec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/capdrupal.gemspec b/capdrupal.gemspec
index 98c857c..a6d24ec 100644
--- a/capdrupal.gemspec
+++ b/capdrupal.gemspec
@@ -25,5 +25,5 @@ Gem::Specification.new do |spec|
 spec.add_dependency 'capistrano-composer', '~> 0.0.6'
 
 spec.add_development_dependency 'bundler', '~> 2.0'
- spec.add_development_dependency 'rake', '~> 10.0.0'
+ spec.add_development_dependency 'rake', '>= 12.3.3'
 end

From a83138fc01d88d8eb7aa20c5a3b0ba4d214393c7 Mon Sep 17 00:00:00 2001
From: Yann Lugrin
Date: Tue, 5 Sep 2023 13:24:53 +0200
Subject: [PATCH 2/3] Remove rake dependency

Already in capistrano dependencies
---
 capdrupal.gemspec | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/capdrupal.gemspec b/capdrupal.gemspec
index a6d24ec..98ea9e0 100644
--- a/capdrupal.gemspec
+++ b/capdrupal.gemspec
@@ -3,7 +3,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
 spec.name = 'capdrupal'
- spec.version = '3.0.4'
+ spec.version = '3.0.5'
 spec.authors = ['Kevin Wenger', 'Yann Lugrin', 'Gilles Doge', 'Toni Fisler', 'Simon Perdrisat', 'Robert Wohleb', 'Kim Pepper']
 spec.email = ['hello@antistatique.net']
 
@@ -25,5 +25,4 @@ Gem::Specification.new do |spec|
 spec.add_dependency 'capistrano-composer', '~> 0.0.6'
 
 spec.add_development_dependency 'bundler', '~> 2.0'
- spec.add_development_dependency 'rake', '>= 12.3.3'
 end

From 9c43b1b08da80e4220ccaf1fc13b8ecd27bd2a71 Mon Sep 17 00:00:00 2001
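Review bot: Removing the `rake` development dependency in the last hunk of PATCH 2 also removes the `>= 12.3.3` floor that PATCH 1 introduced for the Rake::FileList issue described in its message, so after this series nothing in capdrupal.gemspec expresses that constraint. Leaving rake to come in transitively through capistrano only helps if capistrano's own requirement excludes the affected versions; as far as I know capistrano 3 declares a looser `>= 10.0.0` floor, so a resolver could still select a pre-12.3.3 rake for this project's development bundle — worth confirming against Gemfile.lock. Because the line was `add_development_dependency`, neither PATCH 1 nor PATCH 2 changes what consumers of the gem resolve, so the PATCH 3 changelog entry "Remove `rake` dependency following security issue" overstates the effect. If the intent is to guarantee a patched rake for local development, keep `spec.add_development_dependency 'rake', '>= 12.3.3'` (or pin it in the Gemfile) rather than relying on the transitive requirement.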
From: Yann Lugrin
Date: Tue, 5 Sep 2023 13:26:42 +0200
Subject: [PATCH 3/3] Prepare release

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 899146e..7ae0f36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@ ## NEXT RELEASE +## 3.0.5 (2023-09-05) + - Remove `rake` dependency following security issue (to follow capitrano requirement) + ## 3.0.4 (2023-04-25) - add command `drupal:security:obscurity:files` to obfuscate Drupal sensitive files by deletion - add command `drupal:security:obscurity:htaccess` to obfuscate Drupal sensitive files by htaccess