From 16cef4c14c455c4b7407e0e44b0b7fc7e9c9ab8a Mon Sep 17 00:00:00 2001 From: Robb Kidd Date: Tue, 21 Aug 2018 12:11:41 -0400 Subject: [PATCH] use an updated OpenSSL by updating omnibus & omnibus-software This will pull in the new OpenSSL default version of 1.0.2p which addresses two CVEs. * Client DoS due to large DH parameter (CVE-2018-0732) * Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) Both of these CVEs are categorized as Low by the OpenSSL project. Neither is particularly relevant to Supermarket's business processes. Updating to this version will quiet vulnerability scanners. Signed-off-by: Robb Kidd --- omnibus/Gemfile.lock | 190 +++++++++++++++++-------------------------- 1 file changed, 76 insertions(+), 114 deletions(-) diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock index 8b4ae8a62..ab9e0f726 100644 --- a/omnibus/Gemfile.lock +++ b/omnibus/Gemfile.lock @@ -1,6 +1,6 @@ GIT remote: https://github.com/chef/omnibus-software.git - revision: 0cb3a8dfb6cebd56684c1d4609a676959389e4c5 + revision: 3511a7f7d237bf6875dce88e8627055d6cd61cbe specs: omnibus-software (4.0.0) chef-sugar (>= 3.4.0) @@ -8,17 +8,17 @@ GIT GIT remote: https://github.com/chef/omnibus.git - revision: 41c5d2eaa819587b631d893e613612a96031c8af + revision: 386cd17f6a6365bd4585761a2738b4561fbaea97 specs: - omnibus (5.6.10) + omnibus (6.0.1) aws-sdk (~> 2) - chef-sugar (~> 3.3) + chef-sugar (>= 3.3) cleanroom (~> 1.0) ffi-yajl (~> 2.2) license_scout (~> 1.0) mixlib-shellout (~> 2.0) mixlib-versioning - ohai (>= 8.6.0.alpha.1, < 15) + ohai (>= 13, < 15) pedump ruby-progressbar (~> 1.7) thor (~> 0.18) 
@@ -29,63 +29,49 @@ GEM addressable (2.5.2) public_suffix (>= 2.0.2, < 4.0) awesome_print (1.8.0) - aws-sdk (2.11.27) - aws-sdk-resources (= 2.11.27) - aws-sdk-core (2.11.27) + aws-sdk (2.11.112) + aws-sdk-resources (= 2.11.112) + aws-sdk-core (2.11.112) aws-sigv4 (~> 1.0) jmespath (~> 1.0) - aws-sdk-resources (2.11.27) - aws-sdk-core (= 2.11.27) - aws-sigv4 (1.0.2) - berkshelf (6.3.1) - buff-config (~> 2.0) - buff-extensions (~> 2.0) - chef (>= 12.7.2) + aws-sdk-resources (2.11.112) + aws-sdk-core (= 2.11.112) + aws-sigv4 (1.0.3) + berkshelf (7.0.6) + chef (>= 13.6.52) + chef-config cleanroom (~> 1.0) concurrent-ruby (~> 1.0) - faraday (~> 0.9) - httpclient (~> 2.7) - minitar (~> 0.5, >= 0.5.4) + minitar (>= 0.6) mixlib-archive (~> 0.4) + mixlib-config (>= 2.2.5) mixlib-shellout (~> 2.0) octokit (~> 4.0) retryable (~> 2.0) - ridley (~> 5.0) solve (~> 4.0) - thor (~> 0.19, < 0.19.2) - buff-config (2.0.0) - buff-extensions (~> 2.0) - varia_model (~> 0.6) - buff-extensions (2.0.0) - buff-ignore (1.2.0) - buff-ruby_engine (1.0.0) - buff-shell_out (1.1.0) - buff-ruby_engine (~> 1.0) + thor (>= 0.20) builder (3.2.3) - celluloid (0.16.0) - timers (~> 4.0.0) - celluloid-io (0.16.2) - celluloid (>= 0.16.0) - nio4r (>= 1.1.0) - chef (12.21.31) + chef (14.3.37) addressable bundler (>= 1.10) - chef-config (= 12.21.31) - chef-zero (>= 4.8, < 13) + chef-config (= 14.3.37) + chef-zero (>= 13.0) diff-lcs (~> 1.2, >= 1.2.4) erubis (~> 2.7) + ffi (~> 1.9, >= 1.9.25) ffi-yajl (~> 2.2) highline (~> 1.6, >= 1.6.9) iniparse (~> 1.4) + iso8601 (~> 0.9.1) mixlib-archive (~> 0.4) - mixlib-authentication (~> 1.4) + mixlib-authentication (~> 2.1) mixlib-cli (~> 1.7) - mixlib-log (~> 1.3) + mixlib-log (~> 2.0, >= 2.0.3) mixlib-shellout (~> 2.0) net-sftp (~> 2.1, >= 2.1.2) - net-ssh (>= 2.9, < 5.0) + net-ssh (~> 4.2) net-ssh-multi (~> 1.2, >= 1.2.1) - ohai (>= 8.6.0.alpha.1, < 13) + ohai (~> 14.0) plist (~> 3.2) proxifier (~> 1.0) rspec-core (~> 3.5) 
@@ -96,16 +82,17 @@ GEM specinfra (~> 2.10) syslog-logger (~> 1.6) uuidtools (~> 2.1.5) - chef-config (12.21.31) + chef-config (14.3.37) addressable fuzzyurl - mixlib-config (~> 2.0) + mixlib-config (>= 2.2.12, < 3.0) mixlib-shellout (~> 2.0) - chef-sugar (3.6.0) - chef-zero (5.3.2) + tomlrb (~> 1.2) + chef-sugar (4.1.0) + chef-zero (14.0.6) ffi-yajl (~> 2.2) hashie (>= 2.0, < 4.0) - mixlib-log (~> 1.3) + mixlib-log (~> 2.0) rack (~> 2.0) uuidtools (~> 2.1) citrus (3.0.2) @@ -113,9 +100,9 @@ GEM concurrent-ruby (1.0.5) diff-lcs (1.3) erubis (2.7.0) - faraday (0.14.0) + faraday (0.15.2) multipart-post (>= 1.2, < 3) - ffi (1.9.23) + ffi (1.9.25) ffi-yajl (2.3.1) libyajl2 (~> 1.2) fuzzyurl (0.9.0) @@ -123,19 +110,18 @@ GEM ffi (>= 1.0.1) gyoku (1.3.1) builder (>= 2.1.2) - hashie (3.5.7) + hashie (3.6.0) highline (1.7.10) - hitimes (1.2.6) httpclient (2.8.3) iniparse (1.4.4) iostruct (0.0.4) ipaddress (0.8.3) - jmespath (1.3.1) - json (2.1.0) - kitchen-vagrant (1.3.0) + iso8601 (0.9.1) + jmespath (1.4.0) + kitchen-vagrant (1.3.3) test-kitchen (~> 1.4) libyajl2 (1.2.0) - license_scout (1.0.1) + license_scout (1.0.15) ffi-yajl (~> 2.2) mixlib-shellout (~> 2.2) toml-rb (~> 1.0) @@ -144,20 +130,20 @@ GEM little-plugger (~> 1.1) multi_json (~> 1.10) minitar (0.6.1) - mixlib-archive (0.4.1) + mixlib-archive (0.4.13) mixlib-log - mixlib-authentication (1.4.2) + mixlib-authentication (2.1.1) mixlib-cli (1.7.0) - mixlib-config (2.2.6) + mixlib-config (2.2.13) tomlrb - mixlib-install (3.9.0) + mixlib-install (3.11.5) mixlib-shellout mixlib-versioning thor - mixlib-log (1.7.1) - mixlib-shellout (2.3.2) + mixlib-log (2.0.4) + mixlib-shellout (2.4.0) mixlib-versioning (1.2.2) - molinillo (0.6.4) + molinillo (0.6.6) multi_json (1.13.1) multipart-post (2.0.0) net-scp (1.2.1) 
@@ -170,19 +156,18 @@ GEM net-ssh-multi (1.2.1) net-ssh (>= 2.6.5) net-ssh-gateway (>= 1.2.0) - net-telnet (0.1.1) - nio4r (2.2.0) + net-telnet (0.2.0) nori (2.6.0) - octokit (4.8.0) + octokit (4.10.0) sawyer (~> 0.8.0, >= 0.5.3) - ohai (8.26.1) - chef-config (>= 12.5.0.alpha.1, < 14) + ohai (14.4.0) + chef-config (>= 12.8, < 15) ffi (~> 1.9) ffi-yajl (~> 2.2) ipaddress - mixlib-cli + mixlib-cli (>= 1.7.0) mixlib-config (~> 2.0) - mixlib-log (>= 1.7.1, < 2.0) + mixlib-log (~> 2.0, >= 2.0.1) mixlib-shellout (~> 2.0) plist (~> 3.1) systemu (~> 2.6.4) 
@@ -194,49 +179,31 @@ GEM progressbar zhexdump (>= 0.0.2) plist (3.4.0) - progressbar (1.9.0) + progressbar (1.10.0) proxifier (1.0.3) - public_suffix (3.0.2) - rack (2.0.3) + public_suffix (3.0.3) + rack (2.0.5) retryable (2.0.4) - ridley (5.1.1) - addressable - buff-config (~> 2.0) - buff-extensions (~> 2.0) - buff-ignore (~> 1.2) - buff-shell_out (~> 1.0) - celluloid (~> 0.16.0) - celluloid-io (~> 0.16.1) - chef-config (>= 12.5.0) - erubis - faraday (~> 0.9) - hashie (>= 2.0.2, < 4.0.0) - httpclient (~> 2.7) - json (>= 1.7.7) - mixlib-authentication (>= 1.3.0) - retryable (~> 2.0) - semverse (~> 2.0) - varia_model (~> 0.6) - rspec (3.7.0) - rspec-core (~> 3.7.0) - rspec-expectations (~> 3.7.0) - rspec-mocks (~> 3.7.0) - rspec-core (3.7.1) - rspec-support (~> 3.7.0) - rspec-expectations (3.7.0) + rspec (3.8.0) + rspec-core (~> 3.8.0) + rspec-expectations (~> 3.8.0) + rspec-mocks (~> 3.8.0) + rspec-core (3.8.0) + rspec-support (~> 3.8.0) + rspec-expectations (3.8.1) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.7.0) + rspec-support (~> 3.8.0) rspec-its (1.2.0) rspec-core (>= 3.0.0) rspec-expectations (>= 3.0.0) - rspec-mocks (3.7.0) + rspec-mocks (3.8.0) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.7.0) - rspec-support (3.7.0) + rspec-support (~> 3.8.0) + rspec-support (3.8.0) rspec_junit_formatter (0.2.3) builder (< 4) rspec-core (>= 2, < 4, != 2.12.0) - ruby-progressbar (1.9.0) + ruby-progressbar (1.10.0) rubyntlm (0.6.2) rubyzip (1.2.1) sawyer (0.8.1) 
@@ -252,33 +219,28 @@ GEM solve (4.0.0) molinillo (~> 0.6) semverse (>= 1.1, < 3.0) - specinfra (2.73.1) + specinfra (2.76.0) net-scp - net-ssh (>= 2.7, < 5.0) + net-ssh (>= 2.7) net-telnet sfl syslog-logger (1.6.8) systemu (2.6.5) - test-kitchen (1.20.0) + test-kitchen (1.23.2) mixlib-install (~> 3.6) mixlib-shellout (>= 1.2, < 3.0) net-scp (~> 1.1) net-ssh (>= 2.9, < 5.0) net-ssh-gateway (~> 1.2) - thor (~> 0.19, < 0.19.2) + thor (~> 0.19) winrm (~> 2.0) winrm-elevated (~> 1.0) - winrm-fs (~> 1.1.0) - thor (0.19.1) - timers (4.0.4) - hitimes - toml-rb (1.1.1) + winrm-fs (~> 1.1) + thor (0.20.0) + toml-rb (1.1.2) citrus (~> 3.0, > 3.0) - tomlrb (1.2.6) + tomlrb (1.2.7) uuidtools (2.1.5) - varia_model (0.6.0) - buff-extensions (~> 2.0) - hashie (>= 2.0.2, < 4.0.0) winrm (2.2.3) builder (>= 2.1.2) erubis (~> 2.7) @@ -291,7 +253,7 @@ GEM winrm-elevated (1.1.0) winrm (~> 2.0) winrm-fs (~> 1.0) - winrm-fs (1.1.1) + winrm-fs (1.2.1) erubis (~> 2.7) logging (>= 1.6.1, < 3.0) rubyzip (~> 1.1)