
Update Bundler version to 2.2.33

Gerard Hickey requested to merge 332502_update_bundler into master

Context

For investigation: is there somewhere we define the version of bundler to be installed/used? If so, we might need to update it to resolve this CVE. At least according to the Gemfile.lock, we have recently bundled with a version (2.1.4) of bundler that is vulnerable to CVE-2020-36327:

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.

Solution

Upgrade the required Bundler version to >= 2.2.18

Closes gitlab-org/gitlab#332502

Edited by Gerard Hickey
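The investigation question above (which Bundler version is actually recorded for the project) can be answered mechanically from the `BUNDLED WITH` section of Gemfile.lock. The following Ruby script is an added example for this page, not code from the merge request or from GitLab's repository: it parses that section, tests the version against the two ranges quoted from CVE-2020-36327, and then against the >= 2.2.18 floor this MR introduces. The sample lockfile embedded in it is constructed for the example and pinned to the 2.1.4 the description mentions; the function names are this example's own. Note the caveat a reviewer would raise: `BUNDLED WITH` only records the Bundler that last wrote the lockfile, so a passing check here says nothing about which Bundler CI or a developer's machine actually installs, and the version pinned in the build image or `gem install bundler -v` invocation has to be checked separately.

```ruby
require "rubygems"

# Vulnerable ranges exactly as quoted from CVE-2020-36327 in the MR description:
# Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 (inclusive).
VULNERABLE_RANGES = [
  [Gem::Version.new("1.16.0"), Gem::Version.new("2.2.9")],
  [Gem::Version.new("2.2.11"), Gem::Version.new("2.2.16")],
].freeze

# Floor required by this MR's solution section.
MIN_SAFE_BUNDLER = Gem::Version.new("2.2.18")

# Extract the version recorded under "BUNDLED WITH" in a Gemfile.lock body.
# Returns nil when the section is absent (older lockfiles omit it entirely).
def bundled_with_version(lockfile_text)
  match = lockfile_text.match(/^BUNDLED WITH\n[ \t]+(\S+)/)
  match && Gem::Version.new(match[1])
end

# True when the version falls inside one of the CVE's affected ranges.
def vulnerable_to_cve_2020_36327?(version)
  VULNERABLE_RANGES.any? { |lo, hi| version >= lo && version <= hi }
end

# Classify a lockfile body as :missing, :vulnerable, :below_minimum or :ok.
# :below_minimum covers versions outside the CVE ranges (e.g. 2.2.10, 2.2.17)
# that still do not meet the >= 2.2.18 floor the MR sets.
def check_lockfile(lockfile_text)
  version = bundled_with_version(lockfile_text)
  return :missing if version.nil?
  return :vulnerable if vulnerable_to_cve_2020_36327?(version)
  return :below_minimum if version < MIN_SAFE_BUNDLER

  :ok
end

# Constructed sample lockfile for this example (not GitLab's real Gemfile.lock),
# recording the 2.1.4 Bundler the MR description says was recently used.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake

  BUNDLED WITH
     2.1.4
LOCK

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_bundler.rb [path/to/Gemfile.lock]; defaults to the sample.
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCKFILE
  puts "#{path || 'sample lockfile'}: #{check_lockfile(text)}"
end
```

Running it against a real checkout (`ruby check_bundler.rb Gemfile.lock`) gives a quick triage answer, but the `:ok` result should be confirmed by also checking what `bundle -v` reports in the CI image, since that is the Bundler that performs the source selection the CVE describes.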
