🚨 [security] Update json: 2.2.0 → 2.3.0 (minor)

[depfu]

---

🚨 Your version of json has known security vulnerabilities 🚨

Advisory: CVE-2020-10663
Disclosed: March 19, 2020
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Unsafe Object Creation Vulnerability in JSON (Additional fix)

When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn’t address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil).

See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary objects may cause severe security consequences depending upon the application code.

Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ json (indirect, 2.2.0 → 2.3.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 53 commits:

• v2.3.0
• Add some more recent jruby
• Make tests green on jruby
• Update travis config
• Ignore log files
• Merge pull request #391 from headius/prep_2.3.0
• Bump versions for 2.3.0.
• Merge pull request #390 from flori/relax-test-unit
• relax test-unit version for old ruby
• Merge branch 'zenspider-zenspider/ruby-2.7'
• Merge branch 'zenspider/ruby-2.7' of https://github.com/zenspider/json into zenspider-zenspider/ruby-2.7
• Merge pull request #388 from flori/backport-ruby-core
• Skip useless test
• Bump to test-unit 3 to get warnings cleaned up.
• Fix warning from trying to access an uninitialized ivar.
• Fix syntax warnings from tests.
• Minor cleanup for ruby 2.7 warnings and failures.
• Removed duplicate file
• Add NaN / Infinity / MinusInfinity to mark list
• ext/json/parser/prereq.mk: Add a "automatically generated" header
• ext/json/parser/parser.rl: Use "signed" char to contain negative values
• Add `GC.compact` again.
• ext/json/parser/parser.rl: Update the source code of parser.c
• Suppress uninitialized instance variable warnings
• Removed useless `freeze`s from gemspec files
• Drop fossil rubygems support
• Removed binary line
• Fix JSON::Parser against bigdecimal updates
• [flori/json] Fixed unexpected illegal/malformed utf-8 error
• Ignore warnings about ambiguous first argument of regexp with assert match.
• Make rb_scan_args handle keywords more similar to Ruby methods (#2460)
• Ignore warnings about ambiguous first argument with the negative integer.
• Remove unused constant.
• Look up constant instead of caching in a global
• Merge pull request #381 from olleolleolle/patch-1
• Gemspec: Drop EOL'd property rubyforge_project
• Recreate gemspecs
• Merge pull request #367 from sho-h/add-ascii_only-document
• Merge pull request #378 from olleolleolle/patch-1
• Remove RubyForge homepage reference
• Use newest rubygems
• Pass args all #to_json in json/add/*.
• Add LICENSE file
• Merge branch 'master' of github.com:flori/json
• Does not check whether illegal utf-8 if string has ascii only.
• Convert string encoding to UTF-8 only when needed
• Convert String encoding using `rb_str_encode()`
• Add shortcut converting to String
• Convert Hash object using rb_hash_foreach()
• Only attempt to resize strings not other objects
• Test on newer rubies
• Merge pull request #376 from olleolleolle/patch-1
• README: Docs at rubydoc.info, not on rubyforge

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)