Merge pull request #2371 from cloudfoundry/bump-json

Bump json gem for CVE-2020-10663

packages/director/packaging

@@ -24,7 +24,7 @@ popd > /dev/null
 
 cat > Gemfile <<EOF
 # Explicitly require vendored version to avoid requiring builtin json gem
-gem 'json', '2.3.0'
+gem 'json', '2.6.1'
 
 gem 'bosh-director'
 gem 'mysql2'

packages/health_monitor/packaging

@@ -6,7 +6,7 @@ source /var/vcap/packages/ruby-3.1.0-r0.81.0/bosh/compile.env
 
 cat > Gemfile <<EOF
 # Explicitly require vendored version to avoid requiring builtin json gem
-gem 'json', '2.3.0'
+gem 'json', '2.6.1'
 gem 'bosh-monitor'
 EOF
 

src/Gemfile

@@ -11,9 +11,9 @@ gem 'bosh_common', path: 'bosh_common'
 
 gem 'rake', '~>13.0.3'
 
-# json version is hardcoded in release director, health_monitor and registry packages
+# json version is hardcoded in release director and health_monitor
 # when modified needs to be updated there as well
-gem 'json', '=2.3.0'
+gem 'json', '=2.6.1'
 
 gem 'talentbox-delayed_job_sequel', '~>4.3'
 

src/Gemfile.lock

@@ -155,7 +155,7 @@ GEM
     i18n (1.8.2)
       concurrent-ruby (~> 1.0)
     jaro_winkler (1.5.4)
-    json (2.3.0)
+    json (2.6.1)
     little-plugger (1.1.4)
     logging (2.2.2)
       little-plugger (~> 1.1)
@@ -312,7 +312,7 @@ DEPENDENCIES
   factory_bot (~> 6.2)
   fakefs
   httpclient
-  json (= 2.3.0)
+  json (= 2.6.1)
   machinist (~> 1.0)
   minitar
   mysql2