Bump netaddr gem to 1.5.3 to fix CVE-2019-17383

packages/director/packaging

@@ -22,6 +22,11 @@ pushd vendor/cache/eventmachine-* > /dev/null
   mv *.gem ../
 popd > /dev/null
 
+pushd vendor/cache/netaddr-rb-* > /dev/null
+  gem build netaddr.gemspec
+  mv *.gem ../
+popd > /dev/null
+
 cat > Gemfile <<EOF
 # Explicitly require vendored version to avoid requiring builtin json gem
 gem 'json', '2.6.1'

packages/director/spec

@@ -15,3 +15,4 @@ files:
 - vendor/cache/*.gem
 - vendor/cache/eventmachine-*/**
 - vendor/cache/extensions/**
+- vendor/cache/netaddr-rb-*/**

src/Gemfile

@@ -54,6 +54,7 @@ group :development, :test do
   gem 'rubocop-git'
 
   gem 'eventmachine', '~>1.3.0.dev.1', git: 'https://github.com/eventmachine/eventmachine', ref: 'abe34'
+  gem 'netaddr', '~>1.5.3.dev.1', git: 'https://github.com/dspinhirne/netaddr-rb', tag: '1.5.3'
 
   # for director
   gem 'machinist', '~>1.0'

src/Gemfile.lock

@@ -1,3 +1,10 @@
+GIT
+  remote: https://github.com/dspinhirne/netaddr-rb
+  revision: c7a7de39b7e1126aef11821f98970db18582948b
+  tag: 1.5.3
+  specs:
+    netaddr (1.5.3)
+
 GIT
   remote: https://github.com/eventmachine/eventmachine
   revision: abe347b824e36453f8a013fbe14323342a2ac8de
@@ -43,7 +50,7 @@ PATH
       logging (~> 2.2.2)
       membrane (~> 1.1.0)
       nats-pure (~> 0.6.2)
-      netaddr (~> 1.5.0)
+      netaddr (~> 1.5.3.dev.1)
       openssl
       prometheus-client (~> 1.0.0)
       puma
@@ -175,7 +182,6 @@ GEM
     mysql2 (0.5.3)
     nats-pure (0.6.2)
     net-ssh (5.2.0)
-    netaddr (1.5.1)
     netrc (0.11.0)
     nio4r (2.5.8)
     openssl (3.0.0)
@@ -318,6 +324,7 @@ DEPENDENCIES
   mysql2
   nats-pure (~> 0.6.2)
   net-ssh
+  netaddr (~> 1.5.3.dev.1)!
   openssl
   parallel_tests (~> 2.0)
   pg

src/bosh-director/bosh-director.gemspec

@@ -49,7 +49,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'membrane',         '~>1.1.0'
   spec.add_dependency 'nats-pure',        '~>0.6.2'
   spec.add_dependency 'openssl'
-  spec.add_dependency 'netaddr',          '~>1.5.0'
+  spec.add_dependency 'netaddr',          '~>1.5.3.dev.1'
   spec.add_dependency 'prometheus-client','~>1.0.0'
   spec.add_dependency 'puma'
   spec.add_dependency 'rack-test',        '~>0.6.2' # needed for console

src/vendor/cache/netaddr-rb-c7a7de39b7e1/Errors

@@ -0,0 +1,7 @@
+=Error Classes
+
+ +-Exception
+   +-StandardError
+     +-BoundaryError => CIDR or EUI is out of bounds for a valid address
+     +-ValidationError => CIDR or EUI failed validation checks
+     +-VersionError => CIDR or EUI is of improper version for requested operation

src/vendor/cache/netaddr-rb-c7a7de39b7e1/README.md

@@ -0,0 +1,9 @@
+# netaddr
+I originally created this package back in 2007 out of the need for a tool
+which I could use to track an inventory of constantly changing IP subnets.
+At the time, I was in the process of migrating away from Perl and towards Ruby
+as my primary scripting language. I have since migrated away from using Ruby so
+I have not made any major modifications to this code base since 2008 (aside from a 
+handful of bug fixes that others have pointed out).
+
+Dustin Spinhirne

src/vendor/cache/netaddr-rb-c7a7de39b7e1/changelog

@@ -0,0 +1,52 @@
+Version 1.5.2
+Changes:
+* bug fixes from: https://github.com/KirillSmirnov, https://github.com/rwhitworth, https://github.com/y13i
+
+Version 1.5.1
+Changes:
+* fixed bug with NetAddr#merge (credit to Daniel Boughton)
+
+
+Version 1.5.0
+Changes:
+* fixed bug with EUI48#to_eui64 (credit to Erik Kline)
+* fixed bug with u/l bit toggle on EUI#link_local (credit to Erik Kline)
+* added EUI#to_ipv6
+* added NetAddr#supernets
+
+
+Version 1.4.0
+Changes:
+* Added additional options to NetAddr#sort
+
+
+Version 1.3.0
+New Features:
+* added CIDR#[]
+* added CIDR#succ (CIDR objects may now be used as args for the standard Ruby Range class)
+* added CIDR#allocate_rfc3531
+* added CIDR#to_i
+* added CIDRv6.unique_local
+* added EUI48#to_eui64
+* added EUI#to_i
+* added EUI#to_s
+
+Changes:
+* deprecated 'packed' methods
+
+
+Version 1.2.0
+Changes:
+* CIDRv4#new and CIDRv6#new methods have been changed for the sake of speed improvements.
+  Please use the CIDR#create method instead.
+* changes to CIDR#wildcard_mask
+* bug fix with validate_eui method
+* bug fix with validate_ip_addr
+* bug fix and *vast* simplification of NetAddr.merge
+
+
+New Features:
+* speed improvements
+* added CIDR#set_wildcard_mask
+* added <=>, >, <, == methods to CIDR
+* NetAddr.merge now reports which CIDR addresses were used to create new summary addresses