update rubyzip #1766

Merged (1 commit), Sep 12, 2018

Conversation

@rhass rhass (Contributor) commented Sep 11, 2018

Appease CVE check that finds CVE-2017-5946:

The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.

rubyzip is brought into Supermarket as a dependency of license_finder, which is only present in a development environment. This CVE does not apply to the public Supermarket or to onprem installs using the Supermarket omnibus package.

This mitigates
[CVE-2017-5946](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5946).

Signed-off-by: Ryan Hass <rhass@users.noreply.github.com>
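The CVE text above describes the classic "zip slip" pattern: an archive entry whose name contains "../" (or an absolute path) is written outside the directory the application meant to extract into. The following is an added example, not rubyzip's or Supermarket's own code, of the check that a safe extractor performs before writing any entry. It uses only the Ruby standard library; the archive entry names in `SAMPLE_ENTRIES` are constructed for the example and are not real zip files.

```ruby
require 'fileutils'
require 'tmpdir'

# Constructed sample of entry names as they might appear in an archive listing,
# mapped to their contents. Two are benign, four would escape the destination.
SAMPLE_ENTRIES = {
  "docs/readme.txt"  => "hello",          # normal nested file
  "a/../b.txt"       => "inside",         # contains "..", but stays inside dest
  "../../etc/passwd" => "root:x:0:0",     # classic traversal
  "/etc/cron.d/job"  => "* * * * * root", # absolute path
  "../extract2/x"    => "sibling",        # prefix trick: /tmp/extract2 vs /tmp/extract
  "~/.bashrc"        => "alias ls=true",  # "~" is expanded to $HOME by expand_path
}.freeze

# Returns true only if entry_name, resolved against dest_dir, is dest_dir itself
# or something strictly beneath it. Nothing on disk is touched.
def safe_entry_path?(dest_dir, entry_name)
  # File.expand_path treats a leading "~" as a home-directory reference (and
  # raises for unknown users), so refuse such names before resolving them.
  return false if entry_name.start_with?('~')

  root   = File.expand_path(dest_dir)
  target = File.expand_path(entry_name, root) # collapses "..", resolves absolutes

  # The trailing separator matters: "/tmp/extract2/x" starts with "/tmp/extract"
  # but not with "/tmp/extract/", so a sibling directory is correctly rejected.
  target == root || target.start_with?(root + File::SEPARATOR)
end

# Extracts only the entries that pass the check. Returns [written, skipped].
def extract_entries(dest_dir, entries)
  written = []
  skipped = []
  entries.each do |name, content|
    unless safe_entry_path?(dest_dir, name)
      skipped << name
      next
    end
    target = File.expand_path(name, dest_dir)
    if name.end_with?('/')            # directory entry
      FileUtils.mkdir_p(target)
    else
      FileUtils.mkdir_p(File.dirname(target))
      File.binwrite(target, content)
    end
    written << name
  end
  [written, skipped]
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir('extract') do |dir|
    written, skipped = extract_entries(dir, SAMPLE_ENTRIES)
    puts "written: #{written.inspect}"
    puts "skipped: #{skipped.inspect}"
  end
end
```

The check is deliberately done on the resolved path rather than by searching the name for the substring "..", because a name such as `a/../b.txt` is harmless while a name with no ".." at all (an absolute path, or one starting with "~") is not. Resolving with `File.expand_path` against the destination and then testing the prefix with a trailing separator handles all of those cases uniformly.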
@rhass rhass requested a review from a team September 11, 2018 23:25
@robbkidd (Contributor) commented:

This also updates all gem deps to the latest releases available.

That's a bold strategy, Cotton. 😉

I can dig into why the supermarket test is trying to load puma. We're unicorns around here.

@robbkidd robbkidd changed the title Update gem dependencies update rubyzip Sep 12, 2018
@robbkidd robbkidd left a comment


high five

@robbkidd robbkidd merged commit 09fddda into master Sep 12, 2018
@robbkidd robbkidd deleted the rhass/update-rubyzip branch September 12, 2018 19:05
@tas50 tas50 added Aspect: Security Can an unwanted third party affect the stability or look at privileged information? Type: Chore non-critical maintenance of a project. and removed Security labels Jan 14, 2019