Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security update: ruby-git #1419

Merged
merged 4 commits into from Jan 29, 2023
Merged

Security update: ruby-git #1419

merged 4 commits into from Jan 29, 2023

Conversation

manicmaniac
Copy link
Member

@manicmaniac manicmaniac commented Jan 28, 2023
edited

Addresses https://nvd.nist.gov/vuln/detail/CVE-2022-47318

ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-46648.

I think this issue doesn't affect on users in a regular use case.
But for someone who uses Danger and exposes internet-facing API that uses ruby-git, this PR could be helpful.

@orta
Copy link
Member

orta commented Jan 29, 2023

👍🏻

@orta orta merged commit 44fb49c into danger:master Jan 29, 2023
@mfechner
Copy link

@manicmaniac
Is there a special reason why it was set to 1.13.0 and not to 1.13, like it was before with 1.7?

@manicmaniac
Copy link
Member Author

@manicmaniac
Is there a special reason why it was set to 1.13.0 and not to 1.13, like it was before with 1.7?

I guess there is no special reason to do that.
Now I think it is better to set to 1.13.

@ainame ainame mentioned this pull request Apr 24, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@manicmaniac @orta @mfechner