I came across GHSA-qrgf-jqqm-x7xv which I think has incorrect information but would like to get that confirmed before I submit a change.
The details say "lib/dragonfly/imagemagickutils.rb in the fog-dragonfly gem 0.8.2 for Ruby allows remote attackers to execute arbitrary commands via unspecified vectors."
Firstly, there is a fog-dragonfly gem that has versions 0.8.1 & 0.8.2 published; it looks the same as the dragonfly gem and links to this repository, so I'm guessing it was mistakenly published under that name? If that is the case, would it be worth yanking the fog-dragonfly gem completely to avoid confusion?
Secondly, I can't find any reference to that specific CVE but the history mentions a few security changes in versions 0.8.4 and 0.8.5, followed by a refactor of the ImageMagick processors in v0.9.0. Am I right in thinking this should now be resolved at least in versions beyond v1?
Hi there - correct, I didn't publish fog-dragonfly so I don't have control over that (and I'm not sure why it's there, to be honest; it does look like a republish of a 10-year-old version of dragonfly).
These security problems are resolved, yes: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dragonfly+gem - you should use the latest version (1.4) - cheers