[security] release updated version of padrino-mailer which requires mail ~> 2.4.4 or higher #1083

Closed
postmodern opened this Issue Feb 26, 2013 · 10 comments

4 participants
Contributor

postmodern commented Feb 26, 2013

padrino-mailer is locked to mail ~> 2.3.0. Versions below 2.4.4 of the mail gem are vulnerable to CVE-2012-2139 and CVE-2012-2140.

@ghost ghost assigned DAddYE Feb 27, 2013

DAddYE Feb 27, 2013

Member

Thanks man! I'll take care of it

postmodern Feb 27, 2013

Contributor

Caught by bundler-audit :)

hooopo Feb 27, 2013

Contributor

@postmodern Awesome!

postmodern Feb 27, 2013

Contributor

I highly suggest using ~> X.Y dependencies, otherwise you'll constantly have to bump the version requirements. Also you can specify multiple version requirements:

s.add_dependency 'mail', '~> 2.4', '>= 2.4.4'
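To make the difference between the constraints concrete, here is an added example (not code from this thread or from the Padrino project) that uses rubygems' Gem::Requirement to check which versions from a constructed sample list each constraint admits: the ~> 2.3.0 lock, a bare >= 2.4.4, and the combined form suggested in the comment above. The version list and the 2.4.4 fix threshold are constructed from the thread, not queried from RubyGems.

```ruby
require "rubygems"

# Constructed sample of mail gem release versions spanning the vulnerable
# and fixed ranges; 2.4.4 is the first release the thread names as fixed.
MAIL_VERSIONS = %w[2.3.0 2.3.3 2.4.0 2.4.3 2.4.4 2.5.3 3.0.0].freeze
FIRST_FIXED = Gem::Version.new("2.4.4")

# Return the versions from +versions+ that satisfy all of the requirement
# strings (same syntax that add_dependency accepts in a gemspec).
def matching_versions(versions, *requirements)
  req = Gem::Requirement.new(*requirements)
  versions.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# True when every version the constraint can resolve to is at or above
# the first fixed release. An unresolvable constraint (no matches) is
# reported as unsafe rather than vacuously safe.
def excludes_vulnerable?(versions, *requirements)
  matches = matching_versions(versions, *requirements)
  return false if matches.empty?
  matches.all? { |v| Gem::Version.new(v) >= FIRST_FIXED }
end

# True when the constraint can resolve across a major version boundary,
# which is the compatibility risk of a bare ">=" requirement.
def spans_major_versions?(versions, *requirements)
  majors = matching_versions(versions, *requirements).map { |v| Gem::Version.new(v).segments.first }
  majors.uniq.size > 1
end

if $PROGRAM_NAME == __FILE__
  { "padrino-mailer lock" => ["~> 2.3.0"],
    "bare >= 2.4.4"       => [">= 2.4.4"],
    "combined ~> and >="  => ["~> 2.4", ">= 2.4.4"] }.each do |label, reqs|
    admitted = matching_versions(MAIL_VERSIONS, *reqs)
    puts format("%-20s %-18s admits %-22s safe=%-5s spans_majors=%s",
                label, reqs.join(", "), admitted.join(" "),
                excludes_vulnerable?(MAIL_VERSIONS, *reqs),
                spans_major_versions?(MAIL_VERSIONS, *reqs))
  end
end
```

Run it to see that only the combined constraint both excludes every version below 2.4.4 and stays within the 2.x line.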
DAddYE Feb 27, 2013

Member

Thanks @postmodern, starred ;) I've tried to use >= but several times a minor version bump broke compatibility. So I started to lock on patch level since my hope was that it is enough to fix security problems ...

nesquena Mar 10, 2013

Member

Alright, the dependency for mail was fixed. Going to close this, glad we got that updated.

@nesquena nesquena closed this Mar 10, 2013

postmodern Mar 10, 2013

Contributor

Will there be a patch-level release or is the Padrino team aiming for 1.0.0?

postmodern Mar 10, 2013

Contributor

Ah, never mind, looks like you are targeting 0.11.0.

nesquena Mar 10, 2013

Member

We are aiming right now for 0.11.0. I know we are not currently following semver perfectly but that will improve when we hit 1.0. Right now a 0.X.0 is reserved for substantial or breaking releases.

nesquena Mar 11, 2013

Member

In my mind I see the roadmap as 0.11.0, 0.11.X and then a 0.12.X series which will be the bridge towards our 1.0 prerelease. Obviously open to discussion, but that's how I am currently hoping to see it play out. We have come a long way in 0.11.0 (probably too far without a release). I am updating the changelog and preparing a blog post for it now.
