matt-glover
Contributor

Related to #245 but this is for the 4.1 line.

The old version constraint considered version 4.1.15 vulnerable to security issues patched in 4.1.14.1 or 4.1.14.2. Changed it to treat everything newer than 4.1.14 in the 4.1 line as patched.

Prior version constraint considered version 4.1.15 vulnerable to
security issues patched in 4.1.14.1 or 4.1.14.2. Changed to treat
everything newer than 4.1.14 in the 4.1 line as patched.
- "~> 5.0.0.beta1.1"
- "~> 4.2.5.1"
- "~> 4.1.14.1"
- "~> 4.1.14, >= 4.1.14.1"
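Review bot: the `~> 4.2.5.1` entry left in this list has the same single-clause shape as the `~> 4.1.14.1` entry being replaced, so it only admits 4.2.5.x releases and a later 4.2.6 would be reported as unpatched. Unless another change already handles the 4.2 line for this advisory, consider writing it as `~> 4.2.5, >= 4.2.5.1` here as well.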
Contributor Author

I am assuming this is the correct syntax for a two-part constraint based on previous use here. A test run of bundler-audit seemed happy with the syntax.

Member

@matt-glover yep! bundler-audit splits by ,.
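
The effect of the old and new 4.1 entries, as an added example that is not code from this pull request or from bundler-audit. It evaluates both `patched_versions` lists with RubyGems' `Gem::Requirement`; the helper names and the sample version list are assumptions made for illustration, and the comma split models the behaviour described in the reply above.

```ruby
require "rubygems"

# patched_versions entries as shown in the diff, before and after the change.
OLD_PATCHED = ["~> 5.0.0.beta1.1", "~> 4.2.5.1", "~> 4.1.14.1"].freeze
NEW_PATCHED = ["~> 5.0.0.beta1.1", "~> 4.2.5.1", "~> 4.1.14, >= 4.1.14.1"].freeze

# Constructed sample of Rails versions around the 4.1.14.x security releases.
SAMPLE_VERSIONS = %w[4.1.14 4.1.14.1 4.1.14.2 4.1.15 4.1.16 4.2.0].freeze

# Hypothetical helper: build one requirement from an advisory entry.
# A two-part entry is split on the comma, and every clause must hold.
def requirement_for(entry)
  Gem::Requirement.new(*entry.split(",").map(&:strip))
end

# Hypothetical helper: a version is patched if any entry in the list matches.
def patched?(entries, version)
  v = Gem::Version.new(version)
  entries.any? { |entry| requirement_for(entry).satisfied_by?(v) }
end

# Map each sample version to its patched/unpatched verdict for one list.
def report(entries, versions = SAMPLE_VERSIONS)
  versions.map { |v| [v, patched?(entries, v)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  old_result = report(OLD_PATCHED)
  new_result = report(NEW_PATCHED)
  puts format("%-10s %-8s %-8s", "version", "old", "new")
  SAMPLE_VERSIONS.each do |v|
    puts format("%-10s %-8s %-8s", v, old_result[v], new_result[v])
  end
end
```

`~> 4.1.14.1` is bounded above by 4.1.15, which is why the old list flags 4.1.15; `~> 4.1.14` raises that bound to 4.2 while `>= 4.1.14.1` keeps 4.1.14 itself out.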

reedloden added a commit that referenced this pull request Mar 9, 2016
Allow Rails 4.1.15+ for 4.1.14.1 and 4.1.14.2 CVEs
@reedloden reedloden merged commit 00a43d0 into rubysec:master Mar 9, 2016
@matt-glover matt-glover deleted the version-constraints-4-1-line branch March 9, 2016 23:15
dcarral pushed a commit to dcarral/ruby-advisory-db that referenced this pull request Mar 10, 2016
Fix rubysec#244 using the two-part constraint syntax applied in rubysec#248