Updated: Bump rest-client to 1.8.0 #256
Conversation
👍 on this issue.
No traction on this one? Seems quite important.
I feel that developers aren't quite keeping up with development of this RubyGem and this needs to be merged soon.
The gemfiles you changed are just local overrides when using the gem from its own repo (e.g., for running tests). These overrides exist specifically for compatibility when running tests with older versions of Ruby. The actual dependency for the gem itself is in
Updated the gemspec and hope it doesn't break this build.
Sorry, I may not have been clear -- the gemspec doesn't need to be updated either. Anyone adding this gem to a project will already get the latest 1.x version of rest-client by default. We are still compatible with rest-client 1.4, so we're not going to change the lower bound.
So @russelldavis is saying that if you installed this gem into a new project at this point, the rest-client dependency would use a rest-client version that no longer has the vulnerability. If you have an existing project with the gem, you can simply bump the rest-client version yourself to override. Is that correct @russelldavis?
Yep, that's correct.
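The point made above (new installs resolve the latest 1.x under the gem's `>= 1.4` bound, while an existing project must bump its own pin), as an added example that is not code from this PR or the gem: it audits a constructed Gemfile.lock fragment for a rest-client version below the 1.7.3 fix and checks whether a candidate version both satisfies the gemspec bound and carries the fix. The lockfile layout (`    name (version)`) and the constant names are assumptions.

```ruby
require 'rubygems'

# Version that contains the fix discussed in this thread (CVE-2015-3448).
FIXED_VERSION = Gem::Version.new('1.7.3')
# The gem's own gemspec lower bound, as stated in the thread (>= 1.4).
GEMSPEC_REQUIREMENT = Gem::Requirement.new('>= 1.4')

# Pulls the pinned version of `name` from Gemfile.lock text.
# Assumes Bundler's specs layout: "    rest-client (1.6.7)" (4-space indent).
def locked_version(lockfile_text, name)
  lockfile_text.each_line do |line|
    if (m = line.match(/^\s{4}#{Regexp.escape(name)} \(([^)]+)\)\s*$/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Returns :missing, :vulnerable, or :ok for rest-client in the lockfile.
def audit_rest_client(lockfile_text)
  v = locked_version(lockfile_text, 'rest-client')
  return :missing if v.nil?
  v < FIXED_VERSION ? :vulnerable : :ok
end

# Does a candidate version satisfy the gemspec bound AND carry the fix?
# Shows why the lower bound alone says nothing about an existing project's pin.
def acceptable?(version_string)
  v = Gem::Version.new(version_string)
  GEMSPEC_REQUIREMENT.satisfied_by?(v) && v >= FIXED_VERSION
end

# Constructed lockfile fragments for demonstration (not from a real project).
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (1.25.1)
      rest-client (1.6.7)
        mime-types (>= 1.16)
LOCK

NEW_LOCK = OLD_LOCK.sub('rest-client (1.6.7)', 'rest-client (1.8.0)')

if __FILE__ == $PROGRAM_NAME
  puts "old lock: #{audit_rest_client(OLD_LOCK)}" # vulnerable
  puts "new lock: #{audit_rest_client(NEW_LOCK)}" # ok
end
```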
Perfect @russelldavis, I think that should close this issue if everyone else is happy?
After some further investigation, there is no newer version than 1.8.0 which still has the vulnerability.
@jaymiejones86 can you clarify? What's the problem w/ using 1.7.3 or 1.8.x?
@russelldavis 1.7.3, 1.8.0 (latest) all have the vulnerability, so bundle-audit says. I went quite far back in the various versions for rest-client and still encountered the vulnerability.
Not sure what bundle-audit is doing, but I think it must be wrong. Here's the fix: rest-client/rest-client@a8b3f3c You can see from the tags it exists in
Hmmm OSVDB still states that it is vulnerable but does say:
So I would assume that 1.8.0 is good to use, happy for this issue to be closed as that commit fixes those tagged versions of the rest-client gem.
Thanks, closing.
In rest-client/rest-client#349, there was a security vulnerability that allows developers to see passwords logged in plain text in the console. This problem is solved in 1.7.3. I preferred to update this gem to its latest version to fix this critical problem.
This also now requires Ruby 1.9.2 on board, although the first build failed miserably. Ruby 1.8.7 fails because it requires mime-types on Ruby 1.9.2. So, that is now eliminated from RVM builds in Travis.
Additional resources:
rest-client/rest-client#352
CVE-2015-3448
Edit: I rebased it for easier commit reading and quality. Still, this needs to be merged soon in the future.