
Security Bug #45

Closed
balasankarc opened this issue Sep 10, 2015 · 8 comments

Comments

@balasankarc

Hi,
Can you take a look at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798466 ?

@bsedat
Contributor

bsedat commented Sep 10, 2015

Hi! I'm not sure what there is for us to do here...

@bsedat
Contributor

bsedat commented Sep 10, 2015

Awaiting #43 I guess?

@balasankarc
Author

Ah. You already have a PR regarding this? As I am the co-maintainer of the debian package, I forwarded the bug to the upstream (here). Sorry for the redundancy. :)

I just saw that @f3ndot was the guy who actually requested that CVE. ;)

@bsedat
Contributor

bsedat commented Sep 10, 2015

No problem, thanks for the update! We'll push out a new release once the PR is done.

@borski
Contributor

borski commented Sep 10, 2015

@balasankarc, I noticed that you marked the severity as 'grave,' which it probably shouldn't be. While a valid security issue, this is a very narrow vulnerability, as described by @f3ndot himself. :)

@balasankarc
Author

Ah. It wasn't me who filed that bug (and marked it grave). The guy who marked that is part of the Debian Security team, I believe. Anyway, that is not a big deal right now as we are not looking for another Debian release anytime soon. Once that PR gets done, we can close that bug. Till then it is highly unlikely to affect anybody.

I packaged the gem for the ongoing GitLab packaging and I am pretty sure no one is affected by it having a grave severity. :)

@f3ndot
Contributor

f3ndot commented Sep 17, 2015

@balasankarc fix is merged & released in 2.0.0 and the issue has been assigned CVE-2015-7225, OSVDB pending.

@balasankarc
Author

Thanks. I've updated the Debian package. :)
