Adding CVE patch for package logstash-8 to fix CVE: GHSA-hxx2-7vcw-mqr3

octo-sts[bot] · octo-sts[bot] · commit 8ba4a447da09 · 2025-03-25T19:45:03.000Z
diff --git a/logstash-8.yaml b/logstash-8.yaml
@@ -17,7 +17,7 @@
 package:
   name: logstash-8
   version: 8.15.3
-  epoch: 100
+  epoch: 101
   description: Logstash - transport and process your logs, events, or other data
   copyright:
     - license: Apache-2.0
@@ -75,6 +75,10 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: 8364c8e89cfb113e38ec3f966df7eb1e9abe9d33
 
+  - uses: patch
+    with:
+      patches: GHSA-hxx2-7vcw-mqr3.patch
+
   - name: Patch sources
     runs: |
       # Disable the logstash-integration-jdbc plugin download as we build and
diff --git a/logstash-8/GHSA-hxx2-7vcw-mqr3.patch b/logstash-8/GHSA-hxx2-7vcw-mqr3.patch
@@ -0,0 +1,4 @@
+--- a/Gemfile.template
++++ b/Gemfile.template
+@@ -38,0 +39 @@
++gem "sinatra", "~> 4.1.0", :group => :development
