Skip to content

Address security vulnerability in rubyzip dependency #602

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Address security vulnerability in rubyzip dependency #602

wants to merge 1 commit into from

Conversation

@waterjump
Copy link

@waterjump waterjump commented Sep 7, 2018

The rubyzip gem version 1.2.1 contains a security vulnerability allowing
absolute path traversal. More details can be found here:

rubyzip/rubyzip#369

This change addresses the issue by specifying a rubyzip version greater
than or equal to 1.2.2.

Solves issue #599

@waterjump
Address security vulnerability in rubyzip dependency
6b27a57 
The rubyzip gem version 1.2.1 contains a security vulnerability allowing
absolute path traversal.  More details can be found here:

rubyzip/rubyzip#369

This change addresses the issue by specifying a rubyzip version greater
than or equal to 1.2.2.

Solves issue randym#599
@why-el
Copy link

why-el commented Sep 11, 2018

@waterjump any chance you release a new version with this change? It's a pretty serious one.

@waterjump
Copy link
Author

waterjump commented Sep 11, 2018

@why-el Seems like bumping it to 3.0.1 would be a good idea. I'd like to confirm with the gem owner because people tend to do this differently from time to time and there's nothing in the README about contribution guidelines etc.

@why-el
Copy link

why-el commented Sep 11, 2018

Ok, thanks the prompt response. Up to @randym then.

@noniq
Copy link
Collaborator

noniq commented Sep 11, 2018

See also #536

@sullyvannunes
Copy link

sullyvannunes commented Oct 5, 2018

I am facing this same problem with rubyzip version.
is there any update about this issue?

@courtsimas
Copy link

courtsimas commented Oct 7, 2018

Ping. What's the latest?

@waterjump
Copy link
Author

waterjump commented Oct 8, 2018

@courtsimas We are waiting on feedback from @randym regarding version bump.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@waterjump @why-el @noniq @sullyvannunes @courtsimas