Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update to rubyzip > 2.0.0 #19622

Closed
Fryguy opened this issue Dec 10, 2019 · 0 comments
Closed

Update to rubyzip > 2.0.0 #19622

Fryguy opened this issue Dec 10, 2019 · 0 comments
Assignees
@d-m-u
Labels
technical debt

Comments

@Fryguy
Copy link
Member

Fryguy commented Dec 10, 2019

We're currently using rubyzip 1.3.0 with "Zip.validate_entry_sizes = true" to address CVE-2019-16892.

To avoid possibly adding new code without "true" flag in the future (which will make us vulnerable again), rubyzip should be updated to 2.0.0 or later which sets the flag to true by default.

https://bugzilla.redhat.com/show_bug.cgi?id=1781195
@Fryguy Fryguy mentioned this issue Dec 11, 2019
Merged
d-m-u added a commit to d-m-u/manageiq that referenced this issue Dec 11, 2019
@d-m-u
Update rubyzip to 2.0.0
e346761 
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1781195
Fixes ManageIQ#19622
d-m-u added a commit to d-m-u/manageiq-automation_engine that referenced this issue Dec 11, 2019
@d-m-u
Update to 2.0.0
860a960 
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1781195
Fixes ManageIQ/manageiq#19622
d-m-u added a commit to d-m-u/manageiq that referenced this issue Dec 11, 2019
@d-m-u
Update rubyzip to 2.0.0
20e2601 
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1781195
Fixes ManageIQ#19622
d-m-u added a commit to d-m-u/manageiq that referenced this issue Dec 12, 2019
@d-m-u
Update rubyzip to 2.0.0
4889c8f 
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1781195
Fixes ManageIQ#19622
@d-m-u d-m-u mentioned this issue Dec 12, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@d-m-u d-m-u

Labels
technical debt
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Fryguy @d-m-u