Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GHSA Add unaffected_versions to CVE-2024-27456 #755

Merged
merged 2 commits into from
Feb 27, 2024
Merged

GHSA Add unaffected_versions to CVE-2024-27456 #755

merged 2 commits into from
Feb 27, 2024

Conversation

Cdestewart
Copy link
Contributor

Updated the advisory for CVE-2024-27456 to include the unaffected versions.

@Kilomaster3
Copy link

@postmodern could you please check this PR?

@jlw
Copy link

jlw commented Feb 27, 2024

From my reading of cyu/rack-cors#274 this change is also not correct. The unaffected versions should be everything before 2.0.1 - v 2.0.0 should not be counted as affected.

@aprescott aprescott mentioned this pull request Feb 27, 2024
Merged
postmodern
postmodern approved these changes Feb 27, 2024
View reviewed changes
Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Manually confirmed that only rack-cors 2.0.1 is effected.

$ gem fetch rack-cors -v 2.0.0
$ tar xvf rack-cors-2.0.0.gem
$ tar tzvf data.tar.gz
-rw-rw-r-- wheel/wheel     540 2023-02-14 05:15 .rubocop.yml
-rw-rw-r-- wheel/wheel     152 2023-02-14 05:15 .travis.yml
-rw-rw-r-- wheel/wheel    2901 2023-02-14 05:15 CHANGELOG.md
-rw-rw-r-- wheel/wheel     155 2023-02-14 05:15 Gemfile
-rw-rw-r-- wheel/wheel    1066 2023-02-14 05:15 LICENSE.txt
-rw-rw-r-- wheel/wheel    8067 2023-02-14 05:15 README.md
-rw-rw-r-- wheel/wheel     494 2023-02-14 05:15 Rakefile
-rw-rw-r-- wheel/wheel    5808 2023-02-14 05:15 lib/rack/cors.rb
-rw-rw-r-- wheel/wheel    4365 2023-02-14 05:15 lib/rack/cors/resource.rb
-rw-rw-r-- wheel/wheel    1435 2023-02-14 05:15 lib/rack/cors/resources.rb
-rw-rw-r-- wheel/wheel     369 2023-02-14 05:15 lib/rack/cors/resources/cors_misconfiguration_error.rb
-rw-rw-r-- wheel/wheel    1424 2023-02-14 05:15 lib/rack/cors/result.rb
-rw-rw-r-- wheel/wheel      88 2023-02-14 05:15 lib/rack/cors/version.rb
-rw-rw-r-- wheel/wheel    1409 2023-02-14 05:15 rack-cors.gemspec
-rw-rw-r-- wheel/wheel     125 2023-02-14 05:15 test/.rubocop.yml
-rw-rw-r-- wheel/wheel   36547 2023-02-14 05:15 test/cors/expect.js
-rw-rw-r-- wheel/wheel    3819 2023-02-14 05:15 test/cors/mocha.css
-rw-rw-r-- wheel/wheel  111429 2023-02-14 05:15 test/cors/mocha.js
-rw-rw-r-- wheel/wheel     502 2023-02-14 05:15 test/cors/runner.html
-rw-rw-r-- wheel/wheel    1773 2023-02-14 05:15 test/cors/test.cors.coffee
-rw-rw-r-- wheel/wheel    2485 2023-02-14 05:15 test/cors/test.cors.js
-rw-rw-r-- wheel/wheel   17430 2023-02-14 05:15 test/unit/cors_test.rb
-rw-rw-r-- wheel/wheel    2541 2023-02-14 05:15 test/unit/dsl_test.rb
-rw-rw-r-- wheel/wheel     149 2023-02-14 05:15 test/unit/insecure.ru
-rw-rw-r-- wheel/wheel     144 2023-02-14 05:15 test/unit/non_http.ru
-rw-rw-r-- wheel/wheel    1815 2023-02-14 05:15 test/unit/test.ru
$ gem fetch rack-cors -v 2.0.1
$ tar xvf rack-cors-2.0.1.gem
$ tar tzvf data.tar.gz
-rw-rw-rw- wheel/wheel     744 2023-03-16 22:41 .github/workflows/ci.yaml
-rw-rw-rw- wheel/wheel     559 2023-03-16 22:41 .rubocop.yml
-rw-rw-rw- wheel/wheel    2992 2023-03-16 22:41 CHANGELOG.md
-rw-rw-rw- wheel/wheel     155 2023-03-16 22:41 Gemfile
-rw-rw-rw- wheel/wheel    1066 2023-03-16 22:41 LICENSE.txt
-rw-rw-rw- wheel/wheel    8087 2023-03-16 22:41 README.md
-rw-rw-rw- wheel/wheel     494 2023-03-16 22:41 Rakefile
-rw-rw-rw- wheel/wheel    5808 2023-03-16 22:41 lib/rack/cors.rb
-rw-rw-rw- wheel/wheel    4602 2023-03-16 22:41 lib/rack/cors/resource.rb
-rw-rw-rw- wheel/wheel    1435 2023-03-16 22:41 lib/rack/cors/resources.rb
-rw-rw-rw- wheel/wheel     369 2023-03-16 22:41 lib/rack/cors/resources/cors_misconfiguration_error.rb
-rw-rw-rw- wheel/wheel    1424 2023-03-16 22:41 lib/rack/cors/result.rb
-rw-rw-rw- wheel/wheel      88 2023-03-16 22:41 lib/rack/cors/version.rb
-rw-rw-rw- wheel/wheel    1409 2023-03-16 22:41 rack-cors.gemspec
-rw-rw-rw- wheel/wheel     125 2023-03-16 22:41 test/.rubocop.yml
-rw-rw-rw- wheel/wheel   36547 2023-03-16 22:41 test/cors/expect.js
-rw-rw-rw- wheel/wheel    3819 2023-03-16 22:41 test/cors/mocha.css
-rw-rw-rw- wheel/wheel  111429 2023-03-16 22:41 test/cors/mocha.js
-rw-rw-rw- wheel/wheel     502 2023-03-16 22:41 test/cors/runner.html
-rw-rw-rw- wheel/wheel    1773 2023-03-16 22:41 test/cors/test.cors.coffee
-rw-rw-rw- wheel/wheel    2485 2023-03-16 22:41 test/cors/test.cors.js
-rw-rw-rw- wheel/wheel   17430 2023-03-16 22:41 test/unit/cors_test.rb
-rw-rw-rw- wheel/wheel    2541 2023-03-16 22:41 test/unit/dsl_test.rb
-rw-rw-rw- wheel/wheel     149 2023-03-16 22:41 test/unit/insecure.ru
-rw-rw-rw- wheel/wheel     144 2023-03-16 22:41 test/unit/non_http.ru
-rw-rw-rw- wheel/wheel    1815 2023-03-16 22:41 test/unit/test.ru

@postmodern postmodern merged commit 1c7d5b5 into rubysec:master Feb 27, 2024
@larouxn larouxn mentioned this pull request Feb 27, 2024
Closed
@charleyf charleyf mentioned this pull request Feb 28, 2024
Merged
2 tasks
@Cdestewart Cdestewart deleted the ghsa-sync-cve-2024-27456 branch February 29, 2024 15:28
michelegera added a commit to michelegera/devexcuses-api that referenced this pull request Mar 3, 2024
@michelegera
Lock to rack-cors 2.0.0 to avoid problem with rack-cors 2.0.1
2d17809 
rubysec/ruby-advisory-db#755
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@postmodern postmodern postmodern approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Cdestewart @Kilomaster3 @jlw @postmodern