
[Security] Bump rubyzip from 1.2.1 to 1.2.2 #415


Merged
merged 1 commit into from
Sep 4, 2018

Conversation

greysteil

Bumps rubyzip from 1.2.1 to 1.2.2. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Directory Traversal in rubyzip
rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability
in the Zip::File component that can result in writing arbitrary files to the filesystem.
If a site allows uploading of .zip files, an attacker can upload a malicious file
which contains symlinks or files with absolute pathnames or "../" to write arbitrary
files to the filesystem.

Patched versions: >= 1.2.2
Unaffected versions: none

Commits
  • d07b13a Merge pull request #376 from jdleesmiller/fix-cve-2018-1000544
  • fd81bd5 Bump version to 1.2.2
  • cf35774 Bump version to 1.3.0
  • ffb374c Bump version to 2.0.0
  • 8a1de58 Expand from root rather than current working directory
  • 3dd165b Disable symlinks and check for path traversal
  • ffebfa3 Consolidate path traversal tests
  • 9c468f3 Add jwilk's path traversal tests
  • 0586329 Trigger CI again
  • cf71583 Move jruby to allow failures matrix till crc uint 32 issues are resolved
  • Additional commits viewable in compare view

Bumps [rubyzip](https://github.com/rubyzip/rubyzip) from 1.2.1 to 1.2.2. **This update includes security fixes.**
- [Release notes](https://github.com/rubyzip/rubyzip/releases)
- [Changelog](https://github.com/rubyzip/rubyzip/blob/master/Changelog.md)
- [Commits](rubyzip/rubyzip@v1.2.1...v1.2.2)

Signed-off-by: dependabot[bot] <support@dependabot.com>
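The advisory above describes archive entries that escape the extraction directory: names containing "../", absolute pathnames, or symlinks that redirect a later write. The block below is an added example in plain Ruby, not rubyzip's code and not part of this pull request, showing the kind of check an extractor needs, in the spirit of the listed commit messages "Expand from root rather than current working directory" and "Disable symlinks and check for path traversal". Each entry name is resolved against the destination root (never against the process's working directory) and refused if it lands outside that root; symlink entries are refused outright. `ZipEntry`, `safe_extract_path`, `audit_entries` and the sample listing are constructed for this example and do not correspond to rubyzip's API.

```ruby
# Added example (not rubyzip's own code): validate zip entry names against a
# destination directory before anything is written to disk.

# Constructed stand-in for a zip entry: its name and whether it is a symlink.
# A real extractor would read these from the central directory / external attributes.
ZipEntry = Struct.new(:name, :symlink)

# Returns the absolute path at which +entry+ may be written under +dest_root+,
# or nil when the entry must be refused.
def safe_extract_path(dest_root, entry)
  name = entry.name.to_s
  return nil if name.empty?
  # Symlinks are refused outright: even one that points inside the root today
  # can redirect a later entry's write once it exists on disk.
  return nil if entry.symlink

  # Resolve relative to the destination root, never the current working directory.
  # File.expand_path collapses "." and ".." and returns an absolute entry name
  # unchanged, so both traversal forms from the advisory surface here.
  root   = File.expand_path(dest_root)
  target = File.expand_path(name, root)

  # The resolved path must be strictly inside root/. Appending the separator
  # stops "/var/www/out2" from passing a check meant for "/var/www/out".
  return nil unless target.start_with?(root + File::SEPARATOR)
  target
end

# Partition an archive listing into names safe to extract and names refused,
# so a reviewer (or an upload scanner) can see why an archive was rejected.
def audit_entries(dest_root, entries)
  safe, refused = entries.partition { |e| safe_extract_path(dest_root, e) }
  { safe: safe.map(&:name), refused: refused.map(&:name) }
end

# Constructed sample listing mirroring the cases the advisory names.
SAMPLE_ENTRIES = [
  ZipEntry.new('docs/readme.txt', false),        # ordinary relative entry
  ZipEntry.new('../../etc/cron.d/evil', false),  # "../" traversal
  ZipEntry.new('/etc/passwd', false),            # absolute pathname
  ZipEntry.new('link_to_home', true),            # symlink entry
  ZipEntry.new('nested/../ok.txt', false),       # ".." that stays inside root
].freeze

if __FILE__ == $PROGRAM_NAME
  report = audit_entries('/var/www/uploads/extracted', SAMPLE_ENTRIES)
  puts "safe:    #{report[:safe].join(', ')}"
  puts "refused: #{report[:refused].join(', ')}"
end
```

The check runs on the entry name alone, before any file is created, which is the point: once a symlink or a traversing path has been written, later entries in the same archive can reuse it. A real extractor would also apply this to directory entries and create parent directories only from the validated target.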
greysteil (Author)

@enricostano - did you have a chance to check out Dependabot? I left a comment here on its open source status - it's not perfect but I do what I can.

greysteil (Author) commented Aug 31, 2018

(I don't think that TimeOverflow is affected by this vulnerability, as rubyzip is only used as a sub-dependency of a development dependency here, but still probably a good idea to patch.)

@sauloperez sauloperez merged commit 6d0923a into coopdevs:develop Sep 4, 2018
@sauloperez sauloperez mentioned this pull request Sep 20, 2018

4 participants