Skip to content

Lock to rack-cors 2.0.0 to avoid problem with rack-cors 2.0.1#10173

Merged
charleyf merged 2 commits intomainfrom
charley/rack-cors
Feb 28, 2024
Merged

Lock to rack-cors 2.0.0 to avoid problem with rack-cors 2.0.1#10173
charleyf merged 2 commits intomainfrom
charley/rack-cors

Conversation

@charleyf
Copy link
Contributor

@charleyf charleyf commented Feb 28, 2024
edited
Loading

🛠 Summary of changes

Right now all lint tasks are failing in main because there's a newly reported file permission vulnerability in rack-cors (link) version 2.0.1 (latest). This PR addresses that by locking our version to 2.0.0, the latest version of rack-cors without this vulnerability (link).

Presumably we'll be able to use 2.0.1 again once they've patched the problem.

The error:

--- bundler-audit ---
bundle exec bundler-audit check --update
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db:
  advisories:   875 advisories
  last updated: 2024-02-27 14:25:50 -0800
  commit:       1c7d5b5233d4c1ace4b6141bb949a2d54028d18e
Name: rack-cors
Version: 2.0.1
CVE: CVE-2024-27456
GHSA: GHSA-785g-282q-pwvx
Criticality: Unknown
URL: https://github.com/advisories/GHSA-785g-282q-pwvx
Title: Rack CORS Middleware has Insecure File Permissions
Solution: remove or disable this gem until a patch is available!

Vulnerabilities found!
make: *** [lint] Error 1

📜 Testing Plan

  • Run make lint in main notice the failure.
  • Run make lint in this branch, the failure is gone.

@charleyf charleyf changed the title Mitigate Permissions Concern in rack-cors by Locking Version Mitigate Vulnerability in rack-cors 2.0.1 by Locking Version to rack-cors 2.0.0` Feb 28, 2024
@charleyf charleyf changed the title Mitigate Vulnerability in rack-cors 2.0.1 by Locking Version to rack-cors 2.0.0` Mitigate Vulnerability in rack-cors 2.0.1 by Locking Version to rack-cors 2.0.0 Feb 28, 2024
@charleyf charleyf changed the title Mitigate Vulnerability in rack-cors 2.0.1 by Locking Version to rack-cors 2.0.0 Lock to rack-cors 2.0.0 to avoid problem with rack-cors 2.0.1 Feb 28, 2024
@charleyf charleyf merged commit 47713e1 into main Feb 28, 2024
@charleyf charleyf deleted the charley/rack-cors branch February 28, 2024 18:39
jmax-gsa pushed a commit that referenced this pull request Feb 28, 2024
@charleyf @jmax-gsa
Lock to rack-cors 2.0.0 to avoid problem with rack-cors 2.0.1 (#1…
4c7aede 
…0173)

* Mitigate permissions concern in rack-cors by locking version

* changelog: Internal, Dependencies, Lock rack-cors to version 2.0.0 to avoid vulnerability in version 2.0.1
@charleyf charleyf mentioned this pull request Feb 29, 2024
Closed
@jmdembe jmdembe mentioned this pull request Feb 29, 2024
Merged
@charleyf charleyf mentioned this pull request Mar 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mitchellhenke mitchellhenke mitchellhenke approved these changes

@zachmargolis zachmargolis Awaiting requested review from zachmargolis

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@charleyf @mitchellhenke