GHSA Add unaffected_versions to CVE-2024-27456 #755

Merged
postmodern merged 2 commits into rubysec:master from Cdestewart:ghsa-sync-cve-2024-27456
Feb 27, 2024

@Cdestewart
Contributor

Updated the advisory for CVE-2024-27456 to include the unaffected versions.

@Kilomaster3
@postmodern could you please check this PR?

@jlw
jlw commented Feb 27, 2024

From my reading of cyu/rack-cors#274 this change is also not correct. The unaffected versions should be everything before 2.0.1 - v 2.0.0 should not be counted as affected.

Member

@postmodern postmodern left a comment

Manually confirmed that only rack-cors 2.0.1 is affected.

$ gem fetch rack-cors -v 2.0.0
$ tar xvf rack-cors-2.0.0.gem
$ tar tzvf data.tar.gz
-rw-rw-r-- wheel/wheel     540 2023-02-14 05:15 .rubocop.yml
-rw-rw-r-- wheel/wheel     152 2023-02-14 05:15 .travis.yml
-rw-rw-r-- wheel/wheel    2901 2023-02-14 05:15 CHANGELOG.md
-rw-rw-r-- wheel/wheel     155 2023-02-14 05:15 Gemfile
-rw-rw-r-- wheel/wheel    1066 2023-02-14 05:15 LICENSE.txt
-rw-rw-r-- wheel/wheel    8067 2023-02-14 05:15 README.md
-rw-rw-r-- wheel/wheel     494 2023-02-14 05:15 Rakefile
-rw-rw-r-- wheel/wheel    5808 2023-02-14 05:15 lib/rack/cors.rb
-rw-rw-r-- wheel/wheel    4365 2023-02-14 05:15 lib/rack/cors/resource.rb
-rw-rw-r-- wheel/wheel    1435 2023-02-14 05:15 lib/rack/cors/resources.rb
-rw-rw-r-- wheel/wheel     369 2023-02-14 05:15 lib/rack/cors/resources/cors_misconfiguration_error.rb
-rw-rw-r-- wheel/wheel    1424 2023-02-14 05:15 lib/rack/cors/result.rb
-rw-rw-r-- wheel/wheel      88 2023-02-14 05:15 lib/rack/cors/version.rb
-rw-rw-r-- wheel/wheel    1409 2023-02-14 05:15 rack-cors.gemspec
-rw-rw-r-- wheel/wheel     125 2023-02-14 05:15 test/.rubocop.yml
-rw-rw-r-- wheel/wheel   36547 2023-02-14 05:15 test/cors/expect.js
-rw-rw-r-- wheel/wheel    3819 2023-02-14 05:15 test/cors/mocha.css
-rw-rw-r-- wheel/wheel  111429 2023-02-14 05:15 test/cors/mocha.js
-rw-rw-r-- wheel/wheel     502 2023-02-14 05:15 test/cors/runner.html
-rw-rw-r-- wheel/wheel    1773 2023-02-14 05:15 test/cors/test.cors.coffee
-rw-rw-r-- wheel/wheel    2485 2023-02-14 05:15 test/cors/test.cors.js
-rw-rw-r-- wheel/wheel   17430 2023-02-14 05:15 test/unit/cors_test.rb
-rw-rw-r-- wheel/wheel    2541 2023-02-14 05:15 test/unit/dsl_test.rb
-rw-rw-r-- wheel/wheel     149 2023-02-14 05:15 test/unit/insecure.ru
-rw-rw-r-- wheel/wheel     144 2023-02-14 05:15 test/unit/non_http.ru
-rw-rw-r-- wheel/wheel    1815 2023-02-14 05:15 test/unit/test.ru
$ gem fetch rack-cors -v 2.0.1
$ tar xvf rack-cors-2.0.1.gem
$ tar tzvf data.tar.gz
-rw-rw-rw- wheel/wheel     744 2023-03-16 22:41 .github/workflows/ci.yaml
-rw-rw-rw- wheel/wheel     559 2023-03-16 22:41 .rubocop.yml
-rw-rw-rw- wheel/wheel    2992 2023-03-16 22:41 CHANGELOG.md
-rw-rw-rw- wheel/wheel     155 2023-03-16 22:41 Gemfile
-rw-rw-rw- wheel/wheel    1066 2023-03-16 22:41 LICENSE.txt
-rw-rw-rw- wheel/wheel    8087 2023-03-16 22:41 README.md
-rw-rw-rw- wheel/wheel     494 2023-03-16 22:41 Rakefile
-rw-rw-rw- wheel/wheel    5808 2023-03-16 22:41 lib/rack/cors.rb
-rw-rw-rw- wheel/wheel    4602 2023-03-16 22:41 lib/rack/cors/resource.rb
-rw-rw-rw- wheel/wheel    1435 2023-03-16 22:41 lib/rack/cors/resources.rb
-rw-rw-rw- wheel/wheel     369 2023-03-16 22:41 lib/rack/cors/resources/cors_misconfiguration_error.rb
-rw-rw-rw- wheel/wheel    1424 2023-03-16 22:41 lib/rack/cors/result.rb
-rw-rw-rw- wheel/wheel      88 2023-03-16 22:41 lib/rack/cors/version.rb
-rw-rw-rw- wheel/wheel    1409 2023-03-16 22:41 rack-cors.gemspec
-rw-rw-rw- wheel/wheel     125 2023-03-16 22:41 test/.rubocop.yml
-rw-rw-rw- wheel/wheel   36547 2023-03-16 22:41 test/cors/expect.js
-rw-rw-rw- wheel/wheel    3819 2023-03-16 22:41 test/cors/mocha.css
-rw-rw-rw- wheel/wheel  111429 2023-03-16 22:41 test/cors/mocha.js
-rw-rw-rw- wheel/wheel     502 2023-03-16 22:41 test/cors/runner.html
-rw-rw-rw- wheel/wheel    1773 2023-03-16 22:41 test/cors/test.cors.coffee
-rw-rw-rw- wheel/wheel    2485 2023-03-16 22:41 test/cors/test.cors.js
-rw-rw-rw- wheel/wheel   17430 2023-03-16 22:41 test/unit/cors_test.rb
-rw-rw-rw- wheel/wheel    2541 2023-03-16 22:41 test/unit/dsl_test.rb
-rw-rw-rw- wheel/wheel     149 2023-03-16 22:41 test/unit/insecure.ru
-rw-rw-rw- wheel/wheel     144 2023-03-16 22:41 test/unit/non_http.ru
-rw-rw-rw- wheel/wheel    1815 2023-03-16 22:41 test/unit/test.ru
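
The manual check above compares the permission column of each gem's `data.tar.gz` listing (`-rw-rw-r--` in 2.0.0, `-rw-rw-rw-` in 2.0.1). The Ruby below is an added example, not code from this PR or from the advisory database: it runs the same check with RubyGems' tar reader against constructed in-memory archives. The names `build_data_tar_gz`, `world_writable_entries`, `PATHS` and the two samples are hypothetical, and the sample modes are constructed to mirror the listings.

```ruby
require 'rubygems/package'
require 'stringio'
require 'zlib'

# Build a constructed, in-memory stand-in for a gem's data.tar.gz.
# `files` maps a path to the POSIX mode recorded in its tar header.
def build_data_tar_gz(files)
  tar_io = StringIO.new(''.b)
  tar = Gem::Package::TarWriter.new(tar_io)
  files.each do |path, mode|
    body = "# constructed placeholder\n"
    tar.add_file_simple(path, mode, body.bytesize) { |io| io.write(body) }
  end
  tar.close
  Zlib.gzip(tar_io.string)
end

# Return [path, octal mode] for every regular file whose tar header has the
# "other" write bit set (the trailing "w" in -rw-rw-rw-).
def world_writable_entries(data_tar_gz)
  reader = Gem::Package::TarReader.new(StringIO.new(Zlib.gunzip(data_tar_gz)))
  flagged = []
  reader.each do |entry|
    mode = entry.header.mode & 0o7777
    next unless entry.file? && (mode & 0o002) != 0

    flagged << [entry.full_name, format('%04o', mode)]
  end
  flagged
end

# Constructed samples: three paths taken from the listings, with the modes
# each listing shows (0664 for 2.0.0, 0666 for 2.0.1).
PATHS = %w[lib/rack/cors.rb lib/rack/cors/resource.rb lib/rack/cors/version.rb].freeze
SAMPLE_2_0_0 = build_data_tar_gz(PATHS.to_h { |p| [p, 0o664] })
SAMPLE_2_0_1 = build_data_tar_gz(PATHS.to_h { |p| [p, 0o666] })

if __FILE__ == $PROGRAM_NAME
  { '2.0.0' => SAMPLE_2_0_0, '2.0.1' => SAMPLE_2_0_1 }.each do |version, blob|
    hits = world_writable_entries(blob)
    puts "#{version}: #{hits.empty? ? 'no world-writable files' : hits.inspect}"
  end
end
```

For a fetched gem, pass the bytes of the `data.tar.gz` extracted from the `.gem` file to `world_writable_entries` in place of the constructed samples.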
