SOBotics / Redunda

Status monitoring for SOBotics' bots
https://redunda.sobotics.org/
Creative Commons Zero v1.0 Universal

Potential Security Vulnerabilities in Redunda #49

Closed Bhargav-Rao closed 6 years ago

Bhargav-Rao commented 6 years ago

Received a mail a couple of days back regarding security vulnerabilities, and it seems like 2 dependencies of Redunda are creating a small problem. The suggested fix is:

Gemfile.lock update suggested: nokogiri ~> 1.8.1.

Gemfile.lock update suggested: loofah ~> 2.2.1.
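One way to verify that a Gemfile.lock actually satisfies the two constraints suggested in the alert above, as an added example (not Redunda's own code; the lockfile fragment is constructed, and gem versions in it are sample values):

```ruby
require "rubygems" # provides Gem::Version and Gem::Requirement

# Constructed sample lockfile fragment in Bundler's GEM/specs layout.
# Resolved gems sit at 4-space indent; their dependencies at 6-space indent.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.1.1)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.2)
        mini_portile2 (~> 2.3.0)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)
LOCK

# Pessimistic constraints quoted in the security alert, keyed by gem name.
SUGGESTED = { "nokogiri" => "~> 1.8.1", "loofah" => "~> 2.2.1" }.freeze

# Parse resolved gem versions from the specs section. Only 4-space-indented
# "name (x.y.z)" lines are resolutions; deeper lines are requirements.
# Platform-suffixed versions (e.g. "1.8.2-x86-mingw32") are ignored here.
def locked_versions(lock_text)
  versions = {}
  lock_text.each_line do |line|
    m = line.match(/\A {4}([\w\-]+) \(([\d.]+)\)\s*\z/)
    versions[m[1]] = Gem::Version.new(m[2]) if m
  end
  versions
end

# Return gems whose locked version fails the suggested requirement as
# { name => [locked_version, requirement] }. Gems absent from the lockfile
# are skipped: the alert only concerns dependencies actually in use.
def outdated_gems(lock_text, suggested = SUGGESTED)
  locked = locked_versions(lock_text)
  suggested.each_with_object({}) do |(name, req), bad|
    next unless locked.key?(name)
    requirement = Gem::Requirement.new(req)
    bad[name] = [locked[name].to_s, req] unless requirement.satisfied_by?(locked[name])
  end
end

if __FILE__ == $PROGRAM_NAME
  outdated_gems(SAMPLE_LOCK).each do |name, (have, want)|
    puts "#{name}: locked #{have}, alert suggests #{want}"
  end
end
```

Running it against the sample reports only loofah, since nokogiri 1.8.2 already satisfies `~> 1.8.1`; point it at a real Gemfile.lock via `File.read` to check a repository after a dependency bump.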

double-fault commented 6 years ago

If there is a possibility of a security vulnerability, wouldn't it be better if you sent an email to the maintainers (Art and Undo?) instead of posting it here? A person could take advantage of the vulnerability (if there is one).

Bhargav-Rao commented 6 years ago

Hmm, actually I am not even sure if there's a need for a mail. There's a huge banner, at least for me, when I visit the repo, telling me that there is an issue.

ArtOfCode- commented 6 years ago

Repository admins get security alert banners like that, but emails are still useful - they may not get seen that quickly. These are the same vulnerabilities that were in metasmoke; those Gemfile updates fixed them.

Bhargav-Rao commented 6 years ago

@Fortunate-MAN can you look into this issue as well? As this is also related to Ruby, I think.

The issue is still present. There are more security vulnerabilities in the present mail.

double-fault commented 6 years ago

@Bhargav-Rao on it.

double-fault commented 6 years ago

@Bhargav-Rao all done; it was just a matter of updating the Gemfile.

Bhargav-Rao commented 6 years ago

Perfect, thanks so much!