antek-drzewiecki / wine_bouncer

A Ruby gem that adds OAuth2 protection with Doorkeeper to Grape APIs
MIT License

CVE-2018-1000211 doorkeeper v4.2 update to v4.4 not possible #73

Closed essalorz closed 6 years ago

essalorz commented 6 years ago

Hi. CVE-2018-1000211 recommends updating doorkeeper to v4.4.x, but wine_bouncer accepts only a version strictly lower than 4.3, so doorkeeper is kept at v4.2.x, which is vulnerable: https://nvd.nist.gov/vuln/detail/CVE-2018-1000211

Quoting the GitHub advisory message: "Known high severity security vulnerability detected in doorkeeper >= 4.2.0, < 4.4.0 defined in Gemfile.lock. -- Gemfile.lock update suggested: doorkeeper ~> 4.4.0."
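The mechanics behind this report, as an added example that is not part of the issue or of wine_bouncer's own code: a small Ruby script that reads the locked doorkeeper version out of a `Gemfile.lock`, checks it against the advisory's vulnerable range (`>= 4.2.0, < 4.4.0`), and then asks whether a gemspec dependency constraint can be satisfied by any version in the suggested fixed range (`~> 4.4.0`). It uses only `Gem::Requirement` and `Gem::Version` from RubyGems. The lockfile text, the list of known doorkeeper versions, and the exact bounds of the old and new constraints are constructed for the illustration (the issue only says the old constraint is "strictly lower than 4.3"; the lower bound and the shape of the fixed constraint are assumptions, not the project's actual gemspec lines).

```ruby
require 'rubygems'

# Ranges from the GitHub advisory quoted in the issue (CVE-2018-1000211):
# vulnerable doorkeeper >= 4.2.0, < 4.4.0; suggested fix doorkeeper ~> 4.4.0.
VULNERABLE = Gem::Requirement.new('>= 4.2.0', '< 4.4.0')
FIXED      = Gem::Requirement.new('~> 4.4.0')

# Versions assumed to exist for the illustration (constructed list, not fetched
# from rubygems.org); a real check would use `gem list -ra doorkeeper`.
KNOWN_VERSIONS = %w[4.2.0 4.2.6 4.3.0 4.3.2 4.4.0 4.4.1 5.0.0].map { |v| Gem::Version.new(v) }

# Constraint as the issue describes it ("strictly lower than 4.3"); the lower
# bound is assumed here. The "fixed" constraint is likewise an assumed shape.
OLD_CONSTRAINT = ['>= 4.2', '< 4.3']
NEW_CONSTRAINT = ['>= 4.4', '< 5']

# Constructed sample Gemfile.lock resembling what the advisory bot flagged.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      doorkeeper (4.2.6)
        railties (>= 4.2)
      grape (1.1.0)
        rack (>= 1.3.0)

  PLATFORMS
    ruby
LOCK

# Pull the locked versions out of the `specs:` block of a Gemfile.lock.
# Directly listed specs are indented by exactly four spaces; their own
# dependencies are indented further and are skipped.
def locked_versions(lockfile_text)
  lockfile_text.each_line.each_with_object({}) do |line, acc|
    if (m = line.match(/\A {4}([\w.-]+) \(([^)\s]+)\)\s*\z/))
      acc[m[1]] = Gem::Version.new(m[2])
    end
  end
end

# Does the lockfile pin `gem_name` to a version inside the vulnerable range?
def locked_version_vulnerable?(lockfile_text, gem_name)
  v = locked_versions(lockfile_text)[gem_name]
  !v.nil? && VULNERABLE.satisfied_by?(v)
end

# Which known versions does a gemspec-style constraint allow?
def allowed_versions(constraint_strings)
  req = Gem::Requirement.new(*constraint_strings)
  KNOWN_VERSIONS.select { |v| req.satisfied_by?(v) }
end

# Can Bundler ever pick a version in the fixed range under this constraint?
# If not, `bundle update doorkeeper` cannot remediate the advisory and the
# constraint itself (here, in wine_bouncer's gemspec) has to change.
def constraint_permits_fix?(constraint_strings)
  allowed_versions(constraint_strings).any? { |v| FIXED.satisfied_by?(v) }
end

if $PROGRAM_NAME == __FILE__
  puts "locked doorkeeper vulnerable: #{locked_version_vulnerable?(SAMPLE_LOCK, 'doorkeeper')}"
  puts "old constraint allows: #{allowed_versions(OLD_CONSTRAINT).join(', ')}"
  puts "old constraint permits fix: #{constraint_permits_fix?(OLD_CONSTRAINT)}"
  puts "new constraint permits fix: #{constraint_permits_fix?(NEW_CONSTRAINT)}"
end
```

Run as `ruby check_doorkeeper.rb`. The point the script makes concrete is that a locked version inside an advisory range is only half the picture: when a transitive consumer's upper bound excludes every fixed release, no amount of `bundle update` helps, and the dependency constraint in the consuming gem is what has to be relaxed.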

antek-drzewiecki commented 6 years ago

Expect the new version to be released tomorrow.

essalorz commented 6 years ago

Thank you

antek-drzewiecki commented 6 years ago

New version is released, happy upgrading :+1: