Status: closed (MaximilianMeister closed this issue 6 years ago)
Same question here. net-ldap 0.11 seems to have some encoding issues, making it unusable in conjunction with my MS Active-Directory queries. An upgrade of the net-ldap dependency would be very important for me!
Also, with Ruby 2.4.2 you start to get:
ruby/2.4.2/gems/net-ldap-0.5.1/lib/net/ber/core_ext.rb:38: warning: constant ::Bignum is deprecated
ruby/2.4.2/gems/net-ldap-0.5.1/lib/net/ber/core_ext.rb:45: warning: constant ::Fixnum is deprecated
I did a test with the updated net-ldap dependency (s.add_dependency 'net-ldap', '>= 0.16.0') and Ruby 2.4.2, and at least the tests (bundle exec rake spec) executed nicely:
46 examples, 0 failures
There is a security vulnerability in net-ldap less than 0.16.0. It appears that it is not doing SSL certificate validation. https://www.cvedetails.com/cve/CVE-2017-17718/
Github has begun displaying warnings for vulnerable dependencies, so I'm seeing it in one of my projects.
We found a potential security vulnerability in one of your dependencies. The net-ldap dependency defined in Gemfile.lock has a known moderate severity security vulnerability in version range < 0.16.0 and should be updated.
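The warning quoted above is just a version-range check on Gemfile.lock. As an added example (not code from this thread or from devise_ldap_authenticatable), the script below reproduces that check with Ruby's built-in Gem::Version and Gem::Requirement: it reads the resolved net-ldap version out of a lockfile and compares it with the fixed release named in the thread (0.16.0), and it also tests whether a gemspec constraint such as the old "< 0.12" pin can ever resolve to a release in the vulnerable range. The lockfile text and the candidate version list are constructed for the example; only the "< 0.12" pin and the 0.16.0 fix line come from the thread.

```ruby
# Added example: flag a Gemfile.lock whose resolved net-ldap is below 0.16.0,
# the release the thread identifies as fixing CVE-2017-17718 (no certificate
# validation). Uses only Gem::Version / Gem::Requirement from Ruby's stdlib.

FIXED_NET_LDAP = Gem::Version.new("0.16.0")

# Constructed Gemfile.lock excerpt; the gem versions here are made up for the
# example and are not taken from any real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      devise_ldap_authenticatable (0.0.1)
        devise (>= 3.4.1)
        net-ldap (< 0.12)
      net-ldap (0.11)

  DEPENDENCIES
    devise_ldap_authenticatable
LOCK

# Return the resolved version of gem_name from Gemfile.lock text, or nil.
# Resolved entries sit at exactly four spaces of indentation under "specs:"
# with the version in parentheses; a gem's dependency lines are indented
# deeper and carry a requirement instead, so they do not match.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when the locked net-ldap falls in the vulnerable range (< 0.16.0).
def net_ldap_vulnerable?(lockfile_text)
  v = locked_version(lockfile_text, "net-ldap")
  !v.nil? && v < FIXED_NET_LDAP
end

# True when a gemspec-style constraint (e.g. "< 0.12" or ">= 0.16.0") still
# admits at least one release from the vulnerable range. The candidate list
# is a constructed sample of version numbers, not a fetch from rubygems.org.
def constraint_allows_vulnerable?(constraint)
  req = Gem::Requirement.new(*constraint.split(",").map(&:strip))
  candidates = %w[0.5.1 0.11 0.12.1 0.15.0 0.16.0 0.16.1].map { |s| Gem::Version.new(s) }
  candidates.any? { |v| req.satisfied_by?(v) && v < FIXED_NET_LDAP }
end

if __FILE__ == $PROGRAM_NAME
  puts "locked net-ldap:            #{locked_version(SAMPLE_LOCKFILE, 'net-ldap')}"
  puts "vulnerable:                 #{net_ldap_vulnerable?(SAMPLE_LOCKFILE)}"
  puts "old pin admits vulnerable:  #{constraint_allows_vulnerable?('< 0.12')}"
  puts "new pin admits vulnerable:  #{constraint_allows_vulnerable?('>= 0.16.0')}"
end
```

Run it with plain ruby; to check a real project, replace SAMPLE_LOCKFILE with File.read("Gemfile.lock"). The second function is the point of the thread: as long as the gemspec pins net-ldap below 0.12, no bundle update can move a downstream app out of the vulnerable range, so the fix has to land in the dependency declaration, not only in each app's lockfile.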
Well, here's a PR: https://github.com/cschiewek/devise_ldap_authenticatable/pull/243
@cschiewek thanks for merging https://github.com/cschiewek/devise_ldap_authenticatable/pull/243. Could you release a new version on rubygems.org? Then we can close this issue here.
@MaximilianMeister Done!
@cschiewek thanks a bunch
Thanks so much!
Is there any reason that the net-ldap version is pinned below 0.12? The newest version upstream is already 0.16.0.
Once it got bumped, but then it was more or less reverted, and there was no real explanation in the commit message.
Thanks for any hint.