instructure / canvas-lms

The open LMS by Instructure, Inc.
https://github.com/instructure/canvas-lms/wiki
GNU Affero General Public License v3.0
5.57k stars, 2.47k forks

installed Canvas-LMS via the docker method - causes reported 10.0 CVE with ruby-rack #2314

Closed jrm213 closed 6 months ago

jrm213 commented 7 months ago

Summary:

Installed Canvas-LMS via the Docker method on Ubuntu 20.04 - causes a reported 10.0 CVE vulnerability against ruby-rack

Steps to reproduce:

  1. Install Canvas on Ubuntu 20.04 using the Docker method provided
  2. Run a vulnerability scan

Expected behavior:

No critical or high CVE bugs introduced

Actual behavior:

Critical vulnerability reported: https://ubuntu.com/security/notices/USN-5896-1

Additional notes:

Can ruby-rack 3.? be used instead of 2.? without causing issues? If so, can the Docker container be updated to reflect it? If this is the wrong place to report/discuss this, I couldn't find anywhere else.

AverseABFun commented 7 months ago

I haven't really done anything with Canvas, but I think you need to follow the security policy.

ccutrer commented 6 months ago

https://github.com/instructure/canvas-lms/commit/4faf94fda3128228ddb2c718db045c7c6ffd063c updates to the latest rack that addresses security issues. If you don't trust that Rack 2.2.8.1 properly addressed them, but 3.0.9.1 does, then you can enable Rails 7.1 support by doing echo 7.1 > config/RAILS_VERSION. Note that Rails 7.1 is not yet enabled by default, but as of the current master branch all tests are passing.