keygen-sh / keygen-api

Keygen is a fair source software licensing and distribution API built with Ruby on Rails. For developers, by developers.
https://keygen.sh

Fix vulnerabilities from used libraries #769

Closed MarkusGnigler closed 7 months ago

MarkusGnigler commented 7 months ago

Removed for violating project security policy.

ezekg commented 7 months ago

Please do not use GitHub issues to report vulnerabilities. Instead follow our vulnerability reporting procedure: SECURITY.md. Many of these are not applicable to the project, simply due to the fact that the vulnerable code is not used. Please only report vulnerabilities that can manifest in the project.

MarkusGnigler commented 7 months ago

It was more a question of whether it was possible to update the libraries, not a concrete vulnerability.

The question remains, is it possible to update at least the libraries with a critical CVE?

Thanks for your quick reply!

ezekg commented 7 months ago

Yes. You can build the Dockerfile yourself to pull in the latest dependencies (but understand the risks associated with running edge software). We follow a semiannual release schedule for our self-hosted API, and security updates of dependencies are included in those releases every 6 months.

MarkusGnigler commented 7 months ago

Thanks for the hint. I guess I can wait for a new release.

Just for my understanding: I'm not sure if this is fixable in the Dockerfile. Are the library versions not defined in the Gemfile?
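The two points the thread turns on are where a Rails project's resolved library versions live (Gemfile.lock, not the Dockerfile) and that an advisory only matters if the affected gem is actually present in the project. The script below is an added example, not code from this issue or from the Keygen project: it parses a constructed Gemfile.lock excerpt, checks each resolved gem against a constructed advisory list with placeholder identifiers (not real CVEs), and reports only the advisories whose gem is present and whose locked version falls outside every patched range. The gem names, versions and advisory ranges are assumptions chosen for illustration; a real workflow would use bundler-audit against ruby-advisory-db instead of a hand-written feed.

```python
import re
from dataclasses import dataclass

# Constructed Gemfile.lock excerpt; gem names and versions are illustrative only.
SAMPLE_LOCKFILE = """\
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (7.0.4)
      activesupport (= 7.0.4)
      rack (~> 2.0, >= 2.2.0)
    activesupport (7.0.4)
      i18n (>= 1.6, < 2)
    nokogiri (1.13.6-x86_64-linux)
      racc (~> 1.4)
    rack (2.2.4)
    racc (1.6.2)

PLATFORMS
  x86_64-linux

DEPENDENCIES
  actionpack
  nokogiri
  rack

BUNDLED WITH
   2.3.26
"""

# Constructed advisory feed. The ids and patched ranges are placeholders, not real
# advisories; a real tool would load these from ruby-advisory-db or a similar source.
SAMPLE_ADVISORIES = [
    {"gem": "rack", "id": "PLACEHOLDER-ADV-001", "severity": "critical", "patched": [">= 2.2.7", "~> 3.0.5"]},
    {"gem": "nokogiri", "id": "PLACEHOLDER-ADV-002", "severity": "high", "patched": [">= 1.13.6"]},
    {"gem": "racc", "id": "PLACEHOLDER-ADV-003", "severity": "low", "patched": ["~> 1.6.0"]},
]

# Exactly four leading spaces marks a resolved gem; six-space lines are its dependencies.
SPEC_RE = re.compile(r"^    (\S+) \(([^)]+)\)$")


def parse_lockfile(text):
    """Return {gem_name: version} for every resolved gem in the GEM/specs section."""
    gems = {}
    in_gem, in_specs = False, False
    for line in text.splitlines():
        if not line.startswith(" "):
            # Top-level section header (GEM, PLATFORMS, ...) or a blank line ends the current block.
            in_gem, in_specs = line == "GEM", False
            continue
        if in_gem and line.strip() == "specs:":
            in_specs = True
            continue
        if in_gem and in_specs:
            m = SPEC_RE.match(line)
            if m:
                # Drop a platform suffix such as -x86_64-linux before comparing versions.
                gems[m.group(1)] = m.group(2).split("-")[0]
    return gems


def version_key(v):
    """Numeric tuple for comparison; non-numeric segments (pre-releases) are simplified to -1."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def satisfies(version, requirement):
    """Evaluate one RubyGems-style requirement such as '>= 2.2.7' or '~> 3.0.5'."""
    op, target = requirement.split()
    v, t = version_key(version), version_key(target)
    if op == ">=":
        return v >= t
    if op == ">":
        return v > t
    if op == "<":
        return v < t
    if op == "<=":
        return v <= t
    if op == "=":
        return v == t
    if op == "~>":
        # Pessimistic operator: >= target and < (target with its last segment dropped, previous one bumped).
        upper = t[:-2] + (t[-2] + 1,) if len(t) > 1 else (t[0] + 1,)
        return t <= v < upper
    raise ValueError(f"unsupported operator {op!r}")


@dataclass
class Finding:
    gem: str
    version: str
    advisory_id: str
    severity: str
    patched: list


def audit(lockfile_text, advisories, min_severity=None):
    """Flag gems present in the lockfile whose version satisfies none of an advisory's patched ranges."""
    gems = parse_lockfile(lockfile_text)
    order = ["low", "medium", "high", "critical"]
    findings = []
    for adv in advisories:
        version = gems.get(adv["gem"])
        if version is None:
            continue  # gem not in this lockfile: the advisory does not apply to the project
        if min_severity and order.index(adv["severity"]) < order.index(min_severity):
            continue
        if not any(satisfies(version, req) for req in adv["patched"]):
            findings.append(Finding(adv["gem"], version, adv["id"], adv["severity"], adv["patched"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES):
        print(f"{f.severity.upper():8} {f.gem} {f.version} ({f.advisory_id}); fix by satisfying one of {f.patched}")
```

On the sample data only rack is reported: nokogiri and racc are present but already at patched versions, so the advisories for them do not manifest. Because `bundle install` honours Gemfile.lock, rebuilding an image does not by itself change these versions; the lockfile has to be re-resolved (for example with `bundle update`) for a rebuild to pick up newer gems.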

ezekg commented 7 months ago

Please report these to security@keygen.sh and we can continue discussion there.