Closed MarkusGnigler closed 7 months ago
Please do not use GitHub issues to report vulnerabilities. Instead follow our vulnerability reporting procedure: SECURITY.md. Many of these are not applicable to the project, simply due to the fact that the vulnerable code is not used. Please only report vulnerabilities that can manifest in the project.
It was more a question of whether it was possible to update the libraries, not a concrete vulnerability.
The question remains: is it possible to update at least the libraries with a critical CVE?
Thanks for your quick reply!
Yes. You can build the Dockerfile yourself to pull in the latest dependencies (but understand the risks associated with running edge software). We follow a semiannual release schedule for our self-hosted API, and security updates of dependencies are included in those releases every 6 months.
Thanks for the hint. I guess I can wait for a new release.
Just for my understanding: I'm not sure if this is fixable in the Dockerfile. Are the library versions not defined in the Gemfile?
Please report these to security@keygen.sh and we can continue discussion there.
Removed for violating project security policy.