lawrencepit / ruby-saml-idp

SAML Identity Provider library in ruby
MIT License
137 stars 102 forks

SECURITY: Update ruby-saml gem dependency to 1.7 to patch new SAML vulnerability #28

Closed ranierorusso closed 6 years ago

ranierorusso commented 6 years ago

OneLogin just alerted its users to a new SAML vulnerability. They have already patched their ruby-saml gem in version 1.7 and this gem should now be referencing that version (https://github.com/lawrencepit/ruby-saml-idp/blob/728fd8b579c567404b6f76ca8583445000f5b234/ruby-saml-idp.gemspec#L30).

Here's the patch in onelogin/ruby-saml: https://github.com/onelogin/ruby-saml/commit/048a544730930f86e46804387a6b6fad50d8176f

I can open a PR for this change if you'd like but hopefully this can get patched as soon as possible!

Thank you.

uberspot commented 6 years ago

+1 👍
This should be updated asap.

lawrencepit commented 6 years ago

This gem does not have a dependency on the ruby-saml gem, only a development dependency to run the tests.
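The distinction drawn in the previous comment (runtime dependency versus development dependency) is the thing a maintainer or downstream user actually needs to verify when an advisory like this lands: a gem that only pulls ruby-saml in for its test suite does not ship the vulnerable code to consumers. The following Ruby is an added example, not code from ruby-saml-idp or from anyone in this thread; it inspects constructed, in-memory gemspecs rather than the project's real one, and the `dependency_report` and `lower_bound` helpers are hypothetical names chosen here.

```ruby
require 'rubygems'

# Constructed gemspec mirroring the situation in the thread: ruby-saml appears
# only as a development dependency, pinned at or above the patched release.
# This is NOT the project's real gemspec.
DEV_ONLY_SPEC = Gem::Specification.new do |s|
  s.name    = 'example-saml-idp'
  s.version = '0.0.1'
  s.summary = 'constructed example'
  s.authors = ['example']
  s.add_development_dependency 'ruby-saml', '~> 1.7'
  s.add_runtime_dependency 'nokogiri', '>= 1.8'
end

# Constructed counter-example: ruby-saml as a runtime dependency whose
# requirement still admits releases older than the fix.
RUNTIME_OLD_SPEC = Gem::Specification.new do |s|
  s.name    = 'example-saml-consumer'
  s.version = '0.0.1'
  s.summary = 'constructed example'
  s.authors = ['example']
  s.add_runtime_dependency 'ruby-saml', '>= 1.4'
end

# Lowest version a Gem::Requirement can resolve to, or nil when the
# requirement has no lower bound ('< 2.0' alone, or no constraint at all).
# '>' is treated as its stated version, which is conservative: '> 1.6.9'
# is reported as not guaranteeing 1.7.
def lower_bound(requirement)
  bounds = requirement.requirements
                      .select { |op, _| %w[>= > ~> =].include?(op) }
                      .map    { |_, version| version }
  bounds.max
end

# For every declaration of gem_name in spec, report whether it is a runtime or
# development dependency and whether its requirement guarantees a version at
# or above fixed_version.
def dependency_report(spec, gem_name, fixed_version)
  fixed = Gem::Version.new(fixed_version)
  report = []
  { runtime: spec.runtime_dependencies,
    development: spec.development_dependencies }.each do |kind, deps|
    deps.select { |d| d.name == gem_name }.each do |d|
      lb = lower_bound(d.requirement)
      report << {
        kind: kind,
        requirement: d.requirement.to_s,
        patched: !lb.nil? && lb >= fixed
      }
    end
  end
  report
end

if $PROGRAM_NAME == __FILE__
  [DEV_ONLY_SPEC, RUNTIME_OLD_SPEC].each do |spec|
    puts "#{spec.name}: #{dependency_report(spec, 'ruby-saml', '1.7').inspect}"
  end
end
```

Run against a real gemspec with `Gem::Specification.load('path/to/x.gemspec')` in place of the constructed objects; a `:development` entry with `patched: true` matches the situation described in this thread, while a `:runtime` entry with `patched: false` is the case that warrants a release.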

lawrencepit commented 6 years ago

Pushed v0.3.5