Closed milda-a closed 4 months ago
Hey, thanks for raising.
Unfortunately openssl 3.1.0 gem is a default gem installed with Ruby so we would need a 3.2.4 release of Ruby containing the updated default gem
https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
Same news for 3.3.0 - as it contains openssl 3.2.0 default gem.
You may wish to raise a separate issue upstream with the ruby team, if one hasn't already been raised. Once a release is out, we can package it with traveling-ruby and consume it in this project.
I've updated the rack gem. We would need to check the upstream pact ruby project's rack deps, update and test if required, before we can unpin from v2.x in pact-ruby-standalone
You may want to raise a separate issue to track the openssl issue, as this one will be closed with the rack release.
Pre issue-raising checklist
I have already (please mark the applicable with an
x
):Software versions
Expected behaviour
Vulnerabilities fixed by updating the used rack version. Current version: 2.2.8 Versions with fix: 2.2.8.1, 3.0.9.1 Vulnerabilities fixed by updating the used openssl version. Current version 3.1.0 Versions with fix: 3.1.5, 3.2.1
Actual behaviour
High vulnerabilities raised in /home/builder/deps/pact/lib/vendor/ruby/3.2.0/specifications/rack-2.2.8.gemspec Warn vulnerabilities raised in /home/builder/deps/pact/lib/ruby/lib/ruby/gems/3.2.0/specifications/default/openssl-3.1.0.gemspec
Steps to reproduce
Run software as normal. Vulnerabilities spotted through internal image scanning which includes the pact standalone binaries.