slatedocs / slate

Beautiful static documentation for your API
https://slatedocs.github.io/slate
Apache License 2.0

Slate docs uses insecure version of kramdown gem #1303

Closed. elloboblanco closed this issue 4 years ago.

elloboblanco commented 4 years ago

Bug Description

Slate repo suffers from CVE-2020-14001: Unintended read access in kramdown gem

This Slate repo uses kramdown 1.17 and the Middleman gem in this library uses kramdown 1.2. Please patch this vulnerability by updating kramdown and middleman gems in the Slate repo.

Middleman has patched their vulnerability in this commit https://github.com/middleman/middleman/commit/d7f0ed06d3bf10bd8bb7f9abfda87fcdfbb3c363

MasterOdin commented 4 years ago

I've opened a PR to update middleman within slate, and to cut a new 2.7.1 release with that change, in lieu of waiting for the 2.8.0 release, if just to help people avoid the big yellow warning bar that will show up at the top of a repo.

However, it should be noted that slate does not use kramdown for parsing out of the box, rather it utilizes the redcarpet library, and so the vast majority of current users are probably unaffected (like TSheetsTeam/api_docs).
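The two comments above turn on which kramdown a given Slate checkout actually resolves (the report names kramdown 1.17 in Slate and 1.2 via Middleman; the reply notes the default engine is redcarpet). The following is an added example, not code from Slate or Middleman: it reads the resolved versions out of a Gemfile.lock and flags gems below a caller-supplied minimum. The lock fragment is constructed, and the minimum version passed in the usage comes from the kramdown advisory, not from this thread.

```ruby
# Added example (not Slate's or Middleman's own code): read the resolved gem
# versions out of a Gemfile.lock and flag any that fall below a minimum
# patched version. Gemfile.lock spec lines look like "    kramdown (1.17.0)";
# dependency lines underneath a spec are indented two spaces deeper.
require 'rubygems'

# Constructed sample lock fragment mirroring the versions named in the issue:
# Slate pins kramdown 1.17 while Middleman declares a kramdown ~> 1.2 dependency.
# The middleman and redcarpet version numbers here are placeholders.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      kramdown (1.17.0)
      middleman (4.3.7)
        kramdown (~> 1.2)
      redcarpet (3.5.0)
LOCK

# Map gem name => Gem::Version for every resolved spec (exactly four leading
# spaces, then "name (version)"); deeper-indented dependency lines are skipped.
def resolved_versions(lock_text)
  lock_text.each_line.each_with_object({}) do |line, out|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      out[m[1]] = Gem::Version.new(m[2])
    end
  end
end

# Return the gems whose resolved version is below the required minimum.
# `minimums` maps gem name => minimum fixed version and is supplied by the
# caller from the relevant advisory; gems absent from the lock are ignored.
def outdated_gems(lock_text, minimums)
  versions = resolved_versions(lock_text)
  minimums.each_with_object({}) do |(name, min), out|
    v = versions[name]
    next unless v && v < Gem::Version.new(min)
    out[name] = { resolved: v.to_s, minimum: min }
  end
end

if $PROGRAM_NAME == __FILE__
  # Minimum taken from the kramdown advisory for CVE-2020-14001 (not stated
  # in this thread); a real run would read File.read('Gemfile.lock') instead.
  outdated_gems(SAMPLE_LOCK, 'kramdown' => '2.3.0').each do |gem, info|
    puts "#{gem}: resolved #{info[:resolved]}, need >= #{info[:minimum]}"
  end
end
```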

MasterOdin commented 4 years ago

2.7.1 released, and the security notice from GH is no more.