search

vmware-archive / cf-redis-release

BOSH release for a Cloud Foundry Redis service broker that supports shared-vm plans
https://bosh.io/releases/github.com/pivotal-cf/cf-redis-release
Apache License 2.0
19 stars 35 forks source link

[Security] Bump yard from 0.9.19 to 0.9.20 #108

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps yard from 0.9.19 to 0.9.20. This update includes security fixes.

Vulnerabilities fixed *Sourced from The GitHub Security Advisory Database.* > **Moderate severity vulnerability that affects yard** > ## Possible arbitrary path traversal and file access via `yard server` > > ### Impact > > A path traversal vulnerability was discovered in YARD <= 0.9.19 when using `yard server` to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. > > Thanks to CuongMX from Viettel Cyber Security for discovering this vulnerability. > > ### Patches > > Please upgrade to YARD v0.9.20 immediately if you are relying on yard server to host documentation in any untrusted environments. > > ### Workarounds > > For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via `yard server -s webrick`), as can certain rules in your webserver configuration. > > Affected versions: < 0.9.20
Release notes *Sourced from [yard's releases](https://github.com/lsegal/yard/releases).* > ## Release v0.9.20 > > [0.9.20]: https://github.com/lsegal/yard/compare/v0.9.19...v0.9.20 > > - Fix parsing of stringified Symbols in Ruby source ([#1256](https://github-redirect.dependabot.com/lsegal/yard/issues/1256)). > - Fix path traversal vulnerability in `yard server`. This bug would allow > unsanitized HTTP requests to access arbitrary files on the machine of a > `yard server` host under certain conditions. Thanks to CuongMX from > Viettel Cyber Security for discovering this vulnerability.
Changelog *Sourced from [yard's changelog](https://github.com/lsegal/yard/blob/master/CHANGELOG.md).* > # 0.9.20 - June 27th, 2019 > > [0.9.20]: https://github.com/lsegal/yard/compare/v0.9.19...v0.9.20 > > - Fix parsing of stringified Symbols in Ruby source ([#1256](https://github-redirect.dependabot.com/lsegal/yard/issues/1256)). > - Fix path traversal vulnerability in `yard server`. This bug would allow > unsanitized HTTP requests to access arbitrary files on the machine of a > `yard server` host under certain conditions. Thanks to CuongMX from > Viettel Cyber Security for discovering this vulnerability.
Commits - [`0320b89`](https://github.com/lsegal/yard/commit/0320b8918cd369385722694546286e6c4d341b07) Tag release v0.9.20 - [`da43056`](https://github.com/lsegal/yard/commit/da43056c43f5ea3567529b14ce55f93dc2e95418) Update changelog - [`01dc2e3`](https://github.com/lsegal/yard/commit/01dc2e31b33604c611cdb9b237ccdb61e873dc27) Add .rubocop.yml back for tooling support - [`9716717`](https://github.com/lsegal/yard/commit/9716717f75e49b6c109a8608701c5b47b4050db3) Fix tests for Ruby <2.6 - [`593973c`](https://github.com/lsegal/yard/commit/593973c2f27ede6cfa39d2f127d230b40fc9762a) Disable rubocop - [`225ded9`](https://github.com/lsegal/yard/commit/225ded9ef38c6d2be5a3b0fc7effbc7d6644768d) Fix parsing of dyna_symbol nodes - [`6d8b9b9`](https://github.com/lsegal/yard/commit/6d8b9b9c71e45fd1c887545b579399931dc2466e) Remove unnecessary debug line - See full diff in [compare view](https://github.com/lsegal/yard/compare/v0.9.19...v0.9.20)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it). To ignore the version in this PR you can just close it - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in the `.dependabot/config.yml` file in this repo: - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.
cf-gitbot commented 5 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.