rubyzip 1.2.1 dependency is shown to have security vulnerabilities. #599
Labels
Done in caxlsx
This has already been solved in the caxlsx fork.
Comments
waterjump
added a commit
to mes/axlsx
that referenced
this issue
Sep 7, 2018
The rubyzip gem version 1.2.1 contains a security vulnerability allowing absolute path traversal. More details can be found here: rubyzip/rubyzip#369 This change addresses the issue by specifying a rubyzip version greater than or equal to 1.2.2. Solves issue randym#599
|
Rubyzip is now released at 1.2.2 on Rubygems.org which resolves this vulnerability, according to bundler audit. |
|
See #536. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
To follow up on this issue, rubyzip 1.2.1 is now also shown to have security vulnerabilities. See details here: rubyzip/rubyzip#369
Solution: Disable rubyzip or apply a patch whenever one becomes available.
The text was updated successfully, but these errors were encountered: