
Update patched versions for mail gem vulnerability OSVDB-131677 #292

Merged (1 commit), Jun 12, 2017

Conversation

cjlarose
Contributor

See mikel/mail#1097 and https://hackerone.com/reports/137631

The vulnerability seems to have actually been addressed by versions 2.5.5 and 2.6.6. Please verify that my patched_versions specifiers reflect this correctly.

@@ -16,4 +16,5 @@ description: |
Recipient Email Addresses." 2015. The attacks described in the paper (Terada,
p. 4) can be applied to the library without any modification.
patched_versions:
- ">= 2.6.0"
- "~> 2.5.5"
- ">= 2.6.6"
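Review bot: with `~> 2.5.5` and `>= 2.6.6` as the only entries, releases 2.6.0 through 2.6.5 stay classified as vulnerable; the review comment in this thread states those releases are unaffected by a side effect of a separate change, so the single entry `>= 2.5.5` would match the non-vulnerable set and make the `>= 2.6.6` line redundant. Note also that the rendered hunk has lost the `+`/`-` markers in front of the YAML list items, so only the header (`-16,4 +16,5`) shows that `">= 2.6.0"` was removed and the two lines below it added; confirm against the raw patch before merging.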
Contributor


>= 2.5.5 is sufficient. 2.6.0-4 are unaffected due to a coincidental side effect of a separate change.

@jeremy
Contributor

jeremy commented Jun 10, 2017

References #215

@jeremyolliver
Contributor

I don't think >= 2.5.5 as the only specifier is correct, given that 2.5.5 and 2.6.6 are the patched versions, as it would incorrectly mark 2.6.0 through to 2.6.5 as "fixed", but they don't include the patch. I think this would be more appropriate:

patched_versions:
- "~> 2.5.5"
- ">= 2.6.6"

@jeremy
Contributor

jeremy commented Jun 12, 2017

@jeremyolliver 2.6.0+ do not include the explicit fix, but they are unaffected due to a coincidental side effect of a different change. So >= 2.5.5 does cover the versions which are not vulnerable.
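The disagreement above is about how RubyGems version requirements combine: `~> 2.5.5` means `>= 2.5.5, < 2.6.0`, so the two-entry list leaves 2.6.0 through 2.6.5 outside every specifier, while a single `>= 2.5.5` covers them. The script below is an added example (not part of this PR or the ruby-advisory-db project) that evaluates both candidate `patched_versions` lists against a constructed set of mail gem version strings using `Gem::Requirement`. It assumes the any-of semantics that consumers such as bundler-audit apply when deciding whether a version is patched; the version list is made up for illustration, not pulled from the gem index.

```ruby
require "rubygems"

# The two candidate patched_versions lists from this PR thread, as plain
# Ruby arrays (the advisory file itself is YAML).
PROPOSED_SPECIFIERS = ["~> 2.5.5", ">= 2.6.6"].freeze
SINGLE_SPECIFIER    = [">= 2.5.5"].freeze

# Constructed sample of mail gem versions to classify (not a gem index query).
SAMPLE_VERSIONS = %w[2.5.4 2.5.5 2.5.6 2.6.0 2.6.3 2.6.5 2.6.6 2.7.0].freeze

# A version counts as patched if it satisfies ANY entry in patched_versions.
# Assumption: this any-of rule is how advisory consumers such as bundler-audit
# evaluate the list; the specifier arithmetic itself is plain Gem::Requirement.
def patched?(version, specifiers)
  v = Gem::Version.new(version)
  specifiers.any? { |spec| Gem::Requirement.new(spec).satisfied_by?(v) }
end

# Split a version list into [patched, still_vulnerable] under a specifier list.
def classify(specifiers, versions = SAMPLE_VERSIONS)
  versions.partition { |ver| patched?(ver, specifiers) }
end

# Versions on which two specifier lists give different answers.
def disagreement(spec_a, spec_b, versions = SAMPLE_VERSIONS)
  versions.select { |ver| patched?(ver, spec_a) != patched?(ver, spec_b) }
end

if $PROGRAM_NAME == __FILE__
  [["proposed", PROPOSED_SPECIFIERS], ["single", SINGLE_SPECIFIER]].each do |name, specs|
    patched, vulnerable = classify(specs)
    puts "#{name.ljust(8)} #{specs.inspect}"
    puts "  patched:    #{patched.join(' ')}"
    puts "  vulnerable: #{vulnerable.join(' ')}"
  end
  puts "differ on: #{disagreement(PROPOSED_SPECIFIERS, SINGLE_SPECIFIER).join(' ')}"
end
```

Running it shows the two lists agree everywhere except 2.6.0, 2.6.3 and 2.6.5, which the two-entry list flags as vulnerable and the single `>= 2.5.5` entry treats as patched; which of those is right is the question settled by the maintainer's statement above, not by the operator arithmetic.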

@phillmv
Member

phillmv commented Jun 12, 2017

Excellent, thank you all very kindly.


4 participants