v3.4.4 security patch for v3.4.0? #322

Open
ywenc opened this issue Oct 28, 2022 · 1 comment

ywenc commented Oct 28, 2022

Hello!

Looks like v3.4.4 patched a security vulnerability from parsing the API key.

I'd love to upgrade our own version of gibbon (we're on v2) to get the security update. But, I noticed that gibbon has dropped support for faraday <1 as of gibbon v3.4.1. faraday ends up touching lots of things, so upgrading is looking like a big lift.

And so, would it be possible to release a security patch for gibbon v3.4.0, which is the last version that supports faraday <1? I noticed that gibbon doesn't have branches for past releases, or I'd also be happy to make a PR, or let me know if I can help in any way.

Thank you so much!

Owner

amro commented Oct 28, 2022

Hi @ywenc. I would be glad to release it, yes, and would sincerely appreciate your putting together a PR as things are a bit busy for me at work right now. Thanks!

I should note that issue only applies if you're accepting API keys via a form or something. I recommend validating them on entry if you are anyway.
