Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade yard to version 0.9.11 or later #13

Closed
emma5678 opened this issue Feb 12, 2019 · 3 comments
Closed

Upgrade yard to version 0.9.11 or later #13

emma5678 opened this issue Feb 12, 2019 · 3 comments
Labels
high severity vulnerability

Comments

@emma5678
Copy link

emma5678 commented Feb 12, 2019
edited
Loading

yard vulnerability has been present in penthouse.gemspec since Dec 2017. We need to upgrade to 0.9.11 or later.

This needs to be complete by April 2019.

Due to time passed, I would suggest updating to the very latest version, if greater than 0.9.11, unless an issue is identified with doing so.

Vulnerability details:

lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.
@emma5678 emma5678 mentioned this issue Feb 12, 2019
Open
@emma5678
Copy link
Author

@ryantownsend @krisquigley can this be addressed please.

@emma5678
Copy link
Author

emma5678 commented Sep 9, 2019

@ryantownsend @krisquigley can this ticket be prioritised please

@simonireilly
Copy link

Closed by #16 we no longer have a Gemfile.lock version pinning yard. The security dependency management is now in the vendor installing the gem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
high severity vulnerability
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@simonireilly @emma5678