Ruby bindings: Security vulnerability in rubyzip 1.2.1 #6330
Comments
I'll keep an eye on the RubyZip issue and will bump the version once there is a fix. Thank you for the report!
rubyzip/rubyzip#371 is now marked as Merged, is this ready to be updated?
@soundasleep You can update RubyZip by yourself - Selenium needs @rhymes I feel like I should just keep the desired version as-is and not update it to
@p0deje the default on https://rubygems.org/gems/rubyzip has become
Thank you!
@p0deje Are you gonna update the GEM located at
@msdundar it will be updated when we do a new release. There has not been a new release since the change was made.
Just FYI
I know it sounds like a deja-vu because of #3728 but there's actually a separate issue with the library on version 1.2.1 listed on the NIST db: CVE-2018-1000544
The patch is not out yet but this is the thread where they are discussing it on rubyzip repo: rubyzip/rubyzip#371
I tried to see if there's an alternative for this library but there doesn't seem to be any, so even switching libraries (its usage is quite contained in the Ruby bindings) is not an option.