Sidekiq 6 release for CVE 2023-26141

[colszowka]

In a similar vein to #5167, I wonder if there will be a Sidekiq 6 patch release for rubysec/ruby-advisory-db#705 ?

According to the cited https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a in the ruby advisory db the 6 branch is also affected, and we're still stuck on 6 due to the ongoing issue with Redis Cloud not supporting HELLO command and hence blocking upgrades to Sidekiq 7

[mperham]

It's my opinion that the CVE is wildly overrated. There's no known threat or real world example of an exploit here. I'm in no rush to push out a 6.X release.

[colszowka]

Hey @mperham, thanks for the quick response. To be honest I'm also a bit puzzled by the CVE since I don't quite get how changing this value locally to some value that might lead to a DoS differs from running a ton of manual requests against the site (unless somebody can somehow manipulate the local storage value somehow due to being able to host custom JS on the same domain and then coercing users to load that)

Regardless though, we have the bundle-audit gem as part of our CI pipeline and for now after assessing the report have put this particular CVE to our ignore list for the time being, but I don't want to establish poor practices of just ignoring security-related alerts in general so I'd rather be able to get rid of the manual ignore file sooner than later 🌞

Eventually hopefully we will also be able to finally move to redis and by consequence sidekiq 7, once Redis Cloud have sorted out their thing.