Upgrade to Paperclip 5.2.0 #8558

jankeesvw · 2018-01-24T13:33:47Z

This addresses CVE-2017-0889

Paperclip ruby gem version 3.1.4 and later suffers from
a Server-SIde Request Forgery (SSRF) vulnerability in
the Paperclip::UriAdapter class. Attackers may be able
to access information about internal network resources.

This addresses CVE-2017-0889 Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources. https://nvd.nist.gov/vuln/detail/CVE-2017-0889

bbonislawski · 2018-01-24T13:37:30Z

Thanks @jankeesvw for contribution. I'll merge it as soon as tests will pass

jankeesvw · 2018-01-24T13:47:58Z

Thanks for the quick action @bbonislawski ❤️

bbonislawski · 2018-01-24T13:50:54Z

@jankeesvw I've created backport for 3-3 and 3-4. How does situation look with paperclip 4.x?(Spree 3.1 and 3.2 are linked to 4.x)?

jankeesvw · 2018-01-24T13:53:11Z

There is no patch for Paperclip 4.x yet as far as I know, I referenced the pull request which fixed this CVE in the body of this PR.

bbonislawski merged commit 71c9b11 into spree:master Jan 24, 2018

jankeesvw deleted the patch-1 branch January 24, 2018 13:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade to Paperclip 5.2.0 #8558

Upgrade to Paperclip 5.2.0 #8558

jankeesvw commented Jan 24, 2018 •

edited

bbonislawski commented Jan 24, 2018

jankeesvw commented Jan 24, 2018

bbonislawski commented Jan 24, 2018

jankeesvw commented Jan 24, 2018

Upgrade to Paperclip 5.2.0 #8558

Upgrade to Paperclip 5.2.0 #8558

Conversation

jankeesvw commented Jan 24, 2018 • edited

bbonislawski commented Jan 24, 2018

jankeesvw commented Jan 24, 2018

bbonislawski commented Jan 24, 2018

jankeesvw commented Jan 24, 2018

jankeesvw commented Jan 24, 2018 •

edited