Selenium: Ruby bindings: Security vulnerability in rubyzip 1.2.1

Created on 25 Aug 2018 · 7 comments · Source: SeleniumHQ/selenium

Just FYI

I know it sounds like déjà vu because of https://github.com/SeleniumHQ/selenium/issues/3728, but there's actually a separate issue with the library on version 1.2.1 listed on the NIST db: CVE-2018-1000544

The patch is not out yet but this is the thread where they are discussing it on rubyzip repo: https://github.com/rubyzip/rubyzip/pull/371

I tried to see if there's an alternative for this library, but there doesn't seem to be any, so even switching libraries (its usage is quite contained in the Ruby bindings) is not an option.

C-rb

All 7 comments

I'll keep an eye on the RubyZip issue and will bump the version once there is a fix. Thank you for the report!

https://github.com/rubyzip/rubyzip/pull/371 is now marked as Merged, is this ready to be updated?

@soundasleep You can update RubyZip by yourself - Selenium needs ~> 1.2 so 1.2.2 works just fine. Just do bundle update rubyzip.

@rhymes I feel like I should just keep the desired version as-is and not update it to >= 1.2.2. Do you have any objections? @titusfortner @lmtierney What do you guys think?

@p0deje the default on https://rubygems.org/gems/rubyzip has become gem 'rubyzip', '~> 1.2', '>= 1.2.2'. I would consider using that.
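The two comments above turn on a detail worth seeing in code: a pessimistic constraint such as ~> 1.2 admits 1.2.1, so it does not by itself keep the reported version out of a resolved bundle, whereas ~> 1.2, >= 1.2.2 does. The following added example (written for this page, not code from the Selenium or rubyzip projects) uses Ruby's bundled Gem::Requirement and Gem::Version to show which versions each constraint admits, and reads the locked rubyzip version out of a constructed Gemfile.lock fragment. The cut-off of 1.2.2 as the first non-affected release is an assumption taken from the thread's own statements; the Gemfile.lock content and the list of available versions are constructed for illustration.

```ruby
#!/usr/bin/env ruby
# Added example, not Selenium or rubyzip project code.
# Gem::Version and Gem::Requirement ship with Ruby, so no extra gem is needed.
require "rubygems"

# Constraint the thread says selenium-webdriver declares for rubyzip.
SELENIUM_CONSTRAINT = ["~> 1.2"].freeze
# Constraint rubygems.org suggested for rubyzip once 1.2.2 was out.
RUBYGEMS_CONSTRAINT = ["~> 1.2", ">= 1.2.2"].freeze
# Assumption taken from the thread: releases before 1.2.2 are the affected
# ones, since the commenters treat 1.2.2 as the fixed release.
FIRST_FIXED = Gem::Version.new("1.2.2")

# True when +version+ is one the thread treats as affected.
def affected?(version)
  Gem::Version.new(version) < FIRST_FIXED
end

# True when a gemspec constraint (array of requirement strings) admits +version+.
def admitted?(constraint, version)
  Gem::Requirement.new(*constraint).satisfied_by?(Gem::Version.new(version))
end

# Of the versions a resolver could pick under +constraint+, return those that
# are affected. Empty means the constraint alone keeps the affected releases
# out; non-empty means only the lockfile (or `bundle update rubyzip`) decides.
def affected_versions_admitted(constraint, available)
  available.select { |v| admitted?(constraint, v) && affected?(v) }
end

# Pull the resolved version of +gem_name+ out of Gemfile.lock text. Resolved
# gems appear under "specs:" as "    name (version)" with a four-space indent;
# dependency lines sit one level deeper, so the exact indent excludes them.
def locked_version(lockfile_text, gem_name = "rubyzip")
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Constructed Gemfile.lock fragment for illustration (not from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      childprocess (0.9.0)
        ffi (~> 1.0, >= 1.0.11)
      ffi (1.9.25)
      rubyzip (1.2.1)
      selenium-webdriver (3.14.0)
        childprocess (~> 0.5)
        rubyzip (~> 1.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    selenium-webdriver
LOCK

if __FILE__ == $PROGRAM_NAME
  # Constructed list of candidate releases a resolver might see.
  available = %w[1.1.7 1.2.0 1.2.1 1.2.2]
  puts "~> 1.2 admits affected releases: " \
       "#{affected_versions_admitted(SELENIUM_CONSTRAINT, available).inspect}"
  puts "~> 1.2, >= 1.2.2 admits affected releases: " \
       "#{affected_versions_admitted(RUBYGEMS_CONSTRAINT, available).inspect}"
  locked = locked_version(SAMPLE_LOCKFILE)
  status = affected?(locked) ? "affected, run `bundle update rubyzip`" : "ok"
  puts "locked rubyzip #{locked}: #{status}"
end
```

Run it against a real project by replacing SAMPLE_LOCKFILE with File.read("Gemfile.lock"): the constraint check tells you whether the gemspec protects downstream users on a fresh resolve, and the lockfile check tells you whether this particular checkout is still on the reported version.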

Thank you!

@p0deje Are you gonna update the GEM located at rubygems.org? Because it seems like it's still referencing the old version of rubyzip.

@msdundar it will be updated when we do a new release. There has not been a new release since the change was made.
