Just released bundler-audit 0.9.3, which officially adds support for Ruby 3.4, 3.5, 4.0, and Bundler 4.x.
https://github.com/rubysec/bundler-audit/releases/tag/v0.9.3
https://github.com/rubysec/bundler-audit#readme
Released bundler-audit 0.9.2 fixing a few minor issues.
https://github.com/rubysec/bundler-audit/releases/tag/v0.9.2
https://github.com/rubysec/bundler-audit#readme
A bumpy week adding/updating advisories from GHSA to ruby-advisory-db. The recent Rails XSS and Rack ReDoS advisories didn't show up in GHSA immediately, so I had to manually add those to ruby-advisory-db from the Rails Forum where they now post security advisories.
Now a rack-cors package file permission advisory (CVE-2024-27456) claimed to affect all versions, but after closer inspection (only a few hours ago!) of the .gem packages it only affects version 2.0.1. Thankfully people submitted PRs to ruby-advisory-db so bundler-audit will no longer erroneously flag rack-cors < 2.0.1. I submitted a PR back to GHSA to update the rack-cors advisory information. Teamwork makes the dream work.
Sorry everyone for the CI disruptions.
https://github.com/github/advisory-database/pull/3751
#ghsa #rubysec #bundleraudit #ruby
Description I have identified an issue with insecure file permissions in the rack-cors Ruby gem, starting from version 2.0.1. Previous versions of the gem do not exhibit this problem. The files are...
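To make the rack-cors correction above concrete, here is an added example (not code from bundler-audit or ruby-advisory-db) showing how an advisory's version ranges decide which gem versions get flagged. The two advisory records are constructed in the ruby-advisory-db YAML layout (gem, cve, title, patched_versions, unaffected_versions) purely for illustration; they are not the real gems/rack-cors/CVE-2024-27456.yml, and the matching logic is a stand-alone reimplementation of the "vulnerable unless unaffected or patched" rule on top of RubyGems' Gem::Requirement, not bundler-audit's own code.

```ruby
require "rubygems"
require "yaml"

# Constructed advisory record in the ruby-advisory-db YAML layout, as the
# advisory was originally published: no version range is excluded, so every
# version of the gem is treated as vulnerable. Illustrative data only.
ORIGINAL_ADVISORY = <<~YAML
  gem: rack-cors
  cve: 2024-27456
  title: Insecure file permissions in rack-cors (every version flagged)
  patched_versions: []
  unaffected_versions: []
YAML

# Constructed record after the correction: only 2.0.1 ships with the bad
# permissions, so everything below and above it is listed as unaffected.
CORRECTED_ADVISORY = <<~YAML
  gem: rack-cors
  cve: 2024-27456
  title: Insecure file permissions in rack-cors 2.0.1 (only 2.0.1 flagged)
  patched_versions: []
  unaffected_versions:
    - "< 2.0.1"
    - "> 2.0.1"
YAML

# Does any constraint entry match +version+? One entry may carry several
# comma-separated requirements, e.g. ">= 2.0.0, < 2.1".
def constraint_match?(constraints, version)
  Array(constraints).any? do |entry|
    Gem::Requirement.new(*entry.split(/,\s*/)).satisfied_by?(version)
  end
end

# A version is vulnerable unless it falls inside an unaffected or patched
# range. Same decision rule an advisory scanner applies; reimplemented here.
def vulnerable?(advisory, version_string)
  version = Gem::Version.new(version_string)
  return false if constraint_match?(advisory["unaffected_versions"], version)
  return false if constraint_match?(advisory["patched_versions"], version)
  true
end

# Subset of +versions+ that the advisory (given as YAML text) would flag.
def flagged_versions(advisory_yaml, versions)
  advisory = YAML.safe_load(advisory_yaml)
  versions.select { |v| vulnerable?(advisory, v) }
end

if $PROGRAM_NAME == __FILE__
  sample = %w[1.1.1 2.0.0 2.0.1 2.0.2] # constructed list of installed versions
  puts "original advisory flags:  #{flagged_versions(ORIGINAL_ADVISORY, sample).join(' ')}"
  puts "corrected advisory flags: #{flagged_versions(CORRECTED_ADVISORY, sample).join(' ')}"
end
```

With the original record every sampled version is flagged, which is exactly the spurious CI failure described in the post; with the corrected unaffected_versions ranges only 2.0.1 remains flagged. When triaging an advisory yourself, the check worth doing is the one in the post: open the affected .gem packages and confirm which versions actually carry the defect before trusting a "all versions" claim.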