Project

General

Profile

Actions
Copy link

Bug #16469

closed

Triage github security alerts

Added by Peter Amstutz almost 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Assigned To:
Lucas Di Pentima
Category:
API
Target version:
2020-06-03 Sprint
Story points:
-

Related issues

Related to Arvados - Bug #16470: Update to Rails 5.2ResolvedLucas Di Pentima08/05/2020Actions
Actions
Copy link
 #1

Updated by Peter Amstutz almost 4 years ago

  • Status changed from New to In Progress
Actions
Copy link
 #2

Updated by Lucas Di Pentima almost 4 years ago

I believe we don't need to do anything at this time, because:

  • CVE-2020-8164 (Possible Strong Parameters Bypass in ActionPack): I haven't found any occurrence of code using each, each_pair or each_value on params.
  • CVE-2020-8166 (Ability to forge per-form CSRF tokens in Rails): Is a low severity issue and no workarounds are offered, just to upgrade whenever possible.
  • CVE-2020-8165 (Unintended unmarshalling in ActiveSupport): Is about MemCacheStore and RedisCacheStore, which we don't use.
Actions
Copy link
 #3

Updated by Peter Amstutz almost 4 years ago

  • Related to Bug #16470: Update to Rails 5.2 added
Actions
Copy link
 #4

Updated by Lucas Di Pentima almost 4 years ago

  • Status changed from In Progress to Closed

We'll be updating rails to at least 5.2 soon.

Actions
Copy link

Also available in: Atom PDF