Bug #16469

Triage github security alerts

Added by Peter Amstutz 12 months ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Assigned To:
Category:
API
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Story points:
-

Related issues

Related to Arvados - Bug #16470: Update to Rails 5.2 (Resolved, 08/05/2020)

History

#1 Updated by Peter Amstutz 12 months ago

  • Status changed from New to In Progress

#2 Updated by Lucas Di Pentima 12 months ago

I believe we don't need to do anything at this time, because:

  • CVE-2020-8164 (Possible Strong Parameters Bypass in ActionPack): I haven't found any occurrence of code using each, each_pair or each_value on params.
  • CVE-2020-8166 (Ability to forge per-form CSRF tokens in Rails): It is a low-severity issue and no workarounds are offered, just upgrading whenever possible.
  • CVE-2020-8165 (Unintended unmarshalling in ActiveSupport): It is about MemCacheStore and RedisCacheStore, which we don't use.
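The first bullet describes a source audit: looking for controller code that iterates over `params` with `each`, `each_pair` or `each_value`, the usage pattern that CVE-2020-8164 concerns. The script below is an added example of how such a check can be automated; it is not part of the Arvados code base or of this issue. It uses a plain regex heuristic over Ruby source (a real audit would also review any true hits by hand), and the controller text it scans is a constructed sample, not Arvados code.

```ruby
# Added audit helper (not Arvados code): report lines that iterate over
# `params` via each / each_pair / each_value, the pattern relevant to
# CVE-2020-8164 (strong parameters bypass in ActionPack).
#
# The regex is a heuristic: it follows `params` through optional index and
# method-call chains (params[:x], params.require(:x)) and matches only when
# the chain ends in one of the three iteration methods.
PARAMS_ITERATION = /\bparams(?:\[[^\]]*\]|\.[a-z_]+\([^)]*\)|\.[a-z_]+)*\.(each|each_pair|each_value)\b/

# Scan one file's contents; returns an array of finding hashes.
def find_params_iteration(source, filename = "(string)")
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?("#") # skip comment-only lines
    if (m = PARAMS_ITERATION.match(line))
      findings << { file: filename, line: lineno, method: m[1], text: line.strip }
    end
  end
  findings
end

# Constructed sample controller (not real project code). The single-quoted
# heredoc keeps the "#{k}=" literal from being interpolated here.
SAMPLE_CONTROLLER = <<~'RUBY'
  class ItemsController < ApplicationController
    def create
      # unsafe pattern: each_pair yields unpermitted nested values
      params[:item].each_pair { |k, v| @item.send("#{k}=", v) }
      # safe pattern: explicit permit list, no iteration over params
      @item.update(params.require(:item).permit(:name, :price))
    end

    def index
      params.each_value { |v| logger.debug(v) }
      # params.each is only mentioned in this comment, so it is ignored
    end
  end
RUBY

if __FILE__ == $0
  files = ARGV.empty? ? { "sample_controller.rb" => SAMPLE_CONTROLLER } :
          ARGV.to_h { |path| [path, File.read(path)] }
  files.each do |name, src|
    find_params_iteration(src, name).each do |f|
      puts "#{f[:file]}:#{f[:line]}: params.#{f[:method]} -> #{f[:text]}"
    end
  end
end
```

Run it with no arguments to scan the embedded sample, or pass paths such as `app/controllers/*.rb` to scan a real tree. Only the lines with `each_pair` and `each_value` are reported; the `require(...).permit(...)` line and the commented-out mention are not, which is the distinction the triage comment relies on.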

#3 Updated by Peter Amstutz 12 months ago

  • Related to Bug #16470: Update to Rails 5.2 added

#4 Updated by Lucas Di Pentima 12 months ago

  • Status changed from In Progress to Closed

We'll be updating Rails to at least 5.2 soon.
