Support #20325
Review dependabot alerts (closed)
Added by Peter Amstutz over 1 year ago. Updated about 1 year ago.
Updated by Lucas Di Pentima over 1 year ago
- Status changed from New to In Progress
Updated by Lucas Di Pentima over 1 year ago
Reported https://github.com/arvados/arvados/security/dependabot/79 as #20336
Updated by Lucas Di Pentima over 1 year ago
Handling https://github.com/arvados/arvados/security/dependabot/97 by upgrading the rack gem on RailsAPI & WB1.
Update: 1cb23beff - branch 20325-rack-upgrade
Test run: developer-run-tests: #3587
Updated by Lucas Di Pentima over 1 year ago
Dismissed https://github.com/arvados/arvados/security/dependabot/107 as we're not using the vulnerable code.
Updated by Lucas Di Pentima over 1 year ago
Dismissed https://github.com/arvados/arvados/security/dependabot/2 & https://github.com/arvados/arvados/security/dependabot/5 as the risk is tolerable because it is related to doc generation and doesn't affect running clusters.
Updated by Lucas Di Pentima over 1 year ago
Handling https://github.com/arvados/arvados/security/dependabot/96 by upgrading the golang.org/x/net module.
Updates at ee9e02d91 - branch 20325-go-x-net-upgrade
Test run: developer-run-tests: #3588
Updated by Lucas Di Pentima over 1 year ago
Handling https://github.com/arvados/arvados/security/dependabot/109 by upgrading nokogiri on both RailsAPI & WB1.
Updates at a56ec3ec5 - branch 20325-nokogiri-upgrade
Test run: developer-run-tests: #3589
Updated by Lucas Di Pentima over 1 year ago
Dismissed https://github.com/arvados/arvados/security/dependabot/105 & https://github.com/arvados/arvados/security/dependabot/106 as we're not using the vulnerable code.
Updated by Lucas Di Pentima over 1 year ago
Dismissed https://github.com/arvados/arvados/security/dependabot/101, https://github.com/arvados/arvados/security/dependabot/102 & https://github.com/arvados/arvados/security/dependabot/103 as we're not using the vulnerable code. (The vulnerability may appear when using ruby 3.2 onwards.)
Updated by Lucas Di Pentima over 1 year ago
Handling https://github.com/arvados/arvados/security/dependabot/92, https://github.com/arvados/arvados/security/dependabot/95, https://github.com/arvados/arvados/security/dependabot/94 & https://github.com/arvados/arvados/security/dependabot/93 by upgrading the github.com/containerd/containerd module.
Updates at ddf2c60df - branch 20325-go-containerd-upgrade
Test run: developer-run-tests: #3596
WB1 re-run: developer-run-tests-apps-workbench-integration: #3882
Updated by Lucas Di Pentima over 1 year ago
Handling https://github.com/arvados/arvados/security/dependabot/64 & https://github.com/arvados/arvados/security/dependabot/65 by upgrading the globalid gem on RailsAPI & WB1.
Updates at a6775c492 - branch 20325-globalid-gem-upgrade
Test run: developer-run-tests: #3599
Updated by Lucas Di Pentima over 1 year ago
Handling https://github.com/arvados/arvados/security/dependabot/91 by upgrading github.com/docker/distribution to version 2.8.1.
Updates at b3c7d9bbf - branch 20325-go-docker-distribution-upgrade
Test run: developer-run-tests: #3603
Updated by Lucas Di Pentima over 1 year ago
Dismissed https://github.com/arvados/arvados/security/dependabot/81 & https://github.com/arvados/arvados/security/dependabot/82 as we don't seem to use the underscore method on user-provided input.
Updated by Peter Amstutz over 1 year ago
- Target version changed from Development 2023-04-26 sprint to Development 2023-05-10 sprint
Updated by Lucas Di Pentima over 1 year ago
Handling https://github.com/arvados/arvados/security/dependabot/110 & https://github.com/arvados/arvados/security/dependabot/111 by upgrading jquery-rails and its dependencies on RailsAPI & WB1.
Updates at ab72becc8 - branch 20325-jquery-rails-upgrade
Test run: developer-run-tests: #3649
WB1 integration re-run: developer-run-tests-apps-workbench-integration: #3940
Updated by Peter Amstutz over 1 year ago
- Target version changed from Development 2023-05-10 sprint to Development 2023-05-24 sprint
Updated by Lucas Di Pentima over 1 year ago
Handling https://github.com/arvados/arvados/security/dependabot/112 by upgrading the github.com/docker/distribution module to version v2.8.2+incompatible.
Updates at ee1e494c0 - branch 20325-go-docker-distribution-upgrade2
Test run: developer-run-tests: #3651
Updated by Lucas Di Pentima over 1 year ago
Looking at the following reports:
- https://github.com/arvados/arvados/security/dependabot/77
- https://github.com/arvados/arvados/security/dependabot/78
- https://github.com/arvados/arvados/security/dependabot/83
- https://github.com/arvados/arvados/security/dependabot/84
It seems that the patch could be applied to rails 5.2.8.x too:
https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118#patches-5
Updated by Peter Amstutz over 1 year ago
- Target version changed from Development 2023-05-24 sprint to Development 2023-06-07
Updated by Peter Amstutz over 1 year ago
- Target version changed from Development 2023-06-07 to Development 2023-05-24 sprint
Updated by Peter Amstutz over 1 year ago
- Status changed from In Progress to Resolved