That situation actually makes me wonder whether it wouldn't be good if RubyGems warned you if you were installing a version of a gem that had known security problems. (Or perhaps in serious situations, the gem publisher could yank them...)
I'd certainly find it useful if bundler would tell me it was knowingly installing an old version of a gem because of a dependency.

On Tue, Feb 12, 2013 at 11:16 AM, Ben Hoskings <[email protected]> wrote:
> That's a good option too.
>
> My intent with the version constraint isn't to lock it, so much as to make it explicit that the gem shouldn't be rolled back in the future. That is, that there's a specific reason it's at that version, aside from that being the latest version at the time it was incorporated.
>
> - Ben
>
> On 12 February 2013 09:48, Jon Rowe <[email protected]> wrote:
>> If you feel the need to lock to a specific version rather than just `bundle update json` then ~> is safer than >= as it will only allow patch version updates.
>>
>> Jon Rowe
>> -----------------------------
>> [email protected]
>> jonrowe.co.uk
>>
>> On Tuesday, 12 February 2013 at 09:38, Ben Hoskings wrote:
>>
>> There are three. Here they are with tl;dr.
>>
>> 1) https://groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/AFBKNY7VSH8
>> #attr_protected can be circumvented in controllers.
>> Fixed in rails 3.2.12, 3.1.11, 2.3.17.
>>
>> 2) https://groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/KtmwSbEpzrU
>> #serialize calls in models can be exploited to execute remote code.
>> 3.1.0 and newer are not affected.
>> Fixed in rails 2.3.17. There is no release for 3.0.x because of policy: you'll have to manually apply the patch.
>>
>> 3) https://groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
>> There's a denial of service and unsafe object creation bug using 'json_class' in json.gem.
>> Fixed in json 1.7.7, 1.6.8, 1.5.5.
>> N.B. You have to update json.gem separately to rails to ensure you're safe.
>>
>> For anyone unsure, the easiest way to update is to lock out the old versions in your Gemfile and then `bundle update`. For example:
>>
>> 1) Check Gemfile.lock for 'json' and note the version. (e.g. say you had json-1.7.6, as we did.)
>> 2) Add or update the 'json' entry in your Gemfile to the safe version corresponding to your minor version, as follows:
>>    gem 'json', '>= 1.7.7'
>> 3) Run `bundle update json`
>> 4) Run specs
>> 5) SHIP IT
>>
>> Cheers
>> Ben
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Ruby or Rails Oceania" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/rails-oceania?hl=en.
>> For more options, visit https://groups.google.com/groups/opt_out.
>
> --
> Cheers
> Ben
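The update recipe in Ben's quoted post (read the locked json version, pick the fixed release for that minor series, pin it in the Gemfile) and Jon's note about `~>` versus `>=` can be made mechanical. The script below is an added example for this thread, not code from any of the participants: it parses a constructed Gemfile.lock excerpt, compares the locked `json` version against the fixed releases the post lists (1.7.7, 1.6.8, 1.5.5), prints the Gemfile line to add, and uses RubyGems' own `Gem::Requirement` to show which later versions each operator would admit. The sample lock file contents and the helper names are assumptions for illustration.

```ruby
# Added example (not from the thread): check the locked 'json' version in a
# Gemfile.lock against the fixed releases listed in the advisory summary.
require "rubygems"

# Fixed json versions per minor series, exactly as listed in the thread.
# Any other series is reported as :unknown rather than guessed at.
FIXED_JSON = {
  "1.7" => "1.7.7",
  "1.6" => "1.6.8",
  "1.5" => "1.5.5",
}.freeze

# Constructed sample Gemfile.lock excerpt (not a real project's lock file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (1.7.6)
      multi_json (1.5.0)
      rails (3.2.11)
LOCK

# Extract the resolved version of +name+ from Gemfile.lock text.
# Lock files list a resolved gem as "    name (x.y.z)" under specs:.
def locked_version(lock_text, name)
  m = lock_text.match(/^\s+#{Regexp.escape(name)} \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# "1.7" for 1.7.6: the minor series decides which fixed release applies.
def minor_series(version)
  version.segments.first(2).join(".")
end

# Returns [:safe | :vulnerable | :unknown, fixed_version_or_nil].
def assess_json(version)
  fixed = FIXED_JSON[minor_series(version)]
  return [:unknown, nil] unless fixed
  version >= Gem::Version.new(fixed) ? [:safe, fixed] : [:vulnerable, fixed]
end

# Gemfile line to add. '~>' (pessimistic) only admits patch-level updates
# within the series, which is Jon's point; '>=' admits any later version.
def gemfile_line(fixed, operator: "~>")
  "gem 'json', '#{operator} #{fixed}'"
end

# Does a candidate version satisfy the constraint string? This is the same
# check bundler's resolver applies when picking a version.
def allowed?(constraint, candidate)
  Gem::Requirement.new(constraint).satisfied_by?(Gem::Version.new(candidate))
end

if __FILE__ == $PROGRAM_NAME
  v = locked_version(SAMPLE_LOCK, "json")
  status, fixed = assess_json(v)
  puts "json #{v}: #{status}" + (fixed ? " (fixed in #{fixed})" : "")
  puts gemfile_line(fixed) if status == :vulnerable
  puts "~> 1.7.7 allows 1.8.0? #{allowed?('~> 1.7.7', '1.8.0')}"
  puts ">= 1.7.7 allows 1.8.0? #{allowed?('>= 1.7.7', '1.8.0')}"
end
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with `File.read("Gemfile.lock")`. Note that a series the thread does not list (1.8 and later, or anything below 1.5) is deliberately reported as unknown rather than safe, since the post only vouches for the three fixed releases it names.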
