
Allow rotp update to 6.3.0 to fix CVE-2024-28862 #126

Closed
jean-francois-labbe opened this issue Mar 19, 2024 · 5 comments

Comments

@jean-francois-labbe

There is a CVE reported on rotp to 6.2.1 and 6.2.2
The fix is to update rotp to >= 6.3.0

Current gemspec prevents the update: spec.add_dependency "rotp", "~> 6.2.0"

ruby-advisory-db:
  advisories:	882 advisories
  last updated:	2024-03-18 19:03:51 -0700
  commit:	35ca69bb256418b4cec81327e659ed6c0257d25b
Name: rotp
Version: 6.2.2
CVE: CVE-2024-28862
GHSA: GHSA-x2h8-qmj4-g62f
Criticality: Medium
URL: https://github.com/mdp/rotp/security/advisories/GHSA-x2h8-qmj4-g62f
Title: ROTP 6.2.2 and 6.2.1 has 0666 permissions for the .rb files.
Solution: upgrade to '>= 6.3.0'
jean-francois-labbe added a commit to jean-francois-labbe/active_model_otp that referenced this issue Mar 19, 2024
@jean-francois-labbe
Author

There is already a PR here #118

@spickermann

spickermann commented Apr 2, 2024

@jean-francois-labbe Thank you for fixing this security issue.

I noticed that the latest release (2.3.2 from April 26, 2023) still depends on rotp ~> 6.2.0 (see: Rubygems and the diff between main and the 2.3.2 tag).

Would you be able to create a new release with the rotp update?

@jean-francois-labbe
Author

@spickermann thanks for the message but I'm not a maintainer on this project. I can't do anything for you.

Right now I updated my gemfile to reference the commit that fixes the rotp dependency.

  # fix CVE-2024-28862, waiting for a new release
  gem "active_model_otp", github: "heapsource/active_model_otp", ref: "3a4db76f59aaecd133654be4ae43184d2d67bb2b"

@spickermann

@jean-francois-labbe I am sorry that I mistook you for one of the maintainers.

@guilleiguaran, @bithavoc, @robertomiranda Would one of you be able to release a new version fixing this security vulnerability on Rubygems?

@jeffbax

jeffbax commented Apr 9, 2024

@spickermann thanks for the message but I'm not a maintainer on this project. I can't do anything for you.

Right now I updated my gemfile to reference the commit that fixes the rotp dependency.

  # fix CVE-2024-28862, waiting for a new release
  gem "active_model_otp", github: "heapsource/active_model_otp", ref: "3a4db76f59aaecd133654be4ae43184d2d67bb2b"

Ultimately did the same thing for us as well at the moment. A little curious that they are not letting this dependency be a little less rigid by fixing this gem to a patch version in this framework.
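Added example (not code from this issue or the active_model_otp project) showing why the `~> 6.2.0` pin discussed above blocks the fix: it lists which published rotp versions a gemspec constraint can resolve to and whether any of them falls inside the advisory's patched range. The list of published versions is constructed for the example; the patched range `>= 6.3.0` is the one from the advisory.

```ruby
# Added example: does a gemspec constraint leave any route to the patched version?
require "rubygems"

# Patched range as stated in the ruby-advisory-db entry for CVE-2024-28862.
ADVISORY = { gem: "rotp", cve: "CVE-2024-28862", patched: [">= 6.3.0"] }.freeze

# Constructed sample of published rotp versions (not fetched from RubyGems).
PUBLISHED = %w[6.2.0 6.2.1 6.2.2 6.3.0].freeze

# Published versions that satisfy the constraint, using RubyGems' own
# pessimistic-operator semantics ("~> 6.2.0" means >= 6.2.0 and < 6.3).
def resolvable_versions(constraint, published = PUBLISHED)
  req = Gem::Requirement.new(constraint)
  published.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# True when at least one resolvable version lies in the advisory's patched range.
def constraint_allows_fix?(constraint, advisory = ADVISORY, published = PUBLISHED)
  patched = Gem::Requirement.new(*advisory[:patched])
  resolvable_versions(constraint, published).any? do |v|
    patched.satisfied_by?(Gem::Version.new(v))
  end
end

# One row per constraint: [constraint, resolvable versions, fix reachable?].
def report(constraints)
  constraints.map { |c| [c, resolvable_versions(c), constraint_allows_fix?(c)] }
end

if $PROGRAM_NAME == __FILE__
  report(["~> 6.2.0", "~> 6.2", ">= 6.3.0"]).each do |c, versions, ok|
    puts "#{c.ljust(9)} -> #{versions.join(', ')} : #{ok ? 'fix reachable' : 'BLOCKS fix'}"
  end
end
```

The same check can be run against any gemspec constraint and advisory pair to spot a pin that makes a security upgrade impossible without a new release of the depending gem.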
