Project

General

Profile

Actions

Bug #18431

closed

Ruby 2.6.9, bundler 1.17.2 and CVE-2021-43809

Added by npic1 (Nat Pic1) over 2 years ago. Updated about 2 years ago.

Status:
Closed
Target version:
-
[ruby-core:106811]

Description

Hi,
Ruby 2.6.9 ships with bundler 1.17.2, which is affected by CVE-2021-43809.
Is there a plan to upgrade it to resolve the issue?

I saw that in the past, there was an upgrade and then a downgrade because of some issue:
https://git.ruby-lang.org/ruby.git/commit/?id=91533d9ab17a08385381d87991e01e8674e069a1

Thanks a lot,
Regards
Nat

Updated by hsbt (Hiroshi SHIBATA) over 2 years ago

  • Status changed from Open to Closed
  • Assignee set to hsbt (Hiroshi SHIBATA)

Bundler 1.x is EOL now. I have no plan to update it on Ruby 2.6.

You can upgrade bundler with gem update bundler.

Updated by npic1 (Nat Pic1) over 2 years ago

hsbt (Hiroshi SHIBATA) wrote in #note-1:

Bundler 1.x is EOL now. I have no plan to update it on Ruby 2.6.

You can upgrade bundler with gem update bundler.

I understand, but you should think that every system that will ship with ruby 2.6 will also ship a vulnerable bundler by default and CVE-2021-43809 has a 7.3 CVSS rating.
Removing/upgrading the system bundler may be tricky.
Ruby 2.6 is still in the security maintenance phase.

Best

Updated by deivid (David Rodríguez) over 2 years ago

How is the score for vulnerabilities calculated? I tried to set the score myself to "Low" in the Github Advisory, because the chances that this issue is ever explored seemed very low to me. I also run a CVSS severity calculator by answering some questions and depending on the answers I gave (some of them I was not sure what the best answer was) I would get a Low or Medium score. Where does this 7.3 number come from?

In principle I totally understand that @hsbt (Hiroshi SHIBATA) doesn't plan to update it.

Updated by npic1 (Nat Pic1) about 2 years ago

deivid (David Rodríguez) wrote in #note-3:

How is the score for vulnerabilities calculated? I tried to set the score myself to "Low" in the Github Advisory, because the chances that this issue is ever explored seemed very low to me. I also run a CVSS severity calculator by answering some questions and depending on the answers I gave (some of them I was not sure what the best answer was) I would get a Low or Medium score. Where does this 7.3 number come from?

In principle I totally understand that @hsbt (Hiroshi SHIBATA) doesn't plan to update it.

You can't change the score by yourself; it comes from the CVSS values.
For example, NIST and GitHub have used different values for the Attack Complexity field, which produces two different results.
https://nvd.nist.gov/vuln/detail/CVE-2021-43809

However, the point here is that ruby 2.6, which is still in the security maintenance phase, includes a vulnerable (and in EOL) package.
From my point of view, @hsbt (Hiroshi SHIBATA) should fix this by removing or upgrading it.
Or, if you prefer, you can also declare 2.6 as EOL/EOS.

Updated by deivid (David Rodríguez) about 2 years ago

I see, I agree more with GitHub assessment.

If I understand correctly, ruby 2.6 will be declared as EOL soon, so it seems fine to me to way for that to happen and don't take any action. Users who want to stick to Ruby 2.6 but use a fixed Bundler version can upgrade the bundler gem manually.

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0