deivid (David Rodríguez) wrote in #note-3:
How is the score for vulnerabilities calculated? I tried to set the score myself to "Low" in the GitHub Advisory, because the chances that this issue is ever explored seemed very low to me. I also ran a CVSS severity calculator by answering some questions, and depending on the answers I gave (for some of them I was not sure what the best answer was) I would get a Low or Medium score. Where does this 7.3 number come from?
In principle I totally understand that @hsbt (Hiroshi SHIBATA) doesn't plan to update it.
You can't change the score by yourself; it comes from the CVSS values.
For example, NIST and GitHub have used different values for the Attack Complexity field, which produces two different results.
https://nvd.nist.gov/vuln/detail/CVE-2021-43809
However, the point here is that ruby 2.6, which is still in the security maintenance phase, includes a vulnerable (and EOL) package.
From my point of view, @hsbt (Hiroshi SHIBATA) should fix this by removing or upgrading it.
Or, if you prefer, you can also declare 2.6 as EOL/EOS.