Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIX CVE-2020-8130 #21

Merged
merged 2 commits into from
Jun 25, 2021
Merged

FIX CVE-2020-8130 #21

merged 2 commits into from
Jun 25, 2021

Conversation

VijayanB
Copy link
Member

@VijayanB VijayanB commented Jun 25, 2021
edited
Loading

Description

There is an OS command injection vulnerability in Ruby Rake before 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |. Though suggested remedy is to update to 12.3.3, we can remove this pinning since it was required only for Logstash 5.x.

Issues Resolved

#10

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has documentation added
  • Commits are signed as per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@VijayanB
Remove rake dependency
c7d369b 
This was required for Logstash 5.X. Since we don't support that,
we can safely remove. This was causing CVE.

Signed-off-by: Vijayan Balasubramanian <balasvij@amazon.com>
@VijayanB VijayanB self-assigned this Jun 25, 2021
@VijayanB VijayanB requested review from jmazanec15 and vamshin June 25, 2021 05:50
@VijayanB
Update variable names
8742964 
Rename variable to client.

Signed-off-by: Vijayan Balasubramanian <balasvij@amazon.com>
vamshin
vamshin approved these changes Jun 25, 2021
View reviewed changes
Copy link
Member

@vamshin vamshin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks

@VijayanB VijayanB merged commit 8d87ed7 into opensearch-project:main Jun 25, 2021
@VijayanB VijayanB deleted the fix-cve branch June 25, 2021 18:03
@VijayanB VijayanB added the Bug Fixes Changes to a system or product designed to handle a programming bug/glitch label Jul 9, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vamshin vamshin vamshin approved these changes

@jmazanec15 jmazanec15 Awaiting requested review from jmazanec15

Assignees

@VijayanB VijayanB

Labels
Bug Fixes Changes to a system or product designed to handle a programming bug/glitch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@VijayanB @vamshin