Upgrade minitar to fix CVE-2016-10173 #8092

Closed
wants to merge 1 commit into from

vanstee commented Aug 28, 2017

Noticed rubyzip was bumped to take care of a similar CVE, but minitar is still pinned to the old version.

PR which fixed the issue: halostatue/minitar#16

Shipping a new version of logstash-core and logstash-core-plugin-api would be super helpful as well.

@elasticmachine
Collaborator

Can one of the admins verify this patch?

@suyograo
Contributor

Hi, thanks for the patch. Can you please perform step 2 of https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md#contribution-steps

@vanstee
Author

vanstee commented Aug 29, 2017

@suyograo Just signed it a second time. I guess the CLA status doesn't update here though. Also it looks like CI flaked but I can't rerun it without write perms on the repo. Could you kick that off for me?

@jsvd
Member

jsvd commented Sep 2, 2019

We now use minitar ~> 0.8.0, this can be closed https://github.com/elastic/logstash/blob/master/logstash-core/logstash-core.gemspec#L67

jsvd closed this Sep 2, 2019