1. 16 Jun, 2020 2 commits
    •
      Merge branch 'bundle-audit-ignore-CVE-2020-8184' into 'master' · 26e8dc88
      Nina authored
      CI: bundle-audit: Ignore CVE-2020-8184
      
      See merge request !342
    •
      CI: bundle-audit: Ignore CVE-2020-8184 · 008cff32
      georg authored
      Percent-encoded cookies can be used to overwrite existing prefixed
      cookie names
      
      It is possible to forge a secure or host-only cookie prefix in Rack
      using an arbitrary cookie write by using URL encoding (percent-encoding)
      on the name of the cookie. This could result in an application that is
      dependent on this prefix to determine if a cookie is safe to process
      being manipulated into processing an insecure or cross-origin request.
      This vulnerability has been assigned the CVE identifier CVE-2020-8184.
      
      Versions Affected:  rack < 2.2.3, rack < 2.1.4
      Not affected:       Applications which do not rely on __Host- and
                          __Secure- prefixes to determine if a cookie is safe
                          to process
      Fixed Versions:     rack >= 2.2.3, rack >= 2.1.4
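The advisory quoted in the commit above describes a parser that percent-decodes the cookie name before any prefix check is made. The following Ruby script is an added illustration of that flaw and of a hardened variant; it is not code from Schleuder or from Rack, and the cookie header, the `parse_cookies_*` helpers and `spoofed_prefix?` are constructed for this example. The hardened variant is one reasonable approach (treat the name exactly as sent, decode only the value), not a claim about the exact patch that shipped in rack 2.2.3 / 2.1.4.

```ruby
require 'cgi'

# Constructed sample Cookie header (not from the page). The attacker's cookie
# is listed first, which an attacker holding an arbitrary cookie write can
# often arrange; "%5F" is a percent-encoded underscore, so the first name
# decodes to "__Host-session".
SAMPLE_COOKIE_HEADER = '%5F%5FHost-session=forged; __Host-session=legit'.freeze

# Vulnerable pattern: percent-decode the cookie NAME as well as the value and
# keep the first value seen for each decoded name. After decoding,
# "%5F%5FHost-session" and "__Host-session" collapse into the same key, so
# whichever comes first in the header wins the "__Host-" name.
def parse_cookies_decoding_names(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    name, value = pair.split('=', 2)
    decoded_name = CGI.unescape(name)
    cookies[decoded_name] = CGI.unescape(value.to_s) unless cookies.key?(decoded_name)
  end
end

# Hardened pattern: the NAME is used exactly as the client sent it and only
# the value is decoded. A percent-encoded name can then never equal a real
# "__Host-"/"__Secure-" name, so the prefix cannot be forged this way.
def parse_cookies_raw_names(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    name, value = pair.split('=', 2)
    cookies[name] = CGI.unescape(value.to_s) unless cookies.key?(name)
  end
end

# An application-side trust decision of the kind the advisory talks about:
# only a cookie whose name carries the __Host- prefix is believed.
def host_prefixed_value(cookies, base_name)
  cookies["__Host-#{base_name}"]
end

COOKIE_PREFIXES = %w[__Host- __Secure-].freeze

# Detection helper (assumption: you want to log or reject such requests):
# true when decoding the raw name would manufacture a prefix the raw name did
# not carry. Catches "%5F%5FHost-x" as well as "__Secure%2Dx".
def spoofed_prefix?(raw_name)
  decoded = CGI.unescape(raw_name)
  COOKIE_PREFIXES.any? { |p| decoded.start_with?(p) && !raw_name.start_with?(p) }
end

if __FILE__ == $PROGRAM_NAME
  vulnerable = parse_cookies_decoding_names(SAMPLE_COOKIE_HEADER)
  hardened   = parse_cookies_raw_names(SAMPLE_COOKIE_HEADER)
  puts "decoding names   -> __Host-session = #{host_prefixed_value(vulnerable, 'session')}"
  puts "raw names        -> __Host-session = #{host_prefixed_value(hardened, 'session')}"
  SAMPLE_COOKIE_HEADER.split(/;\s*/).each do |pair|
    name = pair.split('=', 2).first
    puts "#{name}: spoofed prefix? #{spoofed_prefix?(name)}"
  end
end
```

Run it with `ruby cookie_prefix_demo.rb` (any file name works). The vulnerable parser hands back `forged` for `__Host-session`; the hardened one keeps `%5F%5FHost-session` as a separate, untrusted key and returns `legit`. Note that the hardened parser does not reject `%` in names: `%` is a legal token character under RFC 6265, so the defence is to stop decoding names, not to filter them.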
  2. 13 Jun, 2020 1 commit
  3. 12 Jun, 2020 2 commits
    •
      Merge branch '472-specs-rely-on-localhost' into 'master' · 3e1d36ef
      Nina authored
      specs: rely on localhost instead of 127.0.0.1
      
      Closes #472
      
      See merge request !340
    •
      specs: fix errors on IPv6-only machines · 6a114316
      georg authored
      Do not rely on '127.0.0.1', but on 'localhost'.
      
      dirmngr receives some extra care, so it's able to cope with it.
      
      gpgconf --kill might hang indefinitely, therefore, rely on pkill.
      
      Relax the expected output of gpg if refreshing keys without a keyserver
      being available, as gpg might report various errors in such a situation.
      
      The dependency on dirmngr will be dropped soon, anyway, so I deem this
      acceptable as a workaround, for now.
      
      Closes #472
  4. 09 Jun, 2020 2 commits
  5. 08 Jun, 2020 1 commit
  6. 02 Jun, 2020 1 commit
    •
      CI: bundle-audit: Ignore CVE-2020-8161 and CVE-2020-8165 · 95d2bf31
      georg authored
      CVE-2020-8161: Directory traversal in Rack::Directory
      
      CVE-2020-8165: unmarshalling of user-provided objects in MemCacheStore
                     and RedisCacheStore
      
      Neither vulnerability affects us; accordingly, ignore them.
  7. 27 May, 2020 2 commits
  8. 19 May, 2020 1 commit
  9. 04 May, 2020 1 commit
  10. 01 May, 2020 1 commit
  11. 20 Apr, 2020 1 commit
  12. 17 Apr, 2020 1 commit
  13. 15 Apr, 2020 3 commits
  14. 13 Apr, 2020 1 commit
  15. 09 Apr, 2020 1 commit
  16. 01 Apr, 2020 5 commits
  17. 31 Mar, 2020 4 commits
  18. 30 Mar, 2020 7 commits
  19. 29 Mar, 2020 1 commit
  20. 28 Mar, 2020 1 commit
  21. 26 Mar, 2020 1 commit