cgi
CGI security fixes for old versions are not in repository
We were informed today of the new CVE-2021-33621 and want to update the copy of cgi shipped with JRuby 9.3. Unfortunately Ruby 2.6 has not been patched and I cannot find the related branches for older versions of CGI anywhere.
What patch went into 0.1.0.2 and friends? Where are the branches for those release lines?
ping @hsbt
I also noticed that the 0.1.0.2 tag points at a revision where there's a VERSION of 0.1.0.1. Is the fix actually in this release at all?
> Is the fix actually in this release at all?
Yes. see https://github.com/ruby/cgi/compare/v0.1.0.1...v0.1.0.2
Aha I see the version.rb was added and the VERSION moved out of cgi.rb.
Where does the branch for this exist? I am very confused about how this commit is in the repository when there's only master, and master HEAD is 0.3.5.
Ok I think I figured it out. The v0.1.0.2 tag (and probably the other recent security release tags) exist pointing at detached commits that have no associated branch. The tags remain in the repo, and should keep those commits from being lost, but there really should be a branch for each maintained version rather than just a tag.
Note that without being able to reach the tag from a branch, none of the security tags show up in https://github.com/ruby/cgi/tags.
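The situation described above (a release tag pointing at a commit that no branch reaches, and the proposed fix of giving each maintained line its own branch) can be reproduced and checked with plain git. The script below is an added example, not part of this thread or of ruby/cgi's own tooling; it builds a constructed throwaway repository with tags `v0.1.0.1` and `v0.1.0.2` that merely mimic the naming in the thread, and the helper names (`make_repo`, `branches_containing`, `orphaned_tags`, `branch_from_tag`) are this example's own.

```shell
#!/bin/sh
# Added example: reproduce a tag that no branch reaches, detect it, and fix it
# by creating a maintenance branch from the tag. Not ruby/cgi's code.
set -e

# Build a throwaway repository (constructed sample history, not ruby/cgi's).
make_repo() {
  repo=$(mktemp -d)
  git -c init.defaultBranch=master -C "$repo" init -q
  git -C "$repo" config user.email dev@example.com
  git -C "$repo" config user.name dev
  echo 'VERSION = "0.1.0.1"' > "$repo/cgi.rb"
  git -C "$repo" add cgi.rb
  git -C "$repo" commit -q -m "release 0.1.0.1"
  git -C "$repo" tag v0.1.0.1
  # Detach from master, commit a "security fix" and tag it; master never moves,
  # so the new tag is reachable from no branch (the shape seen in the thread).
  git -C "$repo" checkout -q --detach v0.1.0.1
  echo 'VERSION = "0.1.0.2"' > "$repo/cgi.rb"
  git -C "$repo" commit -q -am "security fix, release 0.1.0.2"
  git -C "$repo" tag v0.1.0.2
  git -C "$repo" checkout -q master
  echo "$repo"
}

# Print the branches that can reach a tag; empty output means it is orphaned.
branches_containing() {
  git -C "$1" branch --format='%(refname:short)' --contains "$2"
}

# Name every tag in the repository that no branch reaches.
orphaned_tags() {
  for t in $(git -C "$1" tag --list); do
    [ -z "$(branches_containing "$1" "$t")" ] && echo "$t"
  done
  return 0
}

# Create a maintenance branch (e.g. v0.1) from a tag (e.g. v0.1.0.2) so the
# tagged commit is reachable from a branch and appears in normal history.
branch_from_tag() {
  git -C "$1" branch "$2" "$3"
}

# Demo run: show the orphaned tag, fix it, and show the check is now clean.
demo() {
  repo=$(make_repo)
  echo "orphaned before: $(orphaned_tags "$repo")"
  branch_from_tag "$repo" v0.1 v0.1.0.2
  echo "orphaned after: '$(orphaned_tags "$repo")'"
}
demo
```

Run against a real clone, `orphaned_tags /path/to/clone` lists every tag that `git log --all --branches` style history browsing (and GitHub's branch-based views) would miss; `branch_from_tag` is the one-line repair per maintained release line.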
It's good to manage with a branch strategy, I think so too. But the current cgi gem is maintained only for each stable CRuby release, so there are no additional commits on this repository.
If we need to push additional features outside of CRuby releases, I will create stable branches like v0.2. Is it ok?
I think it would be good and safe to push new branches for the recently patched releases, so those tags can show up on GitHub and we can easily see those versions' histories.