ruby-advisory-db
Patched version range very confusing for CVE-2016-2097
I was looking at ruby-advisory-db/gems/actionview/CVE-2016-2097.yml
The unaffected_versions and patched_version ranges are as follows:
unaffected_versions:
- ">= 4.2.0"
# "~> 3.2.22.2" is found in gems/actionpack/CVE-2016-2097.yml
patched_versions:
- "~> 4.1.14, >= 4.1.14.2"
It would seem that these two version ranges overlap each other. They also don't seem to match the description particularly well.
Versions Affected: 3.2.x, 4.0.x, 4.1.x
Not affected: 4.2+
Fixed Versions: 3.2.22.2, 4.1.14.2
It is quite possible that I am reading it wrong, or misunderstand the syntax. Are the patched_versions incorrect or am I in error?
Thanks for the help!
Looks like in old Rails versions actionpack was affected, while in newer versions actionview was. So you need to review both gems/actionpack/CVE-2016-2097.yml and gems/actionview/CVE-2016-2097.yml to get the full picture.

patched_versions and unaffected_versions can indeed overlap, and it's fine. It just means that a newer version isn't affected by this vulnerability, so the patch (fix) is only needed for versions outside the unaffected_versions range.
Ohhhhhh. I see. That certainly explains most of it for me. I am still mildly confused about the two overlapping patched_versions:
patched_versions:
- "~> 4.1.14, >= 4.1.14.2"
@ken-duck that version range could probably be rewritten as < 4.2.0, >= 4.1.14.2.