
Conversation

@jasnow (Contributor) commented Apr 15, 2025

GHSA SYNC: 2 brand new advisories:

@postmodern postmodern merged commit 6140107 into rubysec:master Apr 15, 2025
1 check passed
@jnq-t commented Apr 15, 2025

Hello @jasnow @postmodern,

Several developers in my organization are not able to bundle update to the latest logstash-event gem. Rubygems doesn’t list anything newer than 1.2.02. Could we get some context?

@fred-brightwheel
Unclear as to why logstash-event is included in the GHSA db. Seems like the CVE affects a really old version of logstash. Could be a mistake in GHSA 🤷

@abMatGit commented Apr 15, 2025

Agreed -- This looks like a mistake. The CVE is regarding logstash version, not this gem which just does formatting.

postmodern added a commit that referenced this pull request Apr 16, 2025
* The original blog post [1] mentions the elasticsearch/logstash-contrib [2]
  github repository, *not* the logstash-event gem which also does not
  appear to contain the mentioned vulnerable files.

[1]: https://web.archive.org/web/20140804031140/http://www.elasticsearch.org/blog/logstash-1-4-2
[2]: https://github.com/elastic/logstash-contrib
@postmodern (Member)
I have temporarily removed gems/logstash-event/CVE-2014-4326.yml. This does indeed look like incorrect GHSA data. The original blog post mentions the elasticsearch/logstash-contrib GitHub repository, which contains a logstash-contrib.gemspec but doesn't appear to have ever been released to rubygems.org. Also, the logstash-event gem does not contain the mentioned vulnerable files (lib/logstash/outputs/zabbix.rb and lib/logstash/outputs/nagios_nsca.rb).

$ gem unpack logstash-event
$ tree logstash-event-1.2.02/
logstash-event-1.2.02/
├── lib
│   ├── logstash
│   │   ├── event.rb
│   │   ├── namespace.rb
│   │   ├── util
│   │   │   └── fieldreference.rb
│   │   └── util.rb
│   └── logstash-event.rb
├── LICENSE
└── spec
    └── event.rb

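The manual check above (unpack the gem, look for the files the advisory names) can be scripted so the same question can be asked of any gem/advisory pair. The following is an added example written for this page, not code from the thread or from the ruby-advisory-db project. It reads the file list straight out of a .gem archive with RubyGems' own `Gem::Package#contents` and reports which advisory paths are absent. To run offline it builds a small constructed gem mirroring the logstash-event-1.2.02 layout shown above; against a real package you would point it at a file downloaded with `gem fetch` instead.

```ruby
# Added example (not from the thread or the ruby-advisory-db project):
# "does this gem actually ship the files the advisory names?"
require "rubygems"
require "rubygems/package"
require "tmpdir"
require "fileutils"

# Paths named in the CVE-2014-4326 write-up (quoted in the comment above).
ADVISORY_FILES = [
  "lib/logstash/outputs/zabbix.rb",
  "lib/logstash/outputs/nagios_nsca.rb",
].freeze

# List every file packed inside a .gem without extracting it to disk.
def gem_file_list(gem_path)
  Gem::Package.new(gem_path).contents
end

# Return the advisory paths that are *not* present in the gem.
# Empty result: the gem ships every file the advisory talks about.
# Full list returned: the advisory points at a gem that never contained them.
def missing_advisory_files(gem_path, advisory_files = ADVISORY_FILES)
  shipped = gem_file_list(gem_path)
  advisory_files.reject { |path| shipped.include?(path) }
end

# Build a throwaway .gem in `dir` containing exactly `files` (constructed
# sample data so the example runs offline). Returns the absolute .gem path.
def build_sample_gem(dir, name, version, files)
  Dir.chdir(dir) do
    files.each do |path|
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, "# constructed placeholder for #{path}\n")
    end
    spec = Gem::Specification.new do |s|
      s.name    = name
      s.version = version
      s.summary = "constructed sample gem"
      s.authors = ["example"]
      s.files   = files
    end
    # skip_validation = true: this is test data, not a release candidate.
    File.expand_path(Gem::Package.build(spec, true))
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    # Mirrors the logstash-event-1.2.02 tree shown in the comment above.
    event_gem = build_sample_gem(dir, "logstash-event", "1.2.02",
      ["lib/logstash-event.rb", "lib/logstash/event.rb",
       "lib/logstash/namespace.rb", "lib/logstash/util.rb",
       "lib/logstash/util/fieldreference.rb"])
    puts "missing from logstash-event: #{missing_advisory_files(event_gem).inspect}"
  end
end
```

For the constructed logstash-event gem both advisory paths come back as missing, which is the same conclusion the `tree` output above supports; a gem that did carry `lib/logstash/outputs/zabbix.rb` and `lib/logstash/outputs/nagios_nsca.rb` would return an empty list.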