GHSA/SYNC: 1 new faraday advisory #1058

Open: jasnow wants to merge 1 commit into rubysec:master from jasnow:ghsa-syncbot-2026-05-19-20_33_30

jasnow (Contributor) commented May 20, 2026

GHSA/SYNC: 1 new faraday advisory

Comment thread gems/faraday/CVE-2026-33637.yml
unaffected_versions:
- "< 2.0.0"
patched_versions:
- ">= 2.14.2"
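
Review bot: the patched_versions entry ">= 2.14.2" gives no indication of which source the fix version was taken from. Confirm 2.14.2 against the gem's published versions and the upstream release notes, and record that source in the advisory (for example in a notes: field) so a reader comparing this entry with other advisory databases can see why this value was chosen.
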
Contributor

https://nvd.nist.gov/vuln/detail/CVE-2026-33637 says

This issue has been fixed in version 2.14.3.

But there is no 2.14.3 :-o https://rubygems.org/gems/faraday/versions. So something is off here. Is the CVE wrong? Should we report it?

Contributor Author

Yes, the NVD website data is wrong, so I did not use it. Check the release notes URL.

Contributor Author

Unclicked "Resolve comment" button - will wait for your feedback.

Contributor

All good, just wondering if there's a known contact where to report such mistakes.

Contributor Author

Yes, the NVD website data is wrong, so I did not use it. Check the release notes URL.

Try the GitHub Security Advisory (GHSA) website - see that the NVD website got the data from there.

Contributor Author

If you want to fix this data, this can be worked separately from this PR.
