[LRUG] Keeping track of new security vulnerabilities?

Frederick Cheung frederick.cheung at gmail.com
Fri Sep 20 02:11:53 PDT 2013


On 20 Sep 2013, at 10:07, Romek <romeks at gmail.com> wrote:

> Hi,
> 
> To keep up with CVEs, don't do it yourself. Let NIST do it for you...
> 
> http://carnal0wnage.attackresearch.com/2013/04/bundler-audit-auditing-your-rubygems.html
> 
> So to install this - 
> 
> gem install bundler-audit
> 
> to run it, navigate to the directory where the Gemfile.lock is stored:
> 
> bundle-audit check


Very cool (assuming the database of vulnerabilities is up to date). To turn this problem on its head, people who maintain gems: where would you submit the info that a gem has been updated with a security release?
More than a few times I've found out about problems in smaller gems through Twitter - hardly ideal!

Fred
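What `bundle-audit check` actually does is read the `specs:` section of Gemfile.lock and compare each pinned version against the advisories in ruby-advisory-db, where an advisory lists `patched_versions` and `unaffected_versions` as RubyGems requirement strings. The script below is an added example of that matching logic, written for this thread; it is not bundler-audit's own code. The lockfile, the gem names (`widget-parser`, `widget-core`, `widget-web`), the advisories and the `0000-000x` identifiers are all constructed placeholders, not real gems or real CVEs.

```ruby
require 'rubygems'
require 'yaml'

# Constructed Gemfile.lock fragment (not taken from any real project).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      widget-parser (1.2.3)
      widget-core (0.9.0)
      widget-web (2.0.1)
        widget-core (>= 0.9)

  PLATFORMS
    ruby

  DEPENDENCIES
    widget-parser
    widget-web
LOCK

# Constructed advisories in the shape ruby-advisory-db uses
# (gem, cve, title, patched_versions, unaffected_versions).
# The cve values are placeholders, not real CVE identifiers.
ADVISORIES_YAML = <<~YAML
  - gem: widget-parser
    cve: "0000-0001"
    title: Example denial of service in widget-parser (constructed)
    patched_versions:
      - ">= 1.2.4"
  - gem: widget-core
    cve: "0000-0002"
    title: Example injection in widget-core (constructed)
    unaffected_versions:
      - "< 0.5.0"
    patched_versions:
      - "~> 0.9.2"
      - ">= 1.0.0"
YAML

# Parse the "specs:" section of a Gemfile.lock into {name => Gem::Version}.
# Only lines indented exactly four spaces are resolved gems; six-space
# lines underneath them are their dependency requirements and are skipped.
def lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    next unless in_specs
    break if line.strip.empty?        # blank line ends the specs block
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# A version is vulnerable unless it satisfies one of the advisory's
# unaffected_versions or patched_versions requirements.
def vulnerable?(version, advisory)
  unaffected = Array(advisory['unaffected_versions'])
  patched    = Array(advisory['patched_versions'])
  return false if unaffected.any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
  return false if patched.any?    { |req| Gem::Requirement.new(req).satisfied_by?(version) }
  true
end

# Cross-reference every locked gem against the advisory list.
def audit(lock_text, advisories_yaml)
  specs = lockfile_specs(lock_text)
  YAML.safe_load(advisories_yaml).select { |adv|
    version = specs[adv['gem']]
    version && vulnerable?(version, adv)
  }.map { |adv|
    { gem: adv['gem'], version: specs[adv['gem']].to_s, cve: adv['cve'], title: adv['title'] }
  }
end

# Exit status a CI wrapper would use: non-zero when anything matched.
def exit_status(findings)
  findings.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  findings = audit(LOCKFILE, ADVISORIES_YAML)
  findings.each { |f| puts "#{f[:gem]} #{f[:version]}: CVE-#{f[:cve]} #{f[:title]}" }
  puts "exit status would be #{exit_status(findings)}"
end
```

Two things follow from how the matching works. First, the check is only as good as the local copy of the advisory database, which is exactly the caveat Fred raises: bundler-audit keeps a clone of ruby-advisory-db on disk, so run `bundle-audit update` before `bundle-audit check` (in CI, on every run) or you are auditing against whatever was fetched when the gem was installed. Second, an advisory that lists neither `patched_versions` nor `unaffected_versions` flags every version of that gem, which is the conservative behaviour you want when a maintainer has announced a problem but no fix has shipped yet.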

