[LRUG] Fwd: Keeping track of new security vulnerabilities?

Joel Chippindale joel.chippindale at gmail.com
Thu Sep 19 12:32:22 PDT 2013


LRUGers

If you want to keep up to date with the latest known security
vulnerabilities in Ruby and the gems you are using, there seem to be many
different places to look, for example:

- For rails there is the rubyonrails-security mailing list (
https://groups.google.com/forum/#!forum/rubyonrails-security), which has
rails covered, but what about any of the other ruby gems you rely on?

- It is unclear to me whether the ruby-security-ann mailing list is still
active (https://groups.google.com/forum/#!forum/ruby-security-ann).

- The National Vulnerability Database (
http://web.nvd.nist.gov/view/vuln/search-results?query=ruby&search_type=all&cves=on)
appears to be more comprehensive and enables you to search for ruby
vulnerabilities but does not appear to give you any nice way to be alerted
when a new vulnerability is discovered.

- The ruby-advisory-db on github (
https://github.com/rubysec/ruby-advisory-db/) looks like a great project
(with potential to create a tool which would read your Gemfile/Gemfile.lock
and warn you of issues?) but the frequency of updates and number of open
issues suggest to me that it is far from comprehensive.

However none of these appear to be comprehensive, even with respect to
reported issues, or make it easy to keep track of new vulnerabilities.

How do you keep up to date with security vulnerabilities that are
discovered in Ruby and the gems you use?

J.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20130919/9118961a/attachment-0003.html>
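The Gemfile.lock-checking tool that the post speculates about, as an added example that is not code from the original post or from the ruby-advisory-db project. It assumes the advisory records are YAML documents in the shape ruby-advisory-db uses (gem, cve, title, unaffected_versions, patched_versions, stored as gems/<gem name>/<id>.yml in a checkout), and that a version is affected unless it satisfies one of the unaffected or patched requirements. The lockfile and the advisories embedded below are constructed for illustration; the EXAMPLE-* identifiers are placeholders, not real advisories.

```ruby
require "yaml"
require "rubygems" # Gem::Version and Gem::Requirement

# Constructed sample Gemfile.lock (not taken from the original post).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.12)
        activesupport (= 3.2.12)
      activesupport (3.2.12)
      nokogiri (1.5.9)
      rack (1.4.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    actionpack (= 3.2.12)
    nokogiri
LOCK

# Constructed advisories in the YAML shape ruby-advisory-db uses. The ids
# and version ranges are placeholders for illustration, not real advisories.
SAMPLE_ADVISORIES = [
  <<~YML,
    gem: actionpack
    cve: EXAMPLE-0001
    title: Placeholder advisory (constructed, not a real CVE)
    patched_versions:
      - "~> 3.1.12"
      - ">= 3.2.13"
  YML
  <<~YML,
    gem: rack
    cve: EXAMPLE-0002
    title: Placeholder advisory (constructed, not a real CVE)
    unaffected_versions:
      - "< 1.3.0"
    patched_versions:
      - "~> 1.3.10"
      - ">= 1.4.5"
  YML
  <<~YML
    gem: nokogiri
    cve: EXAMPLE-0003
    title: Placeholder advisory (constructed, not a real CVE)
    patched_versions:
      - ">= 1.5.10"
  YML
]

# Return {gem name => Gem::Version} from the "specs:" block of a lockfile.
# Gem lines sit at exactly four spaces of indent as "name (version)";
# deeper lines are that gem's dependencies and carry no pinned version.
def parse_lockfile(text)
  versions = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    # A blank line or an unindented section header (PLATFORMS, ...) ends the block.
    in_specs = false if line.strip.empty? || line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)/))
      # Platform builds look like "1.6.0-x86-mingw32"; keep only the version part.
      versions[m[1]] = Gem::Version.new(m[2].split("-").first)
    end
  end
  versions
end

# A version is affected unless it satisfies one of the unaffected_versions
# or one of the patched_versions requirements (assumed advisory semantics).
def vulnerable?(version, advisory)
  safe = Array(advisory["unaffected_versions"]) + Array(advisory["patched_versions"])
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Read every advisory file from a local checkout laid out as gems/<gem>/<id>.yml.
def load_advisories(db_path)
  Dir.glob(File.join(db_path, "gems", "*", "*.yml")).map { |f| File.read(f) }
end

# Cross-check a lockfile against a list of advisory YAML documents and
# return one finding per (gem, advisory) pair that affects the locked version.
def audit(lockfile_text, advisory_yamls)
  versions = parse_lockfile(lockfile_text)
  advisory_yamls.map { |y| YAML.safe_load(y) }.each_with_object([]) do |adv, findings|
    version = versions[adv["gem"]]
    next unless version && vulnerable?(version, adv)
    findings << { gem: adv["gem"], version: version.to_s, id: adv["cve"], title: adv["title"] }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby audit.rb [path/to/ruby-advisory-db] [path/to/Gemfile.lock]
  advisories = ARGV[0] ? load_advisories(ARGV[0]) : SAMPLE_ADVISORIES
  lockfile = ARGV[1] ? File.read(ARGV[1]) : SAMPLE_LOCKFILE
  audit(lockfile, advisories).each do |f|
    puts "#{f[:gem]} #{f[:version]}: #{f[:id]} #{f[:title]}"
  end
end
```

Run without arguments it audits the embedded sample and reports actionpack 3.2.12 and nokogiri 1.5.9 as affected while rack 1.4.5 passes because it satisfies ">= 1.4.5". Pointing it at a checkout of ruby-advisory-db and a real Gemfile.lock turns it into the warning tool the post asks for; the coverage gaps the post notes in the database itself remain, since the script can only flag what the advisories describe.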