...dfsg-1.3build2.1) UNRELEASED; urgency=medium * SECURITY UPDATE: possible arbitrary file leak (CVE-2022-44268) * Backport upstream https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe -- YOUR NAME <YOUR@EMAIL-ADDRESS> Sun, 05 Feb...
...dfsg-2.1ubuntu11.4.1) UNRELEASED; urgency=medium * SECURITY UPDATE: possible arbitrary file leak (CVE-2022-44268) * Backport upstream https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe -- YOUR NAME <YOUR@EMAIL-ADDRESS> Sun, 05 Feb...
...fails like this: Invalid query parameters: invalid %-encoding (../../../../../../../../../etc/passwd%%0000.html) Someone tries to exploit CVE-2019-5418. If you use the latest Rails (or latest Rails LTS) you're safe...
...so slow that it can DoS your application (examples are ActiveRecord's PostgreSQL CVE-2021-22880 or the 2019 Cloudflare outage). Greedy quantifiers (default) A plain * or + is greedy...
...a few selective npm libraries in a project that uses pnpm to apply a CVE mitigation. My first instinct was to modify the package.json file and hope that pnpm install...
...changes (both to the package.json and pnpm lockfile) will be minimal. Example for my CVE-2025-66478 fix: pnpm up next@15.4.8 react@19.1.2 There is also pnpm audit --fix...
...source(:github) { |repo| "https://github.com/#{repo}.git" } ruby "2.7.6" gem "rails" gem "sqlite3", ">1.4.0" # CVE-XYZ gem "puma" Downgrades with bundler happen only in rare cases and will emit...
...consistently enforce this, your rails line would have a long line of comments with CVEs Good source "https://rubygems.org" git_source(:github) { |repo| "https://github.com/#{repo}.git" }
...apps are Ruby, Rails, all other gems and JavaScript libraries. Find out what a CVE advisory is. Understand how we're dealing with security issues when new CVEs affect our...
...unpoly": "2.x" and "unpoly": "^2.7.2" express the same version constraint Bad Commit message: Fixes CVE-XYZ { "dependencies": { "autosize": ">6.0.0", "unpoly": "x" } } There is no reason we have to protect...
...match rows without knowing a secret token: Potential Query Manipulation with Common Rails Practises CVE-2013-3211 MySQL madness and Rails
Yesterday, Rails fixed a security issue (CVE-2014-3514) in Rails 4+. It was possible to use .where or .create_with to bypass Rails' Strong Parameters: user.blog_posts.create_with...
Enter the hostname of a server to test it for CVE...