cve
- Engineering
- Last Updated: June 27, 2018
- Camille Baldock
Over the past few weeks, Heroku proactively updated our entire Redis fleet with a version of Redis not vulnerable to CVE-2018-11218. This was an embargoed vulnerability, so we did this work without notifying our customers about the underlying cause. As always, our goal was to update all Heroku Redis instances well before the embargo expired. As a Data Infrastructure Engineer at Heroku, I wanted to share how we manage large fleet operations such as this one. The most important aspect of our job is keeping customers safe from security vulnerabilities, while also minimizing disruption and downtime. Those two objectives are…
- Engineering
- Last Updated: June 19, 2018
- Richard Schneeman
All previously released versions of Sprockets, the software that powers the Rails asset pipeline, contain a directory traversal vulnerability. This vulnerability has been assigned CVE-2018-3760. How do I know if I'm affected? Rails applications are vulnerable if they have this setting enabled in their application: # config/environments/production.rb config.assets.compile = true # setting to true makes your app vulnerable Note: The default value of this setting that ships with Rails in production.rb is false. By default, Rails apps running in production mode are not vulnerable to this exploit. How do I fix it? To remediate this vulnerability, applications can either change…
- Engineering
- Last Updated: June 03, 2024
- Etienne Stalmans
At Heroku we consistently monitor vulnerability feeds for new issues. Once a new vulnerability drops, we jump into action to triage and determine how our platform and customers may be affected. Part of this process involves evaluating possible attack scenarios not included in the original vulnerability report. We also spend time looking for "adjacent" and similar bugs in other products. The following Ruby vulnerability was identified during this process. Vulnerability Triage A vulnerability, CVE-2017-8817, was identified in libcurl. The FTP function contained an out of bounds read when processing wildcards. As soon as the vulnerability was made public, we went…
Subscribe to the full-text RSS feed for Camille Baldock.