docker-library/ruby

CVE-2021-43809

tchukuchuk opened this issue · 1 comments

Hi,

Maybe I've missed something but is it possible to update bundler to fix https://avd.aquasec.com/nvd/cve-2021-43809 ?

$ docker run -t --rm ruby:3.0.3-slim-buster bundle -v
Bundler version 2.2.32

Regards.

We stopped installing a specific version of Bundler a few years ago (#255) and just use whatever version comes bundled with the specific release of Ruby. So it would be up to Ruby upstream to make a new patch release that includes an updated Bundler. You can also update it in your own image FROM ruby:3.0.0-slim-buster.
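For anyone updating Bundler in their own derived image as suggested above, a build or CI step can confirm that the image ends up with a new enough version. The script below is an added example, not code from this thread or from docker-library/ruby; the function names, the MIN_BUNDLER_VERSION variable and the demo minimum are assumptions, and the real minimum should be taken from the advisory.

```ruby
# Added example: gate on the Bundler version that `bundle -v` reports.
require "rubygems"

# Parse the line printed by `bundle -v`, e.g. "Bundler version 2.2.32".
# Returns a Gem::Version, or nil when the output is not in that form.
def parse_bundler_version(output)
  m = output.to_s.match(/\ABundler version (\S+)/)
  return nil unless m && Gem::Version.correct?(m[1])
  Gem::Version.new(m[1])
end

# :ok when the reported version is >= minimum, :outdated when it is lower,
# :unknown when the output could not be parsed (treat that as a failure too).
def bundler_status(output, minimum)
  found = parse_bundler_version(output)
  return :unknown if found.nil?
  found >= Gem::Version.new(minimum) ? :ok : :outdated
end

if (minimum = ENV["MIN_BUNDLER_VERSION"])
  # Live check, e.g. as a RUN step in a derived image after updating Bundler.
  status = bundler_status(`bundle -v 2>&1`, minimum)
  puts "bundler check against #{minimum}: #{status}"
  exit 1 unless status == :ok
else
  # Demo on constructed input. DEMO_MINIMUM is a placeholder, not the
  # fixed version from the advisory.
  DEMO_MINIMUM = "2.3.0"
  [
    "Bundler version 2.2.32",    # the output shown in the issue
    "Bundler version 2.10.0",    # constructed: compared numerically, not as text
    "sh: 1: bundle: not found",  # constructed: unparsable output
  ].each do |line|
    puts "#{line.inspect} -> #{bundler_status(line, DEMO_MINIMUM)}"
  end
end
```

Comparing with Gem::Version rather than as strings matters here: as text, "2.10.0" sorts before "2.3.0", which would flag a newer Bundler as outdated.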