v1.5.4 was released on GitHub on February 3, 2025, but it hasn't been published to RubyGems — the latest version there is still 1.5.3 from November 2024.
This is causing multiple CVEs to be flagged by container image scanners (AWS ECR Inspector) on the pre-built Go binaries shipped in the 1.5.3 gem:
- CVE-2024-45337 (golang.org/x/crypto, CVSS 9.1) — SSH PublicKeyCallback authorization bypass. The 1.5.3 gem ships golang.org/x/crypto v0.17.0, fix requires >= v0.31.0. Confirmed fixed in v1.5.4 which bumps it to v0.31.0.
- CVE-2024-24790 (Go stdlib, CVSS 9.8) — IPv4-mapped IPv6 address validation bypass. Fix requires Go >= 1.22.4. Likely fixed in v1.5.4 depending on the Go toolchain version used during the release build.
This was also noted in the v1.5.3 release notes: "We intend to release this version to rubygems.org, which has fallen out of sync with the underlying go binary."
Could you please publish 1.5.4 (or a newer build) to RubyGems? Thank you!
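A way to verify, rather than infer from a scanner report, which Go toolchain and golang.org/x/crypto version a gem's bundled Go binary actually embeds, as an added example that is not part of the issue or the project: the program reads the build info that every module-built Go binary carries (the same data `go version -m <binary>` prints) via the standard library's debug/buildinfo package and compares it against the fixed versions quoted above. The `minFixedVersions` table, the `buildInfoOf` helper (used to exercise the check without a real binary) and the simplified numeric version comparison are assumptions for illustration, not anything from the gem.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"sort"
	"strings"
)

// Finding records a module (or the toolchain, keyed "go") whose embedded
// version is below the lowest version that carries the fix.
type Finding struct {
	Path    string
	Shipped string
	FixedIn string
}

// minFixedVersions holds the thresholds quoted in the issue text (assumed table).
var minFixedVersions = map[string]string{
	"golang.org/x/crypto": "v0.31.0",  // CVE-2024-45337
	"go":                  "go1.22.4", // CVE-2024-24790
}

// versionParts strips a leading "v" or "go" and returns the dotted numeric
// components. Text after "-" or "+" is dropped and a non-digit ends a component,
// so "go1.23rc1" is treated like go1.23.0 and a "devel ..." toolchain parses
// as 0 and is flagged (simplified comparison, assumption for this example).
func versionParts(v string) []int {
	v = strings.TrimPrefix(v, "go")
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var parts []int
	for _, comp := range strings.Split(v, ".") {
		n := 0
		for _, r := range comp {
			if r < '0' || r > '9' {
				break
			}
			n = n*10 + int(r-'0')
		}
		parts = append(parts, n)
	}
	return parts
}

// versionLess reports whether a sorts before b component by component;
// missing components count as zero, so "v0.31" equals "v0.31.0".
func versionLess(a, b string) bool {
	pa, pb := versionParts(a), versionParts(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// vulnerableDeps checks the toolchain version and every dependency recorded in
// the binary's build info against minFixedVersions. A replace directive is
// honoured because the replacement is what was actually compiled in.
func vulnerableDeps(info *debug.BuildInfo) []Finding {
	var out []Finding
	if fixed, ok := minFixedVersions["go"]; ok && versionLess(info.GoVersion, fixed) {
		out = append(out, Finding{"go", info.GoVersion, fixed})
	}
	for _, dep := range info.Deps {
		m := dep
		if m.Replace != nil {
			m = m.Replace
		}
		if fixed, ok := minFixedVersions[dep.Path]; ok && versionLess(m.Version, fixed) {
			out = append(out, Finding{dep.Path, m.Version, fixed})
		}
	}
	return out
}

// buildInfoOf assembles a BuildInfo by hand (hypothetical helper for testing
// the check offline); deps are emitted in path order so output is stable.
func buildInfoOf(goVersion string, deps map[string]string) *debug.BuildInfo {
	paths := make([]string, 0, len(deps))
	for p := range deps {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	info := &debug.BuildInfo{GoVersion: goVersion}
	for _, p := range paths {
		info.Deps = append(info.Deps, &debug.Module{Path: p, Version: deps[p]})
	}
	return info
}

func main() {
	path := os.Args[0] // default: inspect this program itself
	if len(os.Args) > 1 {
		path = os.Args[1] // e.g. the Go binary unpacked from the gem
	}
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "no Go build info:", err)
		os.Exit(2)
	}
	for _, f := range vulnerableDeps(info) {
		fmt.Printf("%s %s is below fixed version %s\n", f.Path, f.Shipped, f.FixedIn)
	}
}
```

Run it against the binary extracted from the installed gem (`gem unpack` or the gem's lib directory) to see both the toolchain and the x/crypto version that were actually linked in; this is the quickest way to settle the "depending on the Go toolchain version used during the release build" question for any published build.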