Skip to content

Fix CVE-2026-41316: upgrade Ruby erb gem to >=6.0.4 #1060

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dpark01 merged 1 commit into from
Apr 27, 2026
Merged

Fix CVE-2026-41316: upgrade Ruby erb gem to >=6.0.4 #1060

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion docker/Dockerfile.assemble
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@

# Workaround: add sequip lib directory to PERL5LIB
# NOTE: sequip version here must match the version in requirements/assemble.txt
ENV PERL5LIB=$PERL5LIB:/opt/conda/share/sequip-0.11/lib

Check warning on line 23 in docker/Dockerfile.assemble

View workflow job for this annotation

GitHub Actions / build-assemble-amd64

Variables should be defined before their use 

UndefinedVar: Usage of undefined variable '$PERL5LIB'
More info: https://docs.docker.com/go/dockerfile/rule/undefined-var/

Check warning on line 23 in docker/Dockerfile.assemble

View workflow job for this annotation

GitHub Actions / build-assemble-amd64

Variables should be defined before their use 

UndefinedVar: Usage of undefined variable '$PERL5LIB'
More info: https://docs.docker.com/go/dockerfile/rule/undefined-var/

Check warning on line 23 in docker/Dockerfile.assemble

View workflow job for this annotation

GitHub Actions / build-assemble-arm64

Variables should be defined before their use 

UndefinedVar: Usage of undefined variable '$PERL5LIB'
More info: https://docs.docker.com/go/dockerfile/rule/undefined-var/

Check warning on line 23 in docker/Dockerfile.assemble

View workflow job for this annotation

GitHub Actions / build-assemble-arm64

Variables should be defined before their use 

UndefinedVar: Usage of undefined variable '$PERL5LIB'
More info: https://docs.docker.com/go/dockerfile/rule/undefined-var/

# Copy requirements and dependency installation script
COPY docker/requirements/baseimage.txt docker/requirements/core.txt docker/requirements/assemble.txt docker/requirements/assemble-x86.txt /tmp/requirements/
Expand All @@ -32,12 +32,17 @@
# - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
# - Ruby json gem: mummer4/sequip pull in Ruby (via yaggo), whose bundled json gem
# has CVE-2026-33210; remove the old default gem and install patched version (>=2.19.2)
# - Ruby erb gem: same chain (mummer4 → yaggo → ruby), CVE-2026-41316 (Marshal
# deserialization bypass via ERB#def_module); remove default gem and install >=6.0.4
RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/assemble.txt \
--x86-only:/tmp/requirements/assemble-x86.txt && \
rm -f /opt/conda/libexec/mafft/dash_client && \
find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
gem install json --version '>=2.19.2' --no-document
gem install json --version '>=2.19.2' --no-document && \
find /opt/conda/lib/ruby -maxdepth 3 -name 'erb*' -exec rm -rf {} + && \
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/erb-*.gemspec && \
gem install erb --version '>=6.0.4' --no-document

# Copy source code (includes assembly module)
COPY src/ /opt/viral-ngs/source/src/
Expand Down
7 changes: 6 additions & 1 deletion docker/Dockerfile.mega
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,14 +29,19 @@ COPY docker/install-conda-deps.sh /tmp/
# - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
# - Ruby json gem: mummer4 → yaggo → Ruby, whose bundled json gem has CVE-2026-33210;
# remove the old default gem and install patched version (>=2.19.2)
# - Ruby erb gem: same chain (mummer4 → yaggo → ruby), CVE-2026-41316 (Marshal
# deserialization bypass via ERB#def_module); remove default gem and install >=6.0.4
RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/assemble.txt /tmp/requirements/classify.txt /tmp/requirements/phylo.txt \
--x86-only:/tmp/requirements/assemble-x86.txt \
--x86-only:/tmp/requirements/classify-x86.txt \
--x86-only:/tmp/requirements/phylo-x86.txt && \
rm -f /opt/conda/libexec/mafft/dash_client && \
find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
gem install json --version '>=2.19.2' --no-document
gem install json --version '>=2.19.2' --no-document && \
find /opt/conda/lib/ruby -maxdepth 3 -name 'erb*' -exec rm -rf {} + && \
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/erb-*.gemspec && \
gem install erb --version '>=6.0.4' --no-document

# Copy source code (includes all modules)
COPY src/ /opt/viral-ngs/source/src/
Expand Down
7 changes: 6 additions & 1 deletion docker/Dockerfile.phylo
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,12 +29,17 @@ COPY docker/install-conda-deps.sh /tmp/
# - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
# - Ruby json gem: mummer4 pulls in yaggo → Ruby, whose bundled json gem has
# CVE-2026-33210; remove the old default gem and install patched version (>=2.19.2)
# - Ruby erb gem: same chain (mummer4 → yaggo → ruby), CVE-2026-41316 (Marshal
# deserialization bypass via ERB#def_module); remove default gem and install >=6.0.4
RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/phylo.txt \
--x86-only:/tmp/requirements/phylo-x86.txt && \
rm -f /opt/conda/libexec/mafft/dash_client && \
find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
gem install json --version '>=2.19.2' --no-document
gem install json --version '>=2.19.2' --no-document && \
find /opt/conda/lib/ruby -maxdepth 3 -name 'erb*' -exec rm -rf {} + && \
rm -f /opt/conda/lib/ruby/gems/*/specifications/default/erb-*.gemspec && \
gem install erb --version '>=6.0.4' --no-document

# Copy source code (includes phylo module)
COPY src/ /opt/viral-ngs/source/src/
Expand Down
Loading