Skip to content

update patched_versions for GHSA-mjgf-xj26-9qf9#1158

Merged
simi merged 1 commit into
rubysec:masterfrom
krzyzak:update-pay-patched-version
Jul 7, 2026
Merged

update patched_versions for GHSA-mjgf-xj26-9qf9#1158
simi merged 1 commit into
rubysec:masterfrom
krzyzak:update-pay-patched-version

Conversation

@krzyzak

@krzyzak krzyzak commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Add patched_versions for GHSA-mjgf-xj26-9qf9 (pay)

Sets patched_versions: [">= 11.6.2"] on the pay advisory for the non-constant-time HMAC comparison in the Paddle Billing webhook signature verifier.

When this advisory was first added, no fixed release existed yet — 11.6.1 was the latest (unpatched) version. pay 11.6.2 has since shipped with the fix, so this PR records the patched version and updates the notes accordingly.

References

@jasnow jasnow self-requested a review July 7, 2026 12:25

@jasnow jasnow left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jasnow jasnow requested a review from simi July 7, 2026 13:20
@simi simi merged commit d3a78ee into rubysec:master Jul 7, 2026
2 checks passed
@jasnow

jasnow commented Jul 7, 2026

Copy link
Copy Markdown
Member

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants