
Upgrade Rails to 5.2.4.5

Added by Admin Redmine over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Security_51
Target version:
Start date: 2022/05/09
Due date:
% Done: 0%
Estimated time:
category_id: 51
version_id: 161
issue_org_id: 33906
author_id: 1565
assigned_to_id: 332
comments: 15
status_id: 5
tracker_id: 2
plus1: 0
affected_version:
closed_on:
affected_version_id:
Status --> [Closed]

Description

As released on May 18, 2020 with the following "announcement":https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/:

Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

[CVE-2020-8162] Circumvention of file size limits in ActiveStorage
[CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
[CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
[CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
[CVE-2020-8167] CSRF Vulnerability in rails-ujs

Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled @rails-ujs@ code.

I'll set this issue to private given the possible implications.


Journals

Thank you for reporting the issue. I had missed the release.

Mischa The Evil wrote:
> Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled @rails-ujs@ code.

Do you know how to build a new @public/javascripts/jquery-*-ui-*-ujs-*.js@?
--------------------------------------------------------------------------------
Go MAEDA wrote:
> Mischa The Evil wrote:
> > Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled @rails-ujs@ code.
>
> Do you know how to build a new @public/javascripts/jquery-*-ui-*-ujs-*.js@?

I do not, though given the remaining[1] history, I think Marius should be able to tell this.

fn1. the last update of the file in r19803 destroyed the file's prior history in SCM.
--------------------------------------------------------------------------------
I manually maintain @public/javascripts/jquery-*-ui-*-ujs-*.js?@ by replacing the old versions of the JS libraries with the new versions.

Regarding @rails-ujs@, the file is part of the actionview gem and the new version can be found in @lib/assets/compiled/rails-ujs.js@, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non minified until we adopt a JS package tool to manage the dependencies.

Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.

--------------------------------------------------------------------------------
JPL committed the patch for updating Rails to 5.2.4.4 five months ago (r20109). As it's no longer a thing, shall we close this issue and perhaps #34062, too?
--------------------------------------------------------------------------------
Marius BALTEANU wrote:
> I manually maintain @public/javascripts/jquery-*-ui-*-ujs-*.js?@ by replacing the old versions of the JS libraries with the new versions.
>
> Regarding @rails-ujs@, the file is part of the actionview gem and the new version can be found in @lib/assets/compiled/rails-ujs.js@, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non minified until we adopt a JS package tool to manage the dependencies.
>
> Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.

Okay, didn't read that beforehand. Sorry. Reading before writing is always a good habit. @*facepalm*@

--------------------------------------------------------------------------------
Adding a patch that:
* Updates Rails to 5.2.4.5 which includes another security fix.
* Updates Rails UJS to 5.2.4.5 unminified in order to avoid this manual step.

All tests pass: https://gitlab.com/redmine-org/redmine/-/pipelines/270145466 (except some flaky system tests).
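The patch above bumps the Rails pin; the script below is an added example (not part of the issue or of Redmine) that verifies, from a constructed Gemfile.lock fragment, that the pinned rails gem is at least the 5.2.4.5 release this issue asks for. The dotted-version comparison is generic so the same function can be used with any minimum.

```shell
#!/bin/sh
# Added example, not from the Redmine issue: confirm the rails pin in Gemfile.lock
# is at least the patched release named in this issue (5.2.4.5).
set -eu

# Constructed sample Gemfile.lock fragment, in the layout bundler writes.
SAMPLE_LOCK='GEM
  remote: https://rubygems.org/
  specs:
    actionview (5.2.4.5)
      activesupport (= 5.2.4.5)
    rails (5.2.4.5)
      actionview (= 5.2.4.5)
'

# rails_version LOCKFILE_TEXT -> prints the version pinned for the "rails" spec
# (matches "rails (x.y.z)", not dependency lines such as "rails (= x.y.z)").
rails_version() {
  printf '%s\n' "$1" | awk '$1 == "rails" && $2 ~ /^\([0-9]/ {
    gsub(/[()]/, "", $2); print $2; exit }'
}

# version_ge A B -> exit 0 if dotted version A >= B, comparing field by field
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# rails_patched LOCKFILE_TEXT MINIMUM -> exit 0 if the pinned rails is >= MINIMUM
rails_patched() {
  v=$(rails_version "$1")
  [ -n "$v" ] || return 1   # no rails pin found: treat as not patched
  version_ge "$v" "$2"
}

if rails_patched "$SAMPLE_LOCK" 5.2.4.5; then
  echo "rails $(rails_version "$SAMPLE_LOCK") is at least 5.2.4.5"
else
  echo "rails pin is below 5.2.4.5: upgrade needed"
fi
```

This only checks the gem pin; the copy of rails-ujs bundled under public/javascripts that the thread discusses is maintained by hand and must be checked separately.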
--------------------------------------------------------------------------------
Committed the patches. Thank you.


Related issues

Duplicates: #34062 Upgrade Rails to 5.2.4.5 (Closed)

Updated by Admin Redmine over 3 years ago

  • Category set to Security_51
  • Target version set to 4.0.8_161
