Extremely critical Ruby on Rails bug (CVE-2013-0156)
Added by Djordjije Crni almost 12 years ago
January 8, 2013: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
How to patch RoR, in order to fix installed Redmine v1.4.x (1.4.x requires Rails 2.3.14)?
Upgrade to v2.2.0 is not an option, because of plugin incompatibility...
Replies (9)
RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Ivan Cenov almost 12 years ago
.
RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Jan Niggemann (redmine.org team member) almost 12 years ago
To use rails 2.3.15, edit your Gemfile
and replace the rails version, then you use bundle update
to update your bundle.
While it is unlikely that a minor rails update will break something, it still can happen - please make sure you have recent backups.
Migrating to a more recent Redmine release using Rails 3.2.11 as a dependency is a better option if you can allow it.
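As an added example that is not part of this thread, the script below checks whether a pinned Rails version predates the fixed releases named in the announcement linked above (2.3.15, 3.0.19, 3.1.10, 3.2.11), and pulls RAILS_GEM_VERSION out of a Rails 2.x config/environment.rb such as the one Redmine 0.9.x ships; the environment.rb excerpt it parses is constructed for the example.

```ruby
# Added example (not from the thread): flag Rails versions that predate the
# CVE-2013-0156 fix, and read the pinned version from a Rails 2.x environment.rb.
require 'rubygems'

# Fixed releases announced on 2013-01-08, keyed by release branch.
FIXED_RAILS = {
  '2.3' => Gem::Version.new('2.3.15'),
  '3.0' => Gem::Version.new('3.0.19'),
  '3.1' => Gem::Version.new('3.1.10'),
  '3.2' => Gem::Version.new('3.2.11'),
}.freeze

# True when +version+ is older than the fixed release of its branch.
def vulnerable_to_cve_2013_0156?(version)
  v = Gem::Version.new(version)
  branch = v.segments.first(2).join('.')
  fixed = FIXED_RAILS[branch]
  return v < fixed if fixed
  # Unlisted branches: everything older than 2.3 is affected and never got a
  # fixed release (upgrade is the only fix); anything newer than 3.2 shipped
  # after the fix and is treated as not affected here.
  v < FIXED_RAILS['2.3']
end

# Extracts RAILS_GEM_VERSION from the text of a Rails 2.x environment.rb.
# Returns nil when the file does not pin a version (Rails 3 uses the Gemfile).
def pinned_rails_version(environment_rb)
  m = environment_rb.match(/^\s*RAILS_GEM_VERSION\s*=\s*['"]([^'"]+)['"]/)
  m && m[1]
end

# Constructed excerpt in the shape of a Redmine 0.9.x config/environment.rb.
SAMPLE_ENVIRONMENT_RB = <<'EOS'
# Specifies gem version of Rails to use when vendor/rails is not present
RAILS_GEM_VERSION = '2.3.5' unless defined? RAILS_GEM_VERSION
EOS

if __FILE__ == $0
  v = pinned_rails_version(SAMPLE_ENVIRONMENT_RB)
  puts "Rails #{v}: #{vulnerable_to_cve_2013_0156?(v) ? 'needs update' : 'fixed release'}"
end
```

For a Redmine 1.4 install the version to check is the one pinned in the Gemfile rather than in environment.rb.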
RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Peter Panther almost 12 years ago
I've updated my redmine server 1.4.5 with rails 2.3.15.
After running a set of tests everything seems to be ok!
RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Djordjije Crni almost 12 years ago
Thanks, it works without problems.
RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Glenn Gould almost 12 years ago
We have a server with an antique redmine 0.9.2 which seems to use rails 2.3.5 and therefore is affected by this critical Rails bug.
Is there a chance to make 0.9.2 work with rails 2.3.15 and if so, any suggestions how to do it? 2.3.15 doesn't use bundler?
As an alternative, is it safe to disable XML parsing like suggested in the CVE, or will this break Redmine?
RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Jan Niggemann (redmine.org team member) almost 12 years ago
Holy cow, 0.9.2 is 3 years old... What keeps you from updating?
You can copy your instance to a new machine and run the tests with rails 2.3.15...
RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Etienne Massip almost 12 years ago
Glenn Gould wrote:
We have a server with an antique redmine 0.9.2 which seems to use rails 2.3.5 and therefore is affected by this critical Rails bug.
Is there a chance to make 0.9.2 work with rails 2.3.15
You can try as Jan suggested but I'd say no.
As an alternative, is it safe to disable XML parsing like suggested in the CVE, or will this break Redmine?
Yes it should be safe.
RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Glenn Gould almost 12 years ago
Thanks for your answers, Jan and Etienne!
If I get the CVE correctly, I need to put something like
ActionController::Base.param_parsers.delete(Mime::XML)
"inside an application initializer."
Unfortunately I'm not really an insider of the Rails world (which is at least part of the problem of sticking with 0.9.2).
Do I get it correctly: that means to put the snippet into <redmine_home>/config/environment.rb?
The file environment.rb looks like this:
hoshi:/srv/www/redmine/config/environments# cat ../environment.rb
# Be sure to restart your web server when you modify this file.

# Uncomment below to force Rails into production mode when
# you don't control web/app server and can't set it the proper way
# ENV['RAILS_ENV'] ||= 'production'

# Specifies gem version of Rails to use when vendor/rails is not present
RAILS_GEM_VERSION = '2.3.5' unless defined? RAILS_GEM_VERSION

# Bootstrap the Rails environment, frameworks, and default configuration
require File.join(File.dirname(__FILE__), 'boot')

# Load Engine plugin if available
begin
  require File.join(File.dirname(__FILE__), '../vendor/plugins/engines/boot')
rescue LoadError
  # Not available
end

Rails::Initializer.run do |config|
  # Settings in config/environments/* take precedence those specified here

  # Skip frameworks you're not going to use
  # config.frameworks -= [ :action_web_service, :action_mailer ]

  # Add additional load paths for sweepers
  config.load_paths += %W( #{RAILS_ROOT}/app/sweepers )

  # Force all environments to use the same logger level
  # (by default production uses :info, the others :debug)
  # config.log_level = :debug

  # Enable page/fragment caching by setting a file-based store
  # (remember to create the caching directory and make it readable to the application)
  # config.action_controller.fragment_cache_store = :file_store, "#{RAILS_ROOT}/cache"

  # Activate observers that should always be running
  # config.active_record.observers = :cacher, :garbage_collector
  config.active_record.observers = :message_observer, :issue_observer, :journal_observer, :news_observer, :document_observer, :wiki_content_observer

  # Make Active Record use UTC-base instead of local time
  # config.active_record.default_timezone = :utc

  # Use Active Record's schema dumper instead of SQL when creating the test database
  # (enables use of different database adapters for development and test environments)
  # config.active_record.schema_format = :ruby

  # Deliveries are disabled by default. Do NOT modify this section.
  # Define your email configuration in email.yml instead.
  # It will automatically turn deliveries on
  config.action_mailer.perform_deliveries = false

  config.gem 'rubytree', :lib => 'tree'

  # Load any local configuration that is kept out of source control
  # (e.g. gems, patches).
  if File.exists?(File.join(File.dirname(__FILE__), 'additional_environment.rb'))
    instance_eval File.read(File.join(File.dirname(__FILE__), 'additional_environment.rb'))
  end
end
So I'd put the code snippet as the first line into the "Rails::Initializer.run do" block, correct?
Sorry for asking very basic questions, but I'm a little bit lost here...
Thanks again for your help!
RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Etienne Massip almost 12 years ago
Looks like, yes.