Updating ruby to resolve vulnerabilities in 4.2.1
Added by A Fora over 3 years ago
Hi guys,
I have just run bundle audit check and it reports the following high-rated vulnerabilities:
Name: actionpack
Version: 5.2.5
CVE: CVE-2021-22904
GHSA: GHSA-7wjx-3g7j-8584
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Title: Possible DoS Vulnerability in Action Controller Token Authentication
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Name: actionpack
Version: 5.2.5
CVE: CVE-2021-22885
GHSA: GHSA-hjg4-8q5f-x6fm
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Vulnerabilities found!
Could anyone recommend an appropriate Rails update policy which will not result in breaking a working Redmine installation? I could only update Ruby if I changed the Rails version in Gemlock from
gem 'rails', '5.2.5'
to
gem 'rails', '5.2.6'
manually and then ran bundle install in the Redmine folder. It seems to be working and not affecting Redmine at this stage.
The question is: is this an appropriate strategy in general for any future vulnerabilities in Ruby? I'm not Ruby-savvy and I really struggle with this.
Many thanks for your thoughts!
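The step that is easy to get wrong when doing this by hand is deciding whether the version you are about to pin is actually inside one of the "Solution: upgrade to ..." ranges, because bundler-audit prints them as a comma-joined list and "~>" has its own meaning. The script below is an added example (not the poster's code and not part of Redmine): it reads the resolved versions out of a Gemfile.lock, evaluates each advisory's patched ranges with Gem::Requirement, and checks a candidate version against every advisory for that gem before you edit the Gemfile. The lock-file excerpt is constructed for illustration. The advisory ranges are transcribed from the bundle-audit output quoted above; treating ">= 6.0.3.7, ~> 6.0.3" as one compound range (the 6.0.x line) rather than two alternatives is an assumption about how the tool joined the list.

```ruby
require 'rubygems'

# Constructed Gemfile.lock excerpt for illustration (not the poster's real file).
# Bundler records the resolved version of every gem under GEM/specs.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.5)
        actionview (= 5.2.5)
      actionview (5.2.5)
      rails (5.2.5)
        actionpack (= 5.2.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 5.2.5)

  BUNDLED WITH
     2.1.4
LOCK

# Advisory data transcribed from the bundle-audit output quoted in the post.
# bundler-audit prints the patched ranges joined with ", "; each entry is an
# alternative, and an entry may itself be a conjunction ("a, b").
# Grouping ">= 6.0.3.7, ~> 6.0.3" as one entry is an assumption (see lead-in).
PATCHED = ['~> 5.2.4.6', '~> 5.2.6', '>= 6.0.3.7, ~> 6.0.3', '>= 6.1.3.2'].freeze
ADVISORIES = [
  { gem: 'actionpack', cve: 'CVE-2021-22904', patched: PATCHED },
  { gem: 'actionpack', cve: 'CVE-2021-22885', patched: PATCHED },
].freeze

# Spec lines look like "    name (version)". Dependency lines are indented
# deeper and carry an operator ("(= 5.2.5)"), so they do not match.
SPEC_LINE = /^ {4}(\S+) \((\d[^)]*)\)$/.freeze

# Map gem name => Gem::Version for every gem resolved in the lock file.
def locked_versions(lock_text)
  lock_text.scan(SPEC_LINE).map { |name, version| [name, Gem::Version.new(version)] }.to_h
end

# True if the version falls inside at least one patched range. A range such
# as ">= 6.0.3.7, ~> 6.0.3" is a conjunction, so it is split before being
# handed to Gem::Requirement, which implements the "~>" semantics for us.
def satisfies_any?(version, ranges)
  ranges.any? do |range|
    Gem::Requirement.new(*range.split(',').map(&:strip)).satisfied_by?(version)
  end
end

# Every advisory whose gem is locked at a version outside all patched ranges.
def vulnerable_gems(lock_text, advisories = ADVISORIES)
  locked = locked_versions(lock_text)
  advisories.map do |adv|
    version = locked[adv[:gem]]
    next if version.nil? || satisfies_any?(version, adv[:patched])
    { gem: adv[:gem], version: version.to_s, cve: adv[:cve] }
  end.compact
end

# Before editing the Gemfile, confirm the candidate clears every advisory for
# that gem, not just the first one bundle-audit happened to print.
def safe_target?(gem_name, candidate, advisories = ADVISORIES)
  version = Gem::Version.new(candidate)
  advisories.select { |a| a[:gem] == gem_name }
            .all? { |a| satisfies_any?(version, a[:patched]) }
end

if $PROGRAM_NAME == __FILE__
  vulnerable_gems(LOCKFILE).each do |v|
    puts "#{v[:gem]} #{v[:version]} is affected by #{v[:cve]}"
  end
  %w[5.2.5 5.2.4.6 5.2.6 6.0.3 6.0.3.7 6.1.3.2].each do |candidate|
    status = safe_target?('actionpack', candidate) ? 'patched' : 'still vulnerable'
    puts "actionpack #{candidate}: #{status}"
  end
end
```

Run it against a real Gemfile.lock by replacing LOCKFILE with File.read('Gemfile.lock'). Note what the "~>" check catches: 6.0.3 is not patched (the fix for the 6.0 line is 6.0.3.7), while 5.2.4.6 and 5.2.6 are, which is why pinning 5.2.6 in the Gemfile clears both advisories.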
Replies (5)
RE: Updating ruby to resolve vulnerabilities in 4.2.1 - Added by A Fora over 3 years ago
Just bumping up the question if you guys could help.
Tu!
RE: Updating ruby to resolve vulnerabilities in 4.2.1 - Added by Go MAEDA over 3 years ago
Redmine 4.2.2 that updates Rails to 5.2.6 is going to be released very soon.
RE: Updating ruby to resolve vulnerabilities in 4.2.1 - Added by Marius BĂLTEANU over 3 years ago
We will release new versions this weekend which contain the Rails updates.
RE: Updating ruby to resolve vulnerabilities in 4.2.1 - Added by A Fora over 3 years ago
Ok, thank you. But is my approach to updating it in the future valid?:
- Manually find the vulnerable dependency
- Manually change Gemlock
- run bundle install
Many thanks!
RE: Updating ruby to resolve vulnerabilities in 4.2.1 - Added by Marius BĂLTEANU over 3 years ago
A Fora wrote:
Ok, thank you. But is my approach to updating it in the future valid?:
- Manually find the vulnerable dependency
- Manually change Gemlock
- run bundle install
Many thanks!
Well, it depends a lot on the update. I would recommend manually patching your instance only if we have already committed the patch on Redmine trunk or the stable branches. We cannot guarantee that a Rails or gem update won't break anything. We're trying to do our best and release security updates as soon as possible based on issue severity.
Also, I strongly recommend reporting the vulnerability/findings in this issue tracker if it wasn't already reported.
Please let me know if I answered your questions now.