Defect #33334

bump i18n for advisory: CVE-2014-10077

Added by Popa Marius over 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Security
Target version: -
Resolution: Fixed
Start date: (not set)
Due date: (not set)
% Done: 0%
Affected version: 4.0.7

Description

Please update i18n from 0.7.0 to 0.8.0

bundle-audit
Name: i18n
Version: 0.7.0
Advisory: CVE-2014-10077
Criticality: Unknown
URL: https://github.com/svenfuchs/i18n/pull/289
Title: i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS
Solution: upgrade to >= 0.8.0

Vulnerabilities found!

Related issues

Related to Redmine - Feature #29946: Update i18n gem (~> 1.6.0) (Closed)

History

#1 Updated by Go MAEDA over 2 years ago

#2 Updated by Go MAEDA over 2 years ago

Thank you for reporting the issue. The quickest workaround is to update to Redmine 4.1. Redmine 4.1 uses i18n 1.6.

source:/tags/4.1.1/Gemfile#L17

#3 Updated by Popa Marius over 2 years ago

Thanks, we did it that way. Also, in the 4.0.x branch i18n should be bumped to 0.8.0.

#4 Updated by Marius BALTEANU over 2 years ago

Popa Marius wrote:

Thanks, we did it that way. Also, in the 4.0.x branch i18n should be bumped to 0.8.0.

It is not only the bump; it also requires backporting some code changes from r17888 and r18286. At that time, Toshi tried to update the gem: https://www.redmine.org/projects/redmine/repository/revisions/16324.

#5 Updated by Holger Just over 2 years ago

The version of Hash#slice in the i18n gem (which was vulnerable to CVE-2014-10077) is only used if there is not already another version of this method present:

  • From Ruby 2.5.0 on, Ruby itself ships this method.
  • When used with Rails (resp. ActiveSupport) on version >= 3.0, < 6.0, it also ships this method. It is used in preference to the one in the i18n gem since ActiveSupport is loaded before i18n.

Thus, the version of the method shipped with the i18n gem should never actually be used by us (or any dependent code). Thus, I think this vulnerability doesn't apply to us.
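The argument above rests on which Hash#slice is actually live in the process, which is something an operator can check directly. The following is an added example, not code from Redmine or from the i18n gem: it reports where the current Hash#slice comes from (native core method versus a Ruby-level extension file) and shows the "define only if absent" guard pattern the comment describes, applied to a constructed ToyMap class so the result does not depend on the running Ruby version. The function names, the slice body and ToyMap are all hypothetical, written for this example.

```ruby
# Added example, not code from Redmine or the i18n gem: inspect which
# implementation of Hash#slice is live in this Ruby process, and show the
# "define only if absent" guard the comment above describes.

# Describe where Hash#slice comes from.
#   :defined -> whether any Hash#slice exists at all
#   :owner   -> the module owning the method (Hash itself for core Ruby)
#   :source  -> nil for a native (C) core method, otherwise the Ruby file
#               that defined it, e.g. a gem's core_ext file
def hash_slice_provenance
  return { defined: false, owner: nil, source: nil } unless Hash.method_defined?(:slice)

  m = Hash.instance_method(:slice)
  { defined: true, owner: m.owner, source: m.source_location&.first }
end

# Classify that provenance for a quick audit: :native means Ruby's own
# implementation (2.5+), :ruby_extension means some library added it and
# its file is worth looking at.
def hash_slice_origin
  info = hash_slice_provenance
  return :missing unless info[:defined]

  info[:source].nil? ? :native : :ruby_extension
end

# Guard pattern: add a pure-Ruby slice to klass only if nothing provides one.
# The slice body is a hypothetical, minimal implementation written for this
# example; klass must respond to key? and [].
def define_slice_if_missing(klass)
  return :already_present if klass.method_defined?(:slice)

  klass.class_eval do
    def slice(*keys)
      keys.each_with_object({}) { |k, out| out[k] = self[k] if key?(k) }
    end
  end
  :defined_here
end

# Constructed container class without a slice method, so the guard's
# behaviour is deterministic no matter which Ruby runs this.
class ToyMap
  def initialize(pairs)
    @pairs = pairs
  end

  def key?(k)
    @pairs.key?(k)
  end

  def [](k)
    @pairs[k]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Hash#slice origin: #{hash_slice_origin} (#{hash_slice_provenance.inspect})"
  puts "Hash:               #{define_slice_if_missing(Hash)}"
  puts "ToyMap first call:  #{define_slice_if_missing(ToyMap)}"
  puts "ToyMap second call: #{define_slice_if_missing(ToyMap)}"
  puts ToyMap.new({ a: 1, b: 2 }).slice(:a, :c).inspect
end
```

Run it inside the application's bundle (for example with `bundle exec ruby`) so that the loaded gems are the ones that matter; on Ruby 2.5 or later the origin reports as :native, and on an older Ruby with ActiveSupport loaded the :source entry points at the ActiveSupport file rather than at i18n's core_ext, which is the precedence the comment relies on.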

#6 Updated by Go MAEDA over 1 year ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Currently, all supported versions of Redmine (4.1 and 4.2) use i18n 1.6 or higher.

source:tags/4.2.0/Gemfile#L17
source:tags/4.1.2/Gemfile#L17
