<p><a href="https://www.redmine.org/">Redmine</a> - Defect #33334: bump i18n for advisory: CVE-2014-10077</p>
<p><strong>Go MAEDA</strong>, 2020-04-22T05:23:12Z (<a href="https://www.redmine.org/issues/33334?journal_id=97426">journal 97426</a>):</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/29946">Feature #29946</a>: Update i18n gem (~> 1.6.0)</i> added</li></ul>
<p><strong>Go MAEDA</strong>, 2020-04-22T05:50:17Z (<a href="https://www.redmine.org/issues/33334?journal_id=97428">journal 97428</a>):</p>
<p>Thank you for reporting the issue. The quickest workaround is to update to Redmine 4.1. Redmine 4.1 uses i18n 1.6.</p>
<p><a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/entry/tags/4.1.1/Gemfile#L17">source:/tags/4.1.1/Gemfile#L17</a></p>
<p><strong>Popa Marius</strong>, 2020-04-24T09:39:23Z (<a href="https://www.redmine.org/issues/33334?journal_id=97471">journal 97471</a>):</p>
<p>Thanks, we did it that way; also, in the 4.0.x branch i18n should be bumped to 0.8.0.</p>
<p><strong>Marius BĂLTEANU</strong>, 2020-04-24T11:20:38Z (<a href="https://www.redmine.org/issues/33334?journal_id=97472">journal 97472</a>):</p>
<p>Popa Marius wrote:</p>
<blockquote>
<p>Thanks, we did it that way; also, in the 4.0.x branch i18n should be bumped to 0.8.0.</p>
</blockquote>
<p>It is not only the bump; it also requires backporting some code changes from <a class="changeset" title="Update i18n gem to 1.5.3 (#29946). Patch by Marius BALTEANU." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/17888">r17888</a> and <a class="changeset" title="Removes lazy loading of i18n files for 18n 1.6.0 compat (#31384)." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/18286">r18286</a>. At that time, Toshi tried to update the gem: <a class="external" href="https://www.redmine.org/projects/redmine/repository/revisions/16324">https://www.redmine.org/projects/redmine/repository/revisions/16324</a>.</p>
<p><strong>Holger Just</strong>, 2020-04-27T12:47:25Z (<a href="https://www.redmine.org/issues/33334?journal_id=97544">journal 97544</a>):</p>
<p>The version of <code>Hash#slice</code> in the i18n gem (which was vulnerable to CVE-2014-10077) is only used if there is not already another version of this method present:</p>
<ul>
<li>From Ruby 2.5.0 on, Ruby itself <a href="https://ruby-doc.org/core-2.5.0/Hash.html#method-i-slice" class="external">ships this method</a>.</li>
<li>When used with Rails (resp. ActiveSupport) on version >= 3.0, < 6.0, it also <a href="https://www.rubydoc.info/docs/rails/4.1.7/Hash#slice-instance_method" class="external">ships this method</a>. It is used in preference to the one in the i18n gem since <code>ActiveSupport</code> is loaded before <code>i18n</code>.</li>
</ul>
<p>Thus, the version of the method shipped with the i18n gem should never actually be used by us (or any dependent code). Thus, I think this vulnerability doesn't apply to us.</p>
<p><strong>Go MAEDA</strong>, 2021-04-10T06:27:59Z (<a href="https://www.redmine.org/issues/33334?journal_id=101927">journal 101927</a>):</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Resolution</strong> set to <i>Fixed</i></li></ul><p>Currently, all supported versions of Redmine (4.1 and 4.2) use i18n 1.6 or higher.</p>
<p><a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/entry/tags/4.2.0/Gemfile#L17">source:tags/4.2.0/Gemfile#L17</a><br /><a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/entry/tags/4.1.2/Gemfile#L17">source:tags/4.1.2/Gemfile#L17</a></p>
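<p>The following is an added example, not code from this issue thread, from Redmine, or from the i18n gem. It illustrates the load-order argument in Holger Just's comment above: a guarded core extension that defines <code>Hash#slice</code> only when no such method exists yet is a no-op on Ruby 2.5+ (core <code>Hash#slice</code>) or when ActiveSupport has already defined it. The module <code>GuardedSliceExt</code> is a hypothetical stand-in for that pattern; <code>hash_slice_provenance</code> and <code>slice_not_from?</code> are the check an operator can run in a Redmine console to confirm which implementation the process actually uses (a C-implemented core method has no Ruby <code>source_location</code>; a gem-provided one reports its file path).</p>

```ruby
# Added example (not Redmine's or the i18n gem's code). Mirrors the guarded
# core-extension pattern: define Hash#slice only if nothing defined it already.

# Hypothetical stand-in for a gem's guarded core extension.
module GuardedSliceExt
  # Returns :skipped when Hash#slice already exists, :installed otherwise.
  def self.install!
    return :skipped if Hash.method_defined?(:slice)

    Hash.class_eval do
      def slice(*keys)
        keys.each_with_object({}) { |k, out| out[k] = self[k] if key?(k) }
      end
    end
    :installed
  end
end

# Report which Hash#slice the running process resolves to. Core (C) methods
# have no source location; pure-Ruby definitions report [file, line].
def hash_slice_provenance
  m = Hash.instance_method(:slice)
  {
    owner: m.owner.name,
    ruby_core: m.source_location.nil?,
    source: m.source_location,
    ruby_version: RUBY_VERSION
  }
end

# Audit check: true when the active Hash#slice is NOT a pure-Ruby definition
# loaded from a file whose path matches gem_pattern (e.g. %r{/i18n/}).
def slice_not_from?(gem_pattern)
  loc = Hash.instance_method(:slice).source_location
  loc.nil? || !(loc.first =~ gem_pattern)
end

if __FILE__ == $PROGRAM_NAME
  puts "guarded install: #{GuardedSliceExt.install!}"   # :skipped on Ruby >= 2.5
  puts "provenance:      #{hash_slice_provenance}"
  puts "from i18n gem?   #{!slice_not_from?(%r{/i18n/})}"
  puts({ a: 1, b: 2 }.slice(:a).inspect)
end
```

<p>In a Rails 3.x to 5.x process the same check reports a <code>source</code> inside the activesupport gem's <code>core_ext/hash/slice.rb</code> rather than <code>nil</code>, which still satisfies <code>slice_not_from?(%r{/i18n/})</code>; only a path inside the i18n gem would indicate the vulnerable definition is the one in use.</p>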