Feature #33906
Upgrade Rails to 5.2.4.5
| Status: | Closed | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: |  Go MAEDA | % Done: | 0% | |
| Category: | Security | |||
| Target version: | 4.0.8 | |||
| Resolution: | Fixed |
Description
As released on May 18, 2020 with the following announcement:
Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.
Both releases contain the following fixes:
[CVE-2020-8162] Circumvention of file size limits in ActiveStorage
[CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
[CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
[CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
[CVE-2020-8167] CSRF Vulnerability in rails-ujs
Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.
I'll set this issue to private given the possible implications.
0001-Update-Rails-to-5.2.4.5.patch 
(642 Bytes)
0003-Update-javascript-filename.patch
(1.34 KB)
Related issues
Associated revisions
Update Rails to 5.2.4.5 (#33906).
Patch by Marius BALTEANU.
Update Rails UJS to 5.2.4.5 unminified (#33906).
Patch by Marius BALTEANU.
Update JavaScript filename (#33906).
Patch by Marius BALTEANU.
Update Rails UJS to 5.2.4.5 unminified for 4.1-stable (#33906).
Update JavaScript filename for 4.1-stable (#33906).
Update Rails UJS to 5.2.4.5 unminified for 4.0-stable (#33906).
Update JavaScript filename for 4.0-stable (#33906).
History
#1
Updated by Go MAEDA 8 months ago
Thank you for reporting the issue. I had missed the release.
Mischa The Evil wrote:
Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled
rails-ujscode.
Do you know how to build a new public/javascripts/jquery-*-ui-*-ujs-*.js?
#2
Updated by Mischa The Evil 8 months ago
Go MAEDA wrote:
Mischa The Evil wrote:
Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled
rails-ujscode.Do you know how to build a new
public/javascripts/jquery-*-ui-*-ujs-*.js?
I do not, though given the remaining1 history, I think Marius should be able to tell this.
1 the last update of the file in r19803 destroyed the file's prior history in SCM.
#3
Updated by Marius BALTEANU 7 months ago
- Target version set to 4.0.8
I manually maintain public/javascripts/jquery-*-ui-*-ujs-*.js? by replacing the old versions of the JS libraries with the new versions.
Regarding rails-ujs, the file is part of the actionview gem and the new version can be found in lib/assets/compiled/rails-ujs.js, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non minified until we adopt a JS package tool to manage the dependencies.
Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.
#4
Updated by Mischa The Evil 5 months ago
- Blocks Feature #34062: Upgrade Rails to 5.2.4.5 added
#5
Updated by Marius BALTEANU 5 months ago
- Assignee set to Jean-Philippe Lang
#6
Updated by Bernhard Rohloff about 1 month ago
#7
Updated by Bernhard Rohloff about 1 month ago
Marius BALTEANU wrote:
I manually maintain
public/javascripts/jquery-*-ui-*-ujs-*.js?by replacing the old versions of the JS libraries with the new versions.Regarding
rails-ujs, the file is part of the actionview gem and the new version can be found inlib/assets/compiled/rails-ujs.js, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non minified until we adopt a JS package tool to manage the dependencies.Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.
Okay, didn't read that beforehand. Sorry. Reading before writing is always a good habit. *facepalm*
#8
Updated by Marius BALTEANU about 1 month ago
- File 0001-Update-Rails-to-5.2.4.5.patch added
- File 0002-Update-Rails-UJS-to-5.2.4.5-unminified.patch added
- File 0003-Update-javascript-filename.patch added
- Assignee changed from Jean-Philippe Lang to Go MAEDA
- Updates Rails to 5.2.4.5 which includes another security fix.
- Updates Rails UJS to 5.2.4.5 unminified in order to avoid this manual step.
All tests pass: https://gitlab.com/redmine-org/redmine/-/pipelines/270145466 (except some flaky system tests).
#9
Updated by Marius BALTEANU about 1 month ago
- Subject changed from Update to Rails 5.2.4.3 to Update to Rails 5.2.4.5
#10
Updated by Go MAEDA about 1 month ago
- Status changed from New to Resolved
- Resolution set to Fixed
Committed the patches. Thank you.
#11
Updated by Go MAEDA about 1 month ago
- Status changed from Resolved to Closed
#12
Updated by Marius BALTEANU about 1 month ago
- Blocks deleted (Feature #34062: Upgrade Rails to 5.2.4.5)
#13
Updated by Marius BALTEANU about 1 month ago
- Private changed from Yes to No
#14
Updated by Marius BALTEANU about 1 month ago
- Duplicated by Feature #34062: Upgrade Rails to 5.2.4.5 added
#15
Updated by Marius BALTEANU about 1 month ago
- Tracker changed from Defect to Feature
- Subject changed from Update to Rails 5.2.4.5 to Upgrade Rails to 5.2.4.5