Feature #33906

Upgrade Rails to 5.2.4.5

Added by Mischa The Evil about 1 year ago. Updated 6 months ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Go MAEDA% Done:

0%

Category:Security
Target version:4.0.8
Resolution:Fixed

Description

As released on May 18, 2020 with the following announcement:

Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

[CVE-2020-8162] Circumvention of file size limits in ActiveStorage
[CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
[CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
[CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
[CVE-2020-8167] CSRF Vulnerability in rails-ujs

Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.

I'll set this issue to private given the possible implications.

0001-Update-Rails-to-5.2.4.5.patch Magnifier (642 Bytes) Marius BALTEANU, 2021-03-15 08:28

0003-Update-javascript-filename.patch Magnifier (1.34 KB) Marius BALTEANU, 2021-03-15 08:28

0002-Update-Rails-UJS-to-5.2.4.5-unminified.patch Magnifier (99.3 KB) Marius BALTEANU, 2021-03-15 08:28

Related issues

Duplicated by Redmine - Feature #34062: Upgrade Rails to 5.2.4.5 Closed

Associated revisions

Revision 20789
Added by Go MAEDA 6 months ago

Update Rails to 5.2.4.5 (#33906).

Patch by Marius BALTEANU.

Revision 20790
Added by Go MAEDA 6 months ago

Update Rails UJS to 5.2.4.5 unminified (#33906).

Patch by Marius BALTEANU.

Revision 20791
Added by Go MAEDA 6 months ago

Update JavaScript filename (#33906).

Patch by Marius BALTEANU.

Revision 20793
Added by Go MAEDA 6 months ago

Merged r20789 from trunk to 4.1-stable (#33906).

Revision 20794
Added by Go MAEDA 6 months ago

Update Rails UJS to 5.2.4.5 unminified for 4.1-stable (#33906).

Revision 20795
Added by Go MAEDA 6 months ago

Update JavaScript filename for 4.1-stable (#33906).

Revision 20797
Added by Go MAEDA 6 months ago

Merged r20789 from trunk to 4.0-stable (#33906).

Revision 20798
Added by Go MAEDA 6 months ago

Backport #31205 to 4.0-stable in order to update Rails UJS (#33906).

Revision 20799
Added by Go MAEDA 6 months ago

Update Rails UJS to 5.2.4.5 unminified for 4.0-stable (#33906).

Revision 20800
Added by Go MAEDA 6 months ago

Update JavaScript filename for 4.0-stable (#33906).

History

#1 Updated by Go MAEDA about 1 year ago

Thank you for reporting the issue. I had missed the release.

Mischa The Evil wrote:

Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.

Do you know how to build a new public/javascripts/jquery-*-ui-*-ujs-*.js?

#2 Updated by Mischa The Evil about 1 year ago

Go MAEDA wrote:

Mischa The Evil wrote:

Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.

Do you know how to build a new public/javascripts/jquery-*-ui-*-ujs-*.js?

I do not, though given the remaining1 history, I think Marius should be able to tell this.

1 the last update of the file in r19803 destroyed the file's prior history in SCM.

#3 Updated by Marius BALTEANU 12 months ago

  • Target version set to 4.0.8

I manually maintain public/javascripts/jquery-*-ui-*-ujs-*.js? by replacing the old versions of the JS libraries with the new versions.

Regarding rails-ujs, the file is part of the actionview gem and the new version can be found in lib/assets/compiled/rails-ujs.js, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non minified until we adopt a JS package tool to manage the dependencies.

Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.

#4 Updated by Mischa The Evil 10 months ago

#5 Updated by Marius BALTEANU 9 months ago

  • Assignee set to Jean-Philippe Lang

#6 Updated by Bernhard Rohloff 7 months ago

JPL committed the patch for updating Rails to 5.2.4.4 five month ago (r20109). As it's no longer a thing, shall we close this issue and perhaps #34062, too?

#7 Updated by Bernhard Rohloff 7 months ago

Marius BALTEANU wrote:

I manually maintain public/javascripts/jquery-*-ui-*-ujs-*.js? by replacing the old versions of the JS libraries with the new versions.

Regarding rails-ujs, the file is part of the actionview gem and the new version can be found in lib/assets/compiled/rails-ujs.js, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non minified until we adopt a JS package tool to manage the dependencies.

Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.

Okay, didn't read that beforehand. Sorry. Reading before writing is always a good habit. *facepalm*

#8 Updated by Marius BALTEANU 6 months ago

Adding a patch that:
  • Updates Rails to 5.2.4.5 which includes another security fix.
  • Updates Rails UJS to 5.2.4.5 unminified in order to avoid this manual step.

All tests pass: https://gitlab.com/redmine-org/redmine/-/pipelines/270145466 (except some flaky system tests).

#9 Updated by Marius BALTEANU 6 months ago

  • Subject changed from Update to Rails 5.2.4.3 to Update to Rails 5.2.4.5

#10 Updated by Go MAEDA 6 months ago

  • Status changed from New to Resolved
  • Resolution set to Fixed

Committed the patches. Thank you.

#11 Updated by Go MAEDA 6 months ago

  • Status changed from Resolved to Closed

#12 Updated by Marius BALTEANU 6 months ago

#13 Updated by Marius BALTEANU 6 months ago

  • Private changed from Yes to No

#14 Updated by Marius BALTEANU 6 months ago

#15 Updated by Marius BALTEANU 6 months ago

  • Tracker changed from Defect to Feature
  • Subject changed from Update to Rails 5.2.4.5 to Upgrade Rails to 5.2.4.5

Also available in: Atom PDF