Project

General

Profile

Actions

Feature #33906

closed

Upgrade Rails to 5.2.4.5

Added by Mischa The Evil over 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

As released on May 18, 2020 with the following announcement:

Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

[CVE-2020-8162] Circumvention of file size limits in ActiveStorage
[CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
[CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
[CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
[CVE-2020-8167] CSRF Vulnerability in rails-ujs

Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.

I'll set this issue to private given the possible implications.


Files


Related issues

Has duplicate Redmine - Feature #34062: Upgrade Rails to 5.2.4.5ClosedGo MAEDA

Actions
Actions #1

Updated by Go MAEDA over 4 years ago

Thank you for reporting the issue. I had missed the release.

Mischa The Evil wrote:

Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.

Do you know how to build a new public/javascripts/jquery-*-ui-*-ujs-*.js?

Actions #2

Updated by Mischa The Evil over 4 years ago

Go MAEDA wrote:

Mischa The Evil wrote:

Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.

Do you know how to build a new public/javascripts/jquery-*-ui-*-ujs-*.js?

I do not, though given the remaining1 history, I think Marius should be able to tell this.

1 the last update of the file in r19803 destroyed the file's prior history in SCM.

Actions #3

Updated by Marius BĂLTEANU about 4 years ago

  • Target version set to 4.0.8

I manually maintain public/javascripts/jquery-*-ui-*-ujs-*.js? by replacing the old versions of the JS libraries with the new versions.

Regarding rails-ujs, the file is part of the actionview gem and the new version can be found in lib/assets/compiled/rails-ujs.js, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non minified until we adopt a JS package tool to manage the dependencies.

Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.

Actions #4

Updated by Mischa The Evil about 4 years ago

Actions #5

Updated by Marius BĂLTEANU about 4 years ago

  • Assignee set to Jean-Philippe Lang
Actions #6

Updated by Bernhard Rohloff almost 4 years ago

JPL committed the patch for updating Rails to 5.2.4.4 five month ago (r20109). As it's no longer a thing, shall we close this issue and perhaps #34062, too?

Actions #7

Updated by Bernhard Rohloff almost 4 years ago

Marius BALTEANU wrote:

I manually maintain public/javascripts/jquery-*-ui-*-ujs-*.js? by replacing the old versions of the JS libraries with the new versions.

Regarding rails-ujs, the file is part of the actionview gem and the new version can be found in lib/assets/compiled/rails-ujs.js, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non minified until we adopt a JS package tool to manage the dependencies.

Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.

Okay, didn't read that beforehand. Sorry. Reading before writing is always a good habit. *facepalm*

Actions #8

Updated by Marius BĂLTEANU almost 4 years ago

Adding a patch that:
  • Updates Rails to 5.2.4.5 which includes another security fix.
  • Updates Rails UJS to 5.2.4.5 unminified in order to avoid this manual step.

All tests pass: https://gitlab.com/redmine-org/redmine/-/pipelines/270145466 (except some flaky system tests).

Actions #9

Updated by Marius BĂLTEANU almost 4 years ago

  • Subject changed from Update to Rails 5.2.4.3 to Update to Rails 5.2.4.5
Actions #10

Updated by Go MAEDA almost 4 years ago

  • Status changed from New to Resolved
  • Resolution set to Fixed

Committed the patches. Thank you.

Actions #11

Updated by Go MAEDA almost 4 years ago

  • Status changed from Resolved to Closed
Actions #12

Updated by Marius BĂLTEANU almost 4 years ago

Actions #13

Updated by Marius BĂLTEANU almost 4 years ago

  • Private changed from Yes to No
Actions #14

Updated by Marius BĂLTEANU almost 4 years ago

Actions #15

Updated by Marius BĂLTEANU almost 4 years ago

  • Tracker changed from Defect to Feature
  • Subject changed from Update to Rails 5.2.4.5 to Upgrade Rails to 5.2.4.5
Actions

Also available in: Atom PDF