The Rails vulnerability does (very likely) not affect Redmine 5.0. To quote the announcement:
Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected.
All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.
Redmine 5.0.x does not support Ruby 3.2. As such, it is (very likely) not affected by this issue. Still, we have updated the Rails version with #38374. This change will be released with Redmine 5.0.6.
The case with Nokogiri is a bit more complex. With Redmine, we support several older Ruby versions for which there are no Nokogiri releases anymore. This results in more complex version dependencies.
Yet, with Redmine 5.0, we are currently still pinning Nokogiri to ~> 1.13.10 for newer Rubies. This must be adapted to use ~> 1.14.3 for Ruby >= 2.7.0 only as nokogiri ended support for Ruby 2.6 with their 1.14.0 release. This can be fixed by adapting the version selection for nokogiri in the Gemfile.
For Redmine 4.2, this should be
gem 'nokogiri', (if Gem.ruby_version < Gem::Version.new('2.5.0')
  '~> 1.10.10'
elsif Gem.ruby_version < Gem::Version.new('2.6.0')
  '~> 1.12.5'
elsif Gem.ruby_version < Gem::Version.new('2.7.0')
  '~> 1.13.10'
else
  '~> 1.15.2'
end)
For Redmine 5.0, we can skip the first check as Redmine 5.0 supports only Ruby >= 2.5.0:
gem 'nokogiri', (if Gem.ruby_version < Gem::Version.new('2.6.0')
  '~> 1.12.5'
elsif Gem.ruby_version < Gem::Version.new('2.7.0')
  '~> 1.13.10'
else
  '~> 1.15.2'
end)
For the trunk, we support only Ruby >= 2.7, so we can just use
gem 'nokogiri', '~> 1.15.2'
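The following is an added example, not part of the issue note above and not Redmine's own code. It lifts the Ruby-version-dependent selection from the Redmine 4.2 Gemfile snippet into a plain function so that a maintainer can check, for any Ruby version, which nokogiri constraint the Gemfile would pick, whether a given installed nokogiri satisfies it, and whether the lower bound of that constraint is already at or above a chosen fixed release. The function names, the `FIXED_NOKOGIRI` constant and the sample version strings are assumptions made for this example; the branch values are the ones from the snippet.

```ruby
# Added example: evaluate the Gemfile's Ruby-version-based nokogiri pin
# outside of Bundler, using only RubyGems' own version classes.
require 'rubygems'

# Branches copied from the Redmine 4.2 Gemfile snippet: each entry is the
# exclusive upper Ruby version for which the constraint applies, oldest first.
NOKOGIRI_PINS = [
  [Gem::Version.new('2.5.0'), '~> 1.10.10'],
  [Gem::Version.new('2.6.0'), '~> 1.12.5'],
  [Gem::Version.new('2.7.0'), '~> 1.13.10'],
].freeze
NOKOGIRI_DEFAULT = '~> 1.15.2'   # the `else` branch (Ruby >= 2.7.0)

# First nokogiri release we treat as fixed (assumption for this example,
# taken from the version named in the note above).
FIXED_NOKOGIRI = Gem::Version.new('1.14.3')

# Same selection the Gemfile performs with Gem.ruby_version, but for an
# arbitrary Ruby version string so it can be tabulated for all supported Rubies.
def nokogiri_requirement(ruby_version)
  rv = Gem::Version.new(ruby_version)
  pin = NOKOGIRI_PINS.find { |upper, _| rv < upper }
  pin ? pin[1] : NOKOGIRI_DEFAULT
end

# Would Bundler accept this installed nokogiri under this Ruby?
def allowed?(ruby_version, nokogiri_version)
  Gem::Requirement.new(nokogiri_requirement(ruby_version))
                  .satisfied_by?(Gem::Version.new(nokogiri_version))
end

# Lower bound of the selected pessimistic constraint ("~> x.y.z" => x.y.z).
def minimum_nokogiri(ruby_version)
  op, version = Gem::Requirement.new(nokogiri_requirement(ruby_version)).requirements.first
  raise "unexpected operator #{op}" unless op == '~>'
  version.to_s
end

# True when every nokogiri version the pin admits is at or above the fixed release,
# i.e. the Ruby in question cannot end up with an older nokogiri from this Gemfile.
def pinned_to_fixed_release?(ruby_version)
  Gem::Version.new(minimum_nokogiri(ruby_version)) >= FIXED_NOKOGIRI
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of Ruby versions across the supported range.
  %w[2.4.10 2.5.9 2.6.10 2.7.8 3.0.6 3.2.2].each do |rv|
    printf "Ruby %-7s -> nokogiri %-11s min %-8s at/above fix: %s\n",
           rv, nokogiri_requirement(rv), minimum_nokogiri(rv), pinned_to_fixed_release?(rv)
  end
  puts "This interpreter (#{Gem.ruby_version}) selects #{nokogiri_requirement(Gem.ruby_version.to_s)}"
end
```

Running the script prints one row per Ruby version; only Rubies at 2.7.0 or newer reach a constraint whose lower bound is at or above the fixed release, which is the situation the note describes for the older Rubies that nokogiri no longer supports.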