Feature #33906
Upgrade Rails to 5.2.4.5 (closed)
Description
As released on May 18, 2020 with the following announcement:
Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.
Both releases contain the following fixes:
[CVE-2020-8162] Circumvention of file size limits in ActiveStorage
[CVE-2020-8164] Possible Strong Parameters Bypass in ActionPack
[CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
[CVE-2020-8166] Ability to forge per-form CSRF tokens given a global CSRF token
[CVE-2020-8167] CSRF Vulnerability in rails-ujs
Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.
I'll set this issue to private given the possible implications.
Updated by Go MAEDA about 4 years ago
Thank you for reporting the issue. I had missed the release.
Mischa The Evil wrote:
Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.
Do you know how to build a new public/javascripts/jquery-*-ui-*-ujs-*.js?
Updated by Mischa The Evil about 4 years ago
Go MAEDA wrote:
Mischa The Evil wrote:
Note: the fix for CVE-2020-8167 might also result in a requirement to manually update the bundled rails-ujs code.
Do you know how to build a new public/javascripts/jquery-*-ui-*-ujs-*.js?
I do not, though given the remaining[1] history, I think Marius should be able to tell this.
[1] The last update of the file in r19803 destroyed the file's prior history in SCM.
Updated by Marius BĂLTEANU about 4 years ago
- Target version set to 4.0.8
I manually maintain public/javascripts/jquery-*-ui-*-ujs-*.js? by replacing the old versions of the JS libraries with the new versions.
Regarding rails-ujs, the file is part of the actionview gem and the new version can be found in lib/assets/compiled/rails-ujs.js, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non-minified until we adopt a JS package tool to manage the dependencies.
Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.
Updated by Mischa The Evil almost 4 years ago
- Blocks Feature #34062: Upgrade Rails to 5.2.4.5 added
Updated by Marius BĂLTEANU almost 4 years ago
- Assignee set to Jean-Philippe Lang
Updated by Bernhard Rohloff over 3 years ago
Marius BALTEANU wrote:
I manually maintain public/javascripts/jquery-*-ui-*-ujs-*.js? by replacing the old versions of the JS libraries with the new versions.
Regarding rails-ujs, the file is part of the actionview gem and the new version can be found in lib/assets/compiled/rails-ujs.js, but it's not minified and from what I remember, I used an online tool at that time. We can do the same now or we can add it non-minified until we adopt a JS package tool to manage the dependencies.
Rails was updated by Jean-Philippe in #34062, I'm assigning this as well to update rails-ujs.
Okay, didn't read that beforehand. Sorry. Reading before writing is always a good habit. *facepalm*
Updated by Marius BĂLTEANU over 3 years ago
- File 0001-Update-Rails-to-5.2.4.5.patch added
- File 0002-Update-Rails-UJS-to-5.2.4.5-unminified.patch added
- File 0003-Update-javascript-filename.patch added
- Assignee changed from Jean-Philippe Lang to Go MAEDA
- Updates Rails to 5.2.4.5 which includes another security fix.
- Updates Rails UJS to 5.2.4.5 non-minified in order to avoid this manual step.
All tests pass: https://gitlab.com/redmine-org/redmine/-/pipelines/270145466 (except some flaky system tests).
Updated by Marius BĂLTEANU over 3 years ago
- Subject changed from Update to Rails 5.2.4.3 to Update to Rails 5.2.4.5
Updated by Go MAEDA over 3 years ago
- Status changed from New to Resolved
- Resolution set to Fixed
Committed the patches. Thank you.
Updated by Marius BĂLTEANU over 3 years ago
- Blocks deleted (Feature #34062: Upgrade Rails to 5.2.4.5)
Updated by Marius BĂLTEANU over 3 years ago
- Has duplicate Feature #34062: Upgrade Rails to 5.2.4.5 added
Updated by Marius BĂLTEANU over 3 years ago
- Tracker changed from Defect to Feature
- Subject changed from Update to Rails 5.2.4.5 to Upgrade Rails to 5.2.4.5