RM 4.0 gem update issues
Happy NY guys, and thank you so much for creating this absolutely fantastic application!
I just upgraded to redmine v4.0 which was installed with a set of gems including rack-2.0.7. This version of the gem was just announced as having a vulnerability. So in the redmine’s root I did:
bundle update --patch --conservative rack
which successfully replaced rack-2.0.7 with rack-2.0.8. I verified it’s the installed version in redmine by checking it with bundle list returning:
* rack (2.0.8)
However, when I run
gem list rack
it still shows the outdated versions only:
rack (2.0.7, 1.6.4)
I have two questions:
- Can I assume that redmine as an application has no access to any of the outdated versions installed in the system, i.e. that my redmine is solidly secure?
- Given my current vendor/cache repository in redmine that I created with bundle package, how do I install rack-2.0.8 system wide (with conservative options of --patch and --conservative) so it would be available for other applications? Assume that the installation has to run from the local vendor/cache repo on the offline machine.
RE: RM 4.0 gem update issues - Added by A Fora about 1 month ago
I found answers to the above.
1. Supposedly it's fine. See https://github.com/bundler/bundler/issues/170 for implicit approval.
2. For some reason there was a setting in my redmine root in .bundle/config:
Essentially forcing the install only to the local application subtree. Once removed, all the files now get installed both in the system ruby and the local application.
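
An added example, not part of the thread and not Redmine or Bundler code: a Ruby check for the first question that reads the version Bundler has locked for the application from Gemfile.lock and, separately, lists system-wide copies older than the fixed release. The lockfile fragment is constructed, the gem list line is the one quoted in the post, and the 2.0.8 threshold is taken from the post; the function names are hypothetical.

```ruby
# Minimum rack version the post treats as fixed (2.0.7 was announced vulnerable).
PATCHED = Gem::Version.new("2.0.8")

# Constructed sample of a Gemfile.lock fragment (not Redmine's real lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.0.8)
      rack-test (1.1.0)
        rack (>= 1.0, < 3)

  DEPENDENCIES
    rack
LOCK

# Output of `gem list rack` as quoted in the post.
SAMPLE_GEM_LIST = "rack (2.0.7, 1.6.4)\n"

# Version Bundler has locked for gem_name, or nil. Resolved specs sit at exactly
# four spaces of indent; six-space lines are dependency constraints and are skipped.
def locked_version(lock_text, gem_name)
  lock_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[2].split("-").first) if m && m[1] == gem_name
  end
  nil
end

# Parse `gem list` output into the array of versions installed system wide.
def system_versions(gem_list_text, gem_name)
  gem_list_text.each_line do |line|
    m = line.match(/\A(\S+) \(([^)]*)\)/)
    next unless m && m[1] == gem_name
    return m[2].split(/,\s*/).map { |v| Gem::Version.new(v.sub(/\Adefault: /, "")) }
  end
  []
end

# Summarise what the app loads under Bundler versus what else is on disk.
def audit(lock_text, gem_list_text, gem_name)
  locked = locked_version(lock_text, gem_name)
  stale  = system_versions(gem_list_text, gem_name).select { |v| v < PATCHED }
  { app_version: locked&.to_s,
    app_patched: !locked.nil? && locked >= PATCHED,
    stale_system_versions: stale.map(&:to_s) }
end

p audit(SAMPLE_LOCK, SAMPLE_GEM_LIST, "rack") if __FILE__ == $PROGRAM_NAME
```

The stale system versions matter for anything started outside Bundler (scripts or other applications on the same Ruby), which is why they are reported separately from the application's locked version.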