RM 4.0 gem update issues

Added by A Fora 3 months ago

Happy NY guys, and thank you so much for creating this absolutely fantastic application!

I just upgraded to Redmine v4.0, which was installed with a set of gems including rack-2.0.7. This version of the gem was just announced as having a vulnerability. So in the Redmine root I did:

bundle update --patch --conservative rack

which successfully replaced rack-2.0.7 with rack-2.0.8. I verified it's the installed version in Redmine by checking it with bundle list, which returns:

* rack (2.0.8)

However, when I run

gem list rack

it still shows the outdated versions only:

rack (2.0.7, 1.6.4)

I have two questions:

  1. Can I assume that Redmine as an application has no access to any of the outdated versions installed in the system, i.e. that my Redmine is solidly secure?
  2. Given my current vendor/cache repository in Redmine that I created with bundle package, how do I install rack-2.0.8 system-wide (with the conservative options --patch and --conservative) so it would be available for other applications? Assume that the installation has to run from the local vendor/cache repo on the offline machine.

Many thanks!

Replies (1)

RE: RM 4.0 gem update issues - Added by A Fora 3 months ago

I found answers to the above.

1. Supposedly it's fine. See https://github.com/bundler/bundler/issues/170 for implicit approval.

2. For some reason there was a setting in my redmine root in .bundle/config:

BUNDLE_PATH: "."

This was essentially forcing the install to the local application subtree only. Once I removed it, all the files get installed both in the system Ruby and in the local application.
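The point behind answer 1 is that a Bundler-managed application resolves gems from its Gemfile.lock (and loads them through bundle exec / Bundler.setup), so the extra versions that gem list reports in the system GEM_HOME are not what Redmine loads. The following is an added example, not code from this thread or from Redmine or Bundler: it parses the top-level spec entries of a Gemfile.lock and checks that the locked version of a gem is at or above a minimum fixed version you supply. The Gemfile.lock fragment embedded below is constructed for the example; the minimum version 2.0.8 is taken from the thread. Pass a path to a real Gemfile.lock as the first argument to run it against your own application.

```ruby
# Added example (not from the Redmine forum thread): verify the version of a gem
# that an application will actually load under Bundler by reading Gemfile.lock,
# then compare it with the minimum version that carries the fix.
require 'rubygems' # Gem::Version does correct semantic comparison (2.0.10 > 2.0.8)

# Constructed sample in the layout Bundler writes: top-level spec entries sit at
# four spaces under "specs:", their dependency constraints at six spaces.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.0.8)
      rack-test (1.1.0)
        rack (>= 1.0, < 3)
      rails (5.2.2)
        rack (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rails (~> 5.2)

  BUNDLED WITH
     1.17.3
LOCK

# Returns the locked version string for gem_name, or nil when it is not locked.
# Only four-space entries inside a "specs:" block are versions; deeper lines are
# constraints such as "rack (>= 1.0, < 3)" and must not be mistaken for them.
def locked_version(lock_text, gem_name)
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A\s+specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.strip.empty? # blank line ends the block
    next unless in_specs
    if (m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/))
      return m[1]
    end
  end
  nil
end

# True when the gem is locked at or above min_fixed. An unlocked gem is treated
# as unpatched, since we cannot tell what would be loaded.
def patched?(lock_text, gem_name, min_fixed)
  v = locked_version(lock_text, gem_name)
  return false if v.nil?
  Gem::Version.new(v) >= Gem::Version.new(min_fixed)
end

if __FILE__ == $0
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  gem_name, min_fixed = 'rack', '2.0.8' # minimum fixed version named in the thread
  v = locked_version(lock, gem_name) || 'not locked'
  status = patched?(lock, gem_name, min_fixed) ? 'OK' : 'NEEDS UPDATE'
  puts "#{gem_name}: locked at #{v}, minimum fixed #{min_fixed} -> #{status}"
end
```

As a second check from inside the application's own environment, running bundle exec ruby -e 'require "rack"; puts Rack.release' in the Redmine root prints the version Bundler actually loads, which should agree with the Gemfile.lock entry rather than with gem list.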
