Updating ruby to resolve vulnerabilities in 4.2.1

Added by A Fora 5 months ago

Hi guys,

I have just run bundle audit check and it reports the following high rated vulnerabilities:

Name: actionpack
Version: 5.2.5
CVE: CVE-2021-22904
GHSA: GHSA-7wjx-3g7j-8584
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Title: Possible DoS Vulnerability in Action Controller Token Authentication
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Name: actionpack
Version: 5.2.5
CVE: CVE-2021-22885
GHSA: GHSA-hjg4-8q5f-x6fm
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Vulnerabilities found!

Could anyone recommend an appropriate rails update policy which will not result in breaking a working redmine installation? I could only update ruby if I changed rails version in Gemlock from gem 'rails', '5.2.5' to gem 'rails', '5.2.6' manually and then run bundle install in the redmine folder. It seems to be working and not affecting redmine at this stage.

The question is: is this an appropriate strategy in general for any future vulnerabilities in ruby? I'm not ruby savvy and I really struggle with this.

Many thanks for your thoughts!


RE: Updating ruby to resolve vulnerabilities in 4.2.1 - Added by A Fora 4 months ago

Just bumping up the question if you guys could help.
Tu!

RE: Updating ruby to resolve vulnerabilities in 4.2.1 - Added by Go MAEDA 4 months ago

Redmine 4.2.2 that updates Rails to 5.2.6 is going to be released very soon.

RE: Updating ruby to resolve vulnerabilities in 4.2.1 - Added by Marius BALTEANU 4 months ago

We will release new versions this weekend which contain the Rails updates.

RE: Updating ruby to resolve vulnerabilities in 4.2.1 - Added by A Fora 4 months ago

Ok, thank you. But is my approach to updating it in the future valid?

- Manually find the vulnerable dependency
- Manually change Gemlock
- run bundle install

Many thanks!

RE: Updating ruby to resolve vulnerabilities in 4.2.1 - Added by Marius BALTEANU 4 months ago

A Fora wrote:

Ok, thank you. But is my approach to updating it in the future valid?

- Manually find the vulnerable dependency
- Manually change Gemlock
- run bundle install

Many thanks!

Well, it depends a lot on the update. I would recommend manually patching your instance only if we have already committed the patch on Redmine trunk or the stable branches. We cannot guarantee that a Rails or gem update won't break anything. We're trying to do our best and release security updates as soon as possible based on issue severity.

Also, I strongly recommend reporting the vulnerability/findings in this issue tracker if it wasn't already reported.

Please let me know if I answered your questions now.
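The thread's manual procedure (read the bundle-audit report, pick a bump, edit the lock file, run bundle install) has one step nobody spells out: checking that the version you intend to pin actually falls inside the advisory's patched ranges, and that it stays in the same release series Redmine ships, so you are not silently jumping from Rails 5.2 to 6.x. The script below is an added example, not code from the thread or from Redmine; it parses a constructed sample shaped like the bundle-audit output quoted above and answers that question with Gem::Version and Gem::Requirement from Ruby's bundled rubygems. The function names (parse_audit, patched?, same_series?, safe_bump) are this example's own.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby

# Constructed sample report, shaped like the `bundle audit check` output in
# the thread (same gem, versions and patched ranges; two advisories).
SAMPLE_AUDIT = <<~AUDIT
  Name: actionpack
  Version: 5.2.5
  CVE: CVE-2021-22904
  GHSA: GHSA-7wjx-3g7j-8584
  Criticality: High
  URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
  Title: Possible DoS Vulnerability in Action Controller Token Authentication
  Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

  Name: actionpack
  Version: 5.2.5
  CVE: CVE-2021-22885
  GHSA: GHSA-hjg4-8q5f-x6fm
  Criticality: High
  URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
  Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
  Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

  Vulnerabilities found!
AUDIT

# One advisory: gem name, installed version, CVE id and the list of patched
# version requirements taken from the "Solution:" line.
Advisory = Struct.new(:name, :version, :cve, :patched)

# Split the report into blank-line separated blocks and keep those that
# carry both a Name and a Solution line (the trailing summary has neither).
def parse_audit(text)
  text.split(/\n[ \t]*\n/).filter_map do |block|
    fields = block.scan(/^(\w+): (.*)$/).to_h
    next unless fields["Name"] && fields["Solution"]

    # bundle-audit prints the patched ranges as one comma-joined list; each
    # entry is treated here as an independent Gem::Requirement.
    patched = fields["Solution"].sub(/\Aupgrade to\s*/, "").split(",").map(&:strip)
    Advisory.new(fields["Name"], fields["Version"], fields["CVE"], patched)
  end
end

# True when the candidate version satisfies at least one patched range.
def patched?(advisory, candidate)
  v = Gem::Version.new(candidate)
  advisory.patched.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Same MAJOR.MINOR series as the installed version (5.2.x stays 5.2.x), which is
# the conservative policy the thread converges on: do not cross a series boundary
# just to pick up a security fix.
def same_series?(installed, candidate)
  Gem::Version.new(installed).segments[0, 2] ==
    Gem::Version.new(candidate).segments[0, 2]
end

# Smallest candidate that is both patched and in the installed series, or nil
# when no such candidate exists (then wait for the project's own release).
def safe_bump(advisory, candidates)
  candidates
    .select { |c| same_series?(advisory.version, c) && patched?(advisory, c) }
    .min_by { |c| Gem::Version.new(c) }
end

if $PROGRAM_NAME == __FILE__
  # Candidates a maintainer might consider; 6.1.4 is patched but crosses series.
  candidates = %w[5.2.5 5.2.6 6.1.4]
  parse_audit(SAMPLE_AUDIT).each do |adv|
    puts "#{adv.name} #{adv.version} (#{adv.cve}): bump to #{safe_bump(adv, candidates) || 'no safe in-series bump'}"
  end
end
```

For the sample above this reports 5.2.6 for both advisories, which is the bump the original poster made by hand. Run it against a real report with `bundle audit check | ruby this_script.rb` only after swapping SAMPLE_AUDIT for `$stdin.read`; and as the maintainer's reply says, prefer the project's own release when one is imminent, since a green result here only proves the advisory is closed, not that Redmine still works on the new gem.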
