Patch #34062

Upgrade Rails to 5.2.4.4

Added by Daniel Müller 20 days ago. Updated 12 days ago.

Status: New
Priority: Normal
Assignee: Jean-Philippe Lang
Category: Security
Target version: 4.0.8
Start date:
Due date:
% Done: 0%

Description

CVE-2020-8165 (https://nvd.nist.gov/vuln/detail/CVE-2020-8165)

It would be very helpful if Redmine would work with the latest versions of Ruby and Rails. My server has been shut down for testing, since older versions are in use.

Associated revisions

Revision 20109
Added by Jean-Philippe Lang 20 days ago

Upgrade Rails to 5.2.4.4 (#34062).

History

#1 Updated by Daniel Müller 20 days ago

https://www.redmine.org/projects/redmine/repository/entry/trunk/Gemfile

ruby '>= 2.3.0', '< 2.7.0'
gem 'bundler', '>= 1.12.0'

gem 'rails', '5.2.4.2'

At least rails 5.2.4.3 is required! Ruby 2.7 would be helpful, too.

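As an added example (not Redmine's code and not posted by anyone in this thread), the following Ruby script reads the kind of exact Rails pin quoted above from a Gemfile, plus the resolved entry from a Gemfile.lock, and reports whether the version meets the 5.2.4.3 minimum named in this comment. The sample Gemfile and lockfile text are constructed here to mirror the quoted trunk Gemfile; the helper names are mine.

```ruby
# Added example: audit a Gemfile / Gemfile.lock for a Rails version below the
# minimum patched release named in the ticket. Not part of Redmine.
require 'rubygems'

# Minimum patched Rails release according to comment #1 of the ticket.
MIN_RAILS = Gem::Version.new('5.2.4.3')

# Constructed sample mirroring the trunk Gemfile quoted in comment #1.
SAMPLE_GEMFILE = <<~GEMFILE
  ruby '>= 2.3.0', '< 2.7.0'
  gem 'bundler', '>= 1.12.0'

  gem 'rails', '5.2.4.2'
GEMFILE

# Constructed sample of a Gemfile.lock "specs" section after the upgrade.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.2.4.4)
        actioncable (= 5.2.4.4)
LOCK

# Return the exact version pinned for +gem_name+ in Gemfile text, or nil when
# the gem is absent or only constrained by a range such as '~> 5.2'.
def gemfile_version(text, gem_name = 'rails')
  text.each_line do |line|
    # Matches: gem 'rails', '5.2.4.2'   (single or double quotes)
    m = line.match(/\A\s*gem\s+['"]#{Regexp.escape(gem_name)}['"]\s*,\s*['"]([^'"]+)['"]/)
    next unless m
    req = m[1].strip
    # Only a bare dotted number is an exact pin worth comparing.
    return req if req =~ /\A\d+(\.\d+)*\z/
  end
  nil
end

# Return the resolved version of +gem_name+ from Gemfile.lock text.
# Top-level specs are indented exactly four spaces; their dependencies use six.
def lockfile_version(text, gem_name = 'rails')
  m = text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/)
  m && m[1]
end

# Classify a version string against MIN_RAILS: :ok, :outdated or :unknown.
def rails_status(version)
  return :unknown if version.nil?
  Gem::Version.new(version) >= MIN_RAILS ? :ok : :outdated
end

# Audit both files and return a hash of { source => [version, status] }.
def audit(gemfile_text, lockfile_text)
  gv = gemfile_version(gemfile_text)
  lv = lockfile_version(lockfile_text)
  { gemfile: [gv, rails_status(gv)], lockfile: [lv, rails_status(lv)] }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_GEMFILE, SAMPLE_LOCKFILE).each do |source, (version, status)|
    puts "#{source}: rails #{version.inspect} -> #{status} (minimum #{MIN_RAILS})"
  end
end
```

The lockfile check matters more than the Gemfile pin in practice: a Gemfile may use a range while Gemfile.lock records what Bundler actually installed.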
#2 Updated by Pavel Rosický 20 days ago

I don't think that the current Redmine version is really vulnerable to CVE-2020-8165 because there's no such code (unless you have plugins or modifications), see https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c

But I'm not so sure, for instance, about this: https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw

Note that those vulnerabilities were disclosed and fixes have been available for 6 months. The fix is 1 line of code. It's sad that there's no reaction from Redmine's team for such a long time :-(

#3 Updated by Marius BALTEANU 18 days ago

  • Tracker changed from Defect to Patch
  • Subject changed from Security hole in rails to Upgrade Rails to 5.2.4.4
  • Assignee set to Jean-Philippe Lang
  • Target version set to 4.0.8

#4 Updated by Daniel Müller 17 days ago

It would be helpful to process security fixes in all current branches like version 4.1.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.1-stable/Gemfile) and 4.0.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.0-stable/Gemfile) not only in trunk.

#5 Updated by Marius BALTEANU 17 days ago

Daniel Müller wrote:

It would be helpful to process security fixes in all current branches like version 4.1.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.1-stable/Gemfile) and 4.0.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.0-stable/Gemfile) not only in trunk.

The stable branches will be updated for sure in the following days.
