Patch #34062
Upgrade Rails to 5.2.4.4
Status: | New | Start date: |
---|---|---|---
Priority: | Normal | Due date: |
Assignee: | | % Done: | 0%
Category: | Security | |
Target version: | 4.0.8 | |
Description
CVE-2020-8165 (https://nvd.nist.gov/vuln/detail/CVE-2020-8165)
It would be very helpful if Redmine would work with the latest versions of Ruby and Rails. My server has been shut down for testing, since older versions are in use.
Associated revisions
Upgrade Rails to 5.2.4.4 (#34062).
History
#1
Updated by Daniel Müller 4 months ago
https://www.redmine.org/projects/redmine/repository/entry/trunk/Gemfile
    ruby '>= 2.3.0', '< 2.7.0'
    gem 'bundler', '>= 1.12.0'
    gem 'rails', '5.2.4.2'
At least rails 5.2.4.3 is required! Ruby 2.7 would be helpful, too.
#2
Updated by Pavel Rosický 4 months ago
I don't think that the current Redmine version is really vulnerable to CVE-2020-8165 because there's no such code (unless you have plugins or modifications), see https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
but I'm not so sure for instance about this https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw
note that those vulnerabilities were disclosed and fixes are available for 6 months. The fix is 1 line of code. It's sad that there's no reaction from Redmine's team for such a long time :-(
#3
Updated by Marius BALTEANU 3 months ago
- Tracker changed from Defect to Patch
- Subject changed from Security hole in rails to Upgrade Rails to 5.2.4.4
- Assignee set to Jean-Philippe Lang
- Target version set to 4.0.8
#4
Updated by Daniel Müller 3 months ago
It would be helpful to process security fixes in all current branches like version 4.1.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.1-stable/Gemfile) and 4.0.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.0-stable/Gemfile) not only in trunk.
#5
Updated by Marius BALTEANU 3 months ago
Daniel Müller wrote:
It would be helpful to process security fixes in all current branches like version 4.1.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.1-stable/Gemfile) and 4.0.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.0-stable/Gemfile) not only in trunk.
The stable branches will be updated for sure in the following days.
#6
Updated by Michael Gerz 3 months ago
This security issue is rated as "critical" (9.8).
When will we see a new Redmine release to address this issue?
#7
Updated by Michael Gerz 3 months ago
Note: There are tools out there that check for CVE-2020-8165. Expect more user comments in the near future.
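A small checker of the kind #7 alludes to, written here as an added example: it is not Redmine's or Rails's code and not one of the tools mentioned above. It reads the rails pin out of a Gemfile like the trunk one quoted in #1, or out of a Gemfile.lock, and compares it against the fixed releases for CVE-2020-8165. The 5.2.4.3 threshold is the one stated in this thread; 6.0.3.1 is the 6.0-series fix from the same Rails advisory and is an assumption not stated on this page. The sample Gemfile and lockfile text are constructed inline. A clean result only says the gem version is patched; as #2 points out, actual exposure also depends on whether core or plugin code exercises the affected cache path.

```ruby
# Added example: flag a Gemfile / Gemfile.lock whose rails pin predates the
# CVE-2020-8165 fix. Not part of Redmine or Rails.
require 'rubygems' # Gem::Version ships with Ruby's standard library

# Fixed release per series. 5.2.4.3 is stated in the Redmine thread;
# 6.0.3.1 is the 6.0-series fix from the same advisory (assumption,
# not taken from the thread).
FIXED_VERSIONS = {
  '5.2' => Gem::Version.new('5.2.4.3'),
  '6.0' => Gem::Version.new('6.0.3.1'),
}.freeze

# Constructed from the trunk Gemfile lines quoted in comment #1.
SAMPLE_GEMFILE = <<~GEMFILE
  ruby '>= 2.3.0', '< 2.7.0'
  gem 'bundler', '>= 1.12.0'
  gem 'rails', '5.2.4.2'
GEMFILE

# Constructed sample lockfile fragment, not a real Redmine Gemfile.lock.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.2.4.4)
LOCK

# Extract an exact rails pin from either
#   gem 'rails', '5.2.4.2'        (Gemfile)
# or
#       rails (5.2.4.2)           (Gemfile.lock specs section)
# Returns nil when there is no exact pin (e.g. '~> 5.2'); in that case the
# lockfile, not the Gemfile, is the authoritative source.
def rails_version_from(text)
  m = text.match(/^\s*gem\s+['"]rails['"]\s*,\s*['"](\d+(?:\.\d+)+)['"]/)
  return Gem::Version.new(m[1]) if m
  m = text.match(/^\s+rails \((\d+(?:\.\d+)+)\)$/)
  return Gem::Version.new(m[1]) if m
  nil
end

# Vulnerable when below the fixed release of its own series. Series older
# than 5.2 never received a fix, so anything below 5.2.4.3 is treated as
# vulnerable; series newer than 6.0 postdate the advisory and pass.
def vulnerable_to_cve_2020_8165?(version)
  series = version.segments[0, 2].join('.')
  fixed = FIXED_VERSIONS[series]
  return version < FIXED_VERSIONS['5.2'] if fixed.nil?
  version < fixed
end

def report(label, text)
  version = rails_version_from(text)
  return "#{label}: no exact rails pin found (check Gemfile.lock)" if version.nil?
  status = vulnerable_to_cve_2020_8165?(version) ? 'VULNERABLE, upgrade' : 'fixed'
  "#{label}: rails #{version} -> #{status}"
end

if __FILE__ == $PROGRAM_NAME
  puts report('trunk Gemfile (sample)', SAMPLE_GEMFILE)
  puts report('Gemfile.lock (sample)', SAMPLE_LOCKFILE)
  ARGV.each { |path| puts report(path, File.read(path)) }
end
```

Run it with no arguments to see the two embedded samples, or pass the path of a checkout's Gemfile.lock to check a real install.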
#8
Updated by Michael Gerz about 1 month ago
Just wondering - will this security issue be fixed anytime soon?
#10
Updated by Marius BALTEANU about 1 month ago
Michael Gerz wrote:
Just wondering - will this security issue be fixed anytime soon?
Yes, I’m confident that new maintenance releases will be made until end of the year.
#11
Updated by Michael Gerz 13 days ago
Marius BALTEANU wrote:
Michael Gerz wrote:
Just wondering - will this security issue be fixed anytime soon?
Yes, I’m confident that new maintenance releases will be made until end of the year.
Well... then they will be made until the end of 2021. (Anyway... Happy new year!)