Is anyone aware of an upgrade path for rails 2.3.14 on tkl/redmine 12.0?
I ask because of the CVEs detailed here:
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-...
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-bee...
http://www.redmine.org/boards/2/topics/35453
I am also a little confused because
http://releases.turnkeylinux.org/turnkey-redmine/12.0-squeeze-x86/turnke... suggests I should have rails version 2.3.14 installed. However, when I query the system:
root@ahost /etc# cat turnkey_version
turnkey-redmine-12.0-squeeze-x86
The rails package details are given as:
root@ahost /etc# apt-cache show rails
Package: rails
Version: 2.3.5-1.2+squeeze6
Installed-Size: 60
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Architecture: all
Depends: rails-ruby1.8
Description: MVC ruby based framework geared for web application development
 Rails is a full-stack, open-source web framework in Ruby for writing
 real-world applications.
 .
 Being a full-stack framework means that all layers are built to work
 seamlessly together. That way you don't repeat yourself and you can use a
 single language from top to bottom. Everything from templates to control
 flow to business logic is written in Ruby.
 .
 This is an empty dependency package.
Homepage: http://rubyonrails.com
Section: web
Priority: optional
Filename: pool/updates/main/r/rails/rails_2.3.5-1.2+squeeze6_all.deb
Size: 12418
MD5sum: a441c73c5408d9fc4c433eec925f1854
SHA1: 2d29def2b25c7702f6cfc9b913efef3566487e25
SHA256: 4616a8a5e90c39850f0e5b664014803304a1407949e6ca09611397a12b29e9ba

Package: rails
Priority: optional
Section: ruby
Installed-Size: 60
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Architecture: all
Version: 2.3.5-1.2+squeeze3
Depends: rails-ruby1.8
Filename: pool/main/r/rails/rails_2.3.5-1.2+squeeze3_all.deb
Size: 12124
MD5sum: 2c29d5741679b83245a536859f09b879
SHA1: 62b09e1607b54b9e81083936900d168254beeb30
SHA256: 0d1ae7001cc5c56267ecd7085c6c14609716e3562e37df8c5b4f58b0f74ad237
Description: MVC ruby based framework geared for web application development
 Rails is a full-stack, open-source web framework in Ruby for writing
 real-world applications.
 .
 Being a full-stack framework means that all layers are built to work
 seamlessly together. That way you don't repeat yourself and you can use a
 single language from top to bottom. Everything from templates to control
 flow to business logic is written in Ruby.
 .
 This is an empty dependency package.
Homepage: http://rubyonrails.com
Tag: devel::{code-generator,lang:ruby,lang:sql,web}, implemented-in::ruby, interface::web, protocol::http, role::devel-lib, scope::suite, web::application, works-with::db, works-with-format::html
coming from repo:
root@ahost /etc# apt-cache policy rails
rails:
  Installed: (none)
  Candidate: 2.3.5-1.2+squeeze6
  Version table:
     2.3.5-1.2+squeeze6 0
        500 http://security.debian.org/ squeeze/updates/main i386 Packages
     2.3.5-1.2+squeeze3 0
        500 http://ftp.debian.org/debian/ squeeze/main i386 Packages
cron-apt has been running:
CRON-APT RUN [/etc/cron-apt/config]: Fri Feb 1 11:34:01 UTC 2013
CRON-APT SLEEP: 2488, Fri Feb 1 12:15:31 UTC 2013
CRON-APT ACTION: 0-update
CRON-APT LINE: /usr/bin/apt-get update -o quiet=2
CRON-APT ACTION: 5-install
CRON-APT LINE: /usr/bin/apt-get autoclean -q -y
CRON-APT LINE: /usr/bin/apt-get dist-upgrade -q -y -o APT::Get::Show-Upgraded=true -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list -o Dir::Etc::sourceparts=nonexistent -o DPkg::Options::=--force-confdef -o DPkg::Options::=--force-confold
CRON-APT RUN [/etc/cron-apt/config]: Fri Feb 1 17:12:53 UTC 2013
CRON-APT ACTION: 0-update
CRON-APT LINE: /usr/bin/apt-get update -o quiet=2
CRON-APT ACTION: 5-install
CRON-APT LINE: /usr/bin/apt-get autoclean -q -y
CRON-APT LINE: /usr/bin/apt-get dist-upgrade -q -y -o APT::Get::Show-Upgraded=true -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list -o Dir::Etc::sourceparts=nonexistent -o DPkg::Options::=--force-confdef -o DPkg::Options::=--force-confold
Looks like there are no security updates recently.
I have patched using 2-3-json-parser.patch from https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security..., just in case, which should cover CVE-2013-0333, and added the line
ActionController::Base.param_parsers.delete(Mime::XML)
as a workaround, as suggested by http://www.redmine.org/boards/2/topics/35453.
I would appreciate any advice and feedback regarding these CVEs and any other ones for that matter. An apt-get update; apt-get upgrade seems to render my system unbootable :(
Edit: the environment.rb patch caused passenger not to start.
Edit 2: https://engineyard.zendesk.com/entries/22903718-january-8th-2013-multipl... seems to be a better workaround.
2 things...
Firstly, I'm not sure about the TKL changelog, perhaps it is a mistake? Also the manifest doesn't list rails as an included package (which generally means it is installed from upstream) - however the package you have installed is (obviously) definitely from the Debian repos...
Secondly, the package you have (2.3.5-1.2+squeeze6) should already include the security bug backported patches that you link to. So there is no need to apply your own patches.
I quote from https://security-tracker.debian.org/tracker/source-package/rails
So there should be no need to worry... :)
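As an added example (not code from the thread or from TurnKey/Debian), the check a practitioner would run before trusting "the package is fixed": compare Debian package versions with dpkg's ordering rules and read `apt-cache policy` output to report the Installed and Candidate versions separately against the fixed revision. The fixed revision 2.3.5-1.2+squeeze6 is taken from the reply above; the sample policy text is constructed from the output pasted in the question.

```ruby
# Added example (not from the thread): dpkg-style version ordering plus a check of `apt-cache policy` text.
# Weight of one char in a non-digit run: '~' < end of string < letters < other punctuation.
def order(c)
  return 0 if c.nil? || c =~ /\d/
  c == '~' ? -1 : (c =~ /[A-Za-z]/ ? c.ord : c.ord + 256)
end

# dpkg's verrevcmp: alternate non-digit runs (char by char) with digit runs (numeric).
def verrevcmp(a, b)
  i = j = 0
  while i < a.size || j < b.size
    while (i < a.size && a[i] !~ /\d/) || (j < b.size && b[j] !~ /\d/)
      ac, bc = order(a[i]), order(b[j])
      return ac <=> bc if ac != bc
      i += 1; j += 1
    end
    i += 1 while a[i] == '0'; j += 1 while b[j] == '0' # leading zeros are insignificant
    first_diff = 0
    while a[i] =~ /\d/ && b[j] =~ /\d/
      first_diff = a[i].ord - b[j].ord if first_diff.zero?
      i += 1; j += 1
    end
    return 1 if a[i] =~ /\d/ # the longer digit run (after zero-stripping) is larger
    return -1 if b[j] =~ /\d/
    return first_diff <=> 0 unless first_diff.zero?
  end
  0
end

# Split [epoch:]upstream[-revision] and compare component by component.
def deb_vercmp(a, b)
  pa, pb = [a, b].map do |v|
    epoch, rest = v.include?(':') ? v.split(':', 2) : ['0', v]
    cut = rest.rindex('-')
    [epoch.to_i, cut ? rest[0...cut] : rest, cut ? rest[cut + 1..] : '']
  end
  return pa[0] <=> pb[0] if pa[0] != pb[0]
  c = verrevcmp(pa[1], pb[1])
  c.zero? ? verrevcmp(pa[2], pb[2]) : c
end

FIXED_RAILS = '2.3.5-1.2+squeeze6' # revision the reply above says carries the backported fixes
# Report Installed and Candidate separately: a fixed Candidate that is not Installed protects nothing.
def assess_policy(policy, fixed = FIXED_RAILS)
  installed = policy[/^\s*Installed:\s*(\S+)/, 1]
  candidate = policy[/^\s*Candidate:\s*(\S+)/, 1]
  { installed: installed, candidate: candidate,
    installed_fixed: installed != '(none)' && deb_vercmp(installed, fixed) >= 0,
    candidate_fixed: deb_vercmp(candidate, fixed) >= 0 }
end
SAMPLE_POLICY = "rails:\n  Installed: (none)\n  Candidate: 2.3.5-1.2+squeeze6\n" # constructed from the thread
```

Feed it the real output with `assess_policy(`apt-cache policy rails`)`; `installed_fixed: false` on the sample reflects that apt reports the package as not installed, whatever the candidate is.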
Many thanks for the info on the packages updates.
I have scanned a non-patched instance using https://www.tinfoilsecurity.com/railscheck as suggested and discussed on http://news.ycombinator.com/item?id=5153557 and it seems there is indeed no need to worry! Thank you.