Tom's picture

Does anyone aware of an upgrade path for rails 2.3.14 on tkl/redmine 12.0 ?

I ask because of the CVEs detailed here :

http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-...

http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-bee...

http://www.redmine.org/boards/2/topics/35453

I am also a little confused because

http://releases.turnkeylinux.org/turnkey-redmine/12.0-squeeze-x86/turnke... suggests I should have rails version 2.3.14 installed. However when I query the system :

root@ahost /etc# cat turnkey_version
turnkey-redmine-12.0-squeeze-x86

The rails package details are given as :

root@ahost /etc# apt-cache show rails
Package: rails
Version: 2.3.5-1.2+squeeze6
Installed-Size: 60
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Architecture: all
Depends: rails-ruby1.8
Description: MVC ruby based framework geared for web application development
 Rails is a full-stack, open-source web framework in Ruby for writing
 real-world applications.
 .
 Being a full-stack framework means that all layers are built to work
 seamlessly together. That way you don't repeat yourself and you can
 use a single language from top to bottom. Everything from templates to
 control flow to business logic is written in Ruby.
 .
 This is an empty dependency package.
Homepage: http://rubyonrails.com
Section: web
Priority: optional
Filename: pool/updates/main/r/rails/rails_2.3.5-1.2+squeeze6_all.deb
Size: 12418
MD5sum: a441c73c5408d9fc4c433eec925f1854
SHA1: 2d29def2b25c7702f6cfc9b913efef3566487e25
SHA256: 4616a8a5e90c39850f0e5b664014803304a1407949e6ca09611397a12b29e9ba

Package: rails
Priority: optional
Section: ruby
Installed-Size: 60
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Architecture: all
Version: 2.3.5-1.2+squeeze3
Depends: rails-ruby1.8
Filename: pool/main/r/rails/rails_2.3.5-1.2+squeeze3_all.deb
Size: 12124
MD5sum: 2c29d5741679b83245a536859f09b879
SHA1: 62b09e1607b54b9e81083936900d168254beeb30
SHA256: 0d1ae7001cc5c56267ecd7085c6c14609716e3562e37df8c5b4f58b0f74ad237
Description: MVC ruby based framework geared for web application development
 Rails is a full-stack, open-source web framework in Ruby for writing
 real-world applications.
 .
 Being a full-stack framework means that all layers are built to work
 seamlessly together. That way you don't repeat yourself and you can
 use a single language from top to bottom. Everything from templates to
 control flow to business logic is written in Ruby.
 .
 This is an empty dependency package.
Homepage: http://rubyonrails.com
Tag: devel::{code-generator,lang:ruby,lang:sql,web}, implemented-in::ruby, interface::web, protocol::http, role::devel-lib, scope::suite, web::application, works-with::db, works-with-format::html

coming from repo :

root@ahost /etc# apt-cache policy rails
rails:
  Installed: (none)
  Candidate: 2.3.5-1.2+squeeze6
  Version table:
     2.3.5-1.2+squeeze6 0
        500 http://security.debian.org/ squeeze/updates/main i386 Packages
     2.3.5-1.2+squeeze3 0
        500 http://ftp.debian.org/debian/ squeeze/main i386 Packages

cron-apt has been runing :

CRON-APT RUN [/etc/cron-apt/config]: Fri Feb  1 11:34:01 UTC 2013
CRON-APT SLEEP: 2488, Fri Feb  1 12:15:31 UTC 2013
CRON-APT ACTION: 0-update
CRON-APT LINE: /usr/bin/apt-get update -o quiet=2
CRON-APT ACTION: 5-install
CRON-APT LINE: /usr/bin/apt-get autoclean -q -y
CRON-APT LINE: /usr/bin/apt-get dist-upgrade -q -y -o APT::Get::Show-Upgraded=true -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list -o Dir::Etc::sourceparts=nonexistent -o DPkg::Options::=--force-confdef -o DPkg::Options::=--force-confold
CRON-APT RUN [/etc/cron-apt/config]: Fri Feb  1 17:12:53 UTC 2013
CRON-APT ACTION: 0-update
CRON-APT LINE: /usr/bin/apt-get update -o quiet=2
CRON-APT ACTION: 5-install
CRON-APT LINE: /usr/bin/apt-get autoclean -q -y
CRON-APT LINE: /usr/bin/apt-get dist-upgrade -q -y -o APT::Get::Show-Upgraded=true -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list -o Dir::Etc::sourceparts=nonexistent -o DPkg::Options::=--force-confdef -o DPkg::Options::=--force-confold

Looks like there are no security updates recently.

I have patched using 2-3-json-parser.patch  from https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security... just in case which should cover CVE-2013-0333 and added the line

ActionController::Base.param_parsers.delete(Mime::XML)

as a workaround as suggested by : http://www.redmine.org/boards/2/topics/35453.

I would appreciate any advice and feedback regarding these CVEs and any other ones for that matter. An apt-get update; apt-get upgrade seems to render my system unbootable :(

 

Edit : the environment.rb patch caused passenger not to start.

Edit 2: https://engineyard.zendesk.com/entries/22903718-january-8th-2013-multipl... seems to be a better workaround.

Forum: 
Jeremy Davis's picture

Firstly, I'm not sure about the TKL changelog, perhaps it is a mistake? Also the manifest doesn't list rails as an included package (which generally means it is installed from upstream) - however the package you have installed is (obviously) definately from the Debian repos...

Secondly, the package you have (2.3.5-1.2+squeeze6) should already include the security bug backported patches that you link to. So there is no need to apply your own patches.

I quote from https://security-tracker.debian.org/tracker/source-package/rails

Resolved issues
...
CVE-2013-0155 Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x ...
CVE-2013-0156 active_support/core_ext/hash/conversions.rb in Ruby on Rails before ...
CVE-2013-0333 lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before ...

So there should be no need to worry... :)

Tom's picture

Many thanks for the info on the packages updates.

I have scanned a non-patched instance using the https://www.tinfoilsecurity.com/railscheck as suggested and discussed on http://news.ycombinator.com/item?id=5153557 and it seems there is indeed no need to worry ! Thank you.


Add new comment