
Re: rails update



Hi,

On 06/07/2020 09:55, Pirate Praveen wrote:
> On 2020, July 6 1:09:09 PM IST, Sylvain Beucler <beuc@beuc.net> wrote:
>> On 30/06/2020 22:38, Salvatore Bonaccorso wrote:
>>> On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote:
>>>> On 25/06/2020 18:20, Sylvain Beucler wrote:
>>>>> On 22/06/2020 13:23, Sylvain Beucler wrote:
>>>>>> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>>>>>>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <beuc@beuc.net> wrote:
>>>>>>>> Hmm, are you the only active maintainer for rails?
>>>>>>>
>>>>>>> There are 3 maintainers. CC'ed rails@p.d.o.
>>>>>>> However, since you have already worked on preparing the fix for
>>>>>>> Jessie, it's much easier on your part to do it for Stretch and Buster.
>>>>>>> But that's volunteer work :)
>>>>>>>
>>>>>>> If you don't want to work, don't :)
>>>>>>
>>>>>> For rails@d.p.o's info, I explained at:
>>>>>> https://lists.debian.org/debian-lts/2020/06/msg00063.html
>>>>>> that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
>>>>>> https://www.beuc.net/tmp/debian-lts/rails/
>>>>>>
>>>>>> However the buster version (5.2.2.1) is affected by a different set of
>>>>>> vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
>>>>>> the update causes new issues.
>>>>>>
>>>>>> That's why I think it'd make more sense for the rails maintainers to
>>>>>> backport the latest bullseye update.
>>>>>>
>>>>>> Let me know what you plan to do.
>>>>>>
>>>>>>>> Which security update broke what, exactly?
>>>>>>>
>>>>>>> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
>>>>>>> fixes for CVE-2020-816{2,4,5,6,7}.
>>>>>>> JavaScript bundle generation for Activestorage didn't work w/o that
>>>>>>> patch. We had to switch to node-babel7 for that.
>>>>>>
>>>>>> I updated
>>>>>> https://wiki.debian.org/LTS/TestSuites/rails
>>>>>> accordingly.
>>>>>>
>>>>>> The stretch update passes this new test.
>>>>>>
>>>>>> (Though in this particular case it may have just been due to node-babel
>>>>>> changes in unstable since March, e.g. babel7 is pulled through
>>>>>> node-regenerator-transform.)
>>>>>
>>>>> Status update: jessie and stretch are affected by new important
>>>>> CVE-2020-8163.
>>>>> buster and above not affected.
>>>>> Currently waiting for upstream's feedback on a second regression, then
>>>>> I'll prepare an update for jessie & stretch.
>>>>
>>>> https://www.beuc.net/tmp/debian-lts/rails/ is updated.
>>>>
>>>> Upstream showed little care for 4.x and I don't expect further feedback,
>>>> so I went ahead and backported:
>>>> https://github.com/rails/rails/commit/d9ff835b99ff3c7567ccde9b1379b4deeabee32f
>>>> to fix the regression, including tests.
>>>>
>>>> Rationale at:
>>>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
>>>>
>>>> Note: redmine/stretch (< 3.4) was not affected by the regression.
>>>
>>> Attaching the debdiff for reference. The changes look good to me, but
>>> I definitely would like to see a second pair of eyes here from the
>>> rails maintainers, in particular for CVE-2020-8163, Utkarsh?
>>>
>>> There is no lost work, but if we want to release a rails update for
>>> stretch (before it moves to LTS), we should try to get a rails
>>> update prepared for buster as well. Utkarsh, you indicated lack of time
>>> currently; anyone else up for it from the rails maintainers?


Back to the initial topic, the current tasks underway are:


- stretch update review

The update is ready:
https://www.beuc.net/tmp/debian-lts/rails/

It includes an additional regression fix for CVE-2020-8163.
https://security-tracker.debian.org/tracker/CVE-2020-8163

I requested upstream feedback, but given that 4.x is EOL, so far no luck.
https://github.com/rails/rails/issues/39301#issuecomment-648885623
https://github.com/rails/rails/pull/39806

Hence we called for a review from a Ruby/Rails-savvy DD.
(stretch moved from oldstable->LTS meanwhile, but the review would still
be appreciated)
Anyone up?


- buster update

I now "up-ported" my stretch work at:
https://www.beuc.net/tmp/debian-lts/rails-buster/
+ added the redis side of CVE-2020-8165

I believe I would do a disservice to the community if I did a one-time
update masking possible problems with long-term maintenance, so I'm
leaving the other CVEs to fix
(cf. https://security-tracker.debian.org/tracker/source-package/rails).


Cheers!
Sylvain Beucler
Debian LTS Team

