[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rails update

Hi,

On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
> Hi,
> 
> On 06/07/2020 09:55, Pirate Praveen wrote:
> > On 2020, ജൂലൈ 6 1:09:09 PM IST, Sylvain Beucler <beuc@beuc.net> wrote:
> >> On 30/06/2020 22:38, Salvatore Bonaccorso wrote:
> >>> On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote:
> >>>> On 25/06/2020 18:20, Sylvain Beucler wrote:
> >>>>> On 22/06/2020 13:23, Sylvain Beucler wrote:
> >>>>>> On 22/06/2020 11:56, Utkarsh Gupta wrote:
> >>>>>>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <beuc@beuc.net> wrote:
> >>>>>>>> Hmm, are you the only active maintainer for rails?
> >>>>>>>
> >>>>>>> There are 3 maintainers. CC'ed rails@p.d.o.
> >>>>>>> However, since you have already worked on preparing the fix for
> >>>>>>> Jessie, it's much easier on your part to do it for Stretch and Buster.
> >>>>>>> But that's volunteer work :)
> >>>>>>>
> >>>>>>> If you don't want to work, don't :)
> >>>>>>
> >>>>>> For rails@d.p.o's info, I explained at:
> >>>>>> https://lists.debian.org/debian-lts/2020/06/msg00063.html
> >>>>>> that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
> >>>>>> https://www.beuc.net/tmp/debian-lts/rails/
> >>>>>>
> >>>>>> However the buster version (5.2.2.1) is affected by a different set of
> >>>>>> vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
> >>>>>> the update causes new issues.
> >>>>>>
> >>>>>> That's why I think it'd make more sense for the rails maintainers to
> >>>>>> backport the latest bullseye update.
> >>>>>>
> >>>>>> Let me know what you plan to do.
> >>>>>>
> >>>>>>>> Which security update broke what, exactly?
> >>>>>>>
> >>>>>>> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
> >>>>>>> fixes for CVE-2020-816{2,4,5,6,7}.
> >>>>>>> JavaScript bundle generation for Activestorage didn't work w/o that
> >>>>>>> patch. We had to switch to node-babel7 for that.
> >>>>>>
> >>>>>> I updated
> >>>>>> https://wiki.debian.org/LTS/TestSuites/rails
> >>>>>> accordingly.
> >>>>>>
> >>>>>> The stretch updates passes this new test.
> >>>>>>
> >>>>>> (Though in this particular case it may have just been due to node-babel
> >>>>>> changes in unstable since March, e.g. babel7 is pulled through
> >>>>>> node-regenerator-transform.)
> >>>>>
> >>>>> Status update: jessie and stretch are affected by new important
> >>>>> CVE-2020-8163.
> >>>>> buster and above not affected.
> >>>>> Currently waiting for upstream's feedback on a second regression, then
> >>>>> I'll prepare an update for jessie & stretch.
> >>>>
> >>>> https://www.beuc.net/tmp/debian-lts/rails/ is updated.
> >>>>
> >>>> Upstream showed little care for 4.x and I don't expect further feedback,
> >>>> so I went ahead and backported:
> >>>> https://github.com/rails/rails/commit/d9ff835b99ff3c7567ccde9b1379b4deeabee32f
> >>>> to fix the regression, including tests.
> >>>>
> >>>> Rationale at:
> >>>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
> >>>>
> >>>> Note: redmine/stretch (< 3.4) was not affected by the regression.
> >>>
> >>> Attaching the debdiff for reference. The changes looks good to me, but
> >>> I defintively would like to see a second pair of eyes here from the
> >>> rails maintainers, in particular for CVE-2020-8163, Utkarsh?
> >>>
> >>> There is no lost work, but if we want to release a rails update for
> >>> stretch (before it moves to LTS), we should try to get as well a rails
> >>> update beeing prepared for buster, Utkarsh you indicated lack of time
> >>> currently, any one other up from the rails maintainers?
> 
> 
> Back to the initial topic, the current tasks underway are:
> 
> 
> - stretch update review
> 
> The update is ready:
> https://www.beuc.net/tmp/debian-lts/rails/
> 
> It includes an additional regression fix for CVE-2020-8163.
> https://security-tracker.debian.org/tracker/CVE-2020-8163
> 
> I requested upstream feedback but given that 4.x is EOL so far no luck.
> https://github.com/rails/rails/issues/39301#issuecomment-648885623
> https://github.com/rails/rails/pull/39806
> 
> Hence we called for a review from a Ruby/Rails-savvy DD.
> (stretch moved from oldstable->LTS meanwhile, but the review would still
> be appreciated)
> Anyone up?
> 
> 
> - buster update
> 
> I now "up-ported" my stretch work at:
> https://www.beuc.net/tmp/debian-lts/rails-buster/
> + added the redis side of CVE-2020-8165
> 
> I believe I would do a disservice to the community if I did a one-time
> update masking possible problems with long-term maintenance, so I'm
> leaving the other CVEs to fix
> (cf. https://security-tracker.debian.org/tracker/source-package/rails)

I looked briefly at both updates, and the new patches included in them
look sane and reasonable.

Attachment: signature.asc
Description: PGP signature

Reply to: