Bump ruby to 3.2.2 due to ReDoS vulnerabilities #24320

Merged
merged 2 commits into mastodon:main from saizai:patch-1 Mar 31, 2023

Conversation

saizai
Contributor

@saizai saizai commented Mar 30, 2023

@nschonni
Contributor

FROM ghcr.io/moritzheiber/ruby-jemalloc:3.2.1-slim as ruby
should probably be updated to match, but I'm not sure if that image has been built yet

@saizai
Contributor Author

saizai commented Mar 30, 2023

see also mastodon/documentation#1194

@saizai
Contributor Author

saizai commented Mar 30, 2023

FROM ghcr.io/moritzheiber/ruby-jemalloc:3.2.1-slim as ruby

should probably be updated to match, but I'm not sure if that image has been built yet

rbenv doesn't yet know about it. Just released.

@saizai saizai changed the title from "Bump to 3.2.2 due to ReDoS vulnerabilities" to "Bump ruby to 3.2.2 due to ReDoS vulnerabilities" Mar 30, 2023
@shleeable
Contributor

shleeable commented Mar 31, 2023

Excellent to hear as well. Those included JIT fixes should solve other problems.

Waiting on moritzheiber/ruby-jemalloc-docker#7

@ClearlyClaire
Contributor

This is also waiting on ruby/setup-ruby#491

@moritzheiber
Member

All of the images are available now. If you re-trigger the pipeline(s) they should come back as green.

@ClearlyClaire
Contributor

All of the images are available now. If you re-trigger the pipeline(s) they should come back as green.

I think at the very least, the Dockerfile needs to be changed as pointed out earlier.

@moritzheiber
Member

Ah, sorry, I didn't check on the changes, yes, that's true.

@ClearlyClaire
Contributor

@saizai can you update the PR with the new docker image?

@saizai
Contributor Author

saizai commented Mar 31, 2023

@saizai can you update the PR with the new docker image?

Done.

@shleeable
Contributor

Thanks

@saizai
Contributor Author

saizai commented Mar 31, 2023

CVE-2023-28755: ReDoS vulnerability in URI
CVE-2023-28756: ReDoS vulnerability in Time

Note: other tags may need to be security patched as well. I have not attempted to patch them as I don't know how you handle security fixes of noncurrent versions.

I suggest that Mastodon periodically check, and notify admin, if

  • GitHub mastodon has non-RC minor or major tag greater than current deployed tag
  • ruby it's running as, and/or rbenv ruby (which might be different and e.g. be source of gems) does not match local .ruby-version — cf. change to point at current .ruby-version documentation#1194; current docs instruct to install Ruby 3.0.4, which predates 841263a (2023-02-13, bumping ruby to 3.0.5); releases v3.5.7, v4.0.3, v4.1.1 postdate that commit but AFAICT don't include it
  • there are un-run migrations in local db/migrate
  • gem versions don't match local Gemfile.lock, e.g. admin didn't run bundle update

Per CVEs and Ruby release notes, vulnerable and upgrade set are:

Current Mastodon versions affected:
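
The periodic deployment-drift checks proposed in the comment above (newer non-RC release tag, running Ruby vs. .ruby-version, un-run migrations, installed gems vs. Gemfile.lock), written out as an added Ruby example. This is not Mastodon's code and not the commenter's; the function names are assumptions of this example. Every input is constructed inline so the script runs offline: sample .ruby-version text, migration file names, applied schema versions, a Gemfile.lock fragment, an installed-gem hash and a list of release tags. In a real deployment those would come from File.read(".ruby-version"), Dir.glob("db/migrate/*.rb"), the schema_migrations table, Gem::Specification and the GitHub releases API.

```ruby
# Added example: pure functions implementing the drift checks suggested above.
require "set"

# Normalise a .ruby-version file: trailing newline and an optional "ruby-" prefix.
def parse_ruby_version(text)
  text.strip.sub(/\Aruby-/, "")
end

# Finding (or nil) when the interpreter running differs from the pinned version.
def ruby_version_drift(pinned_text, running = RUBY_VERSION)
  pinned = parse_ruby_version(pinned_text)
  pinned == running ? nil : "ruby #{running} is running but .ruby-version pins #{pinned}"
end

# Newest non-RC tag newer than the deployed version, or nil. Gem::Version treats
# "4.2.0rc1" as a prerelease, so release candidates are skipped.
def newer_release_tag(tags, deployed)
  current = Gem::Version.new(deployed.delete_prefix("v"))
  candidates = tags.map { |t| Gem::Version.new(t.delete_prefix("v")) }
                   .reject(&:prerelease?)
                   .select { |v| v > current }
  candidates.max&.to_s
end

# Migration files are named <timestamp>_<name>.rb; schema_migrations records the
# timestamp. Return timestamps present on disk but not yet applied, sorted.
def pending_migrations(migration_files, applied_versions)
  applied = applied_versions.to_set
  migration_files.map { |f| File.basename(f)[/\A\d+/] }
                 .compact
                 .reject { |v| applied.include?(v) }
                 .sort
end

# Parse the top-level "specs:" entries of a Gemfile.lock: "    name (version)" with a
# four-space indent. Six-space lines are a gem's own dependencies and are skipped.
def locked_gem_versions(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, versions|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = m[2]
    end
  end
end

# Gems whose installed version differs from the lockfile, or are missing entirely.
def gem_drift(lockfile_text, installed)
  locked_gem_versions(lockfile_text).each_with_object([]) do |(name, locked), findings|
    actual = installed[name]
    next if actual == locked
    findings << "#{name}: lockfile wants #{locked}, installed #{actual || 'none'}"
  end
end

# Run all four checks and return the findings an admin should be notified about.
def drift_report(tags:, deployed:, pinned_text:, running:, migration_files:,
                 applied_versions:, lockfile_text:, installed:)
  findings = []
  if (latest = newer_release_tag(tags, deployed))
    findings << "newer release available: v#{latest} (deployed #{deployed})"
  end
  if (msg = ruby_version_drift(pinned_text, running))
    findings << msg
  end
  pending = pending_migrations(migration_files, applied_versions)
  findings << "un-run migrations: #{pending.join(', ')}" unless pending.empty?
  findings.concat(gem_drift(lockfile_text, installed))
end

# Constructed sample inputs standing in for the real files, database and API.
SAMPLE_TAGS = %w[v4.1.0 v4.1.1 v4.1.2 v4.2.0rc1]
SAMPLE_RUBY_VERSION = "3.2.2\n"
SAMPLE_MIGRATIONS = %w[db/migrate/20230101000000_a.rb db/migrate/20230331120000_b.rb]
SAMPLE_APPLIED = %w[20230101000000]
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.6.4)
      rails (7.0.4.3)
        actionpack (= 7.0.4.3)
LOCK
SAMPLE_INSTALLED = { "rack" => "2.2.6.4", "rails" => "7.0.4.2" }

def sample_report
  drift_report(tags: SAMPLE_TAGS, deployed: "v4.1.1",
               pinned_text: SAMPLE_RUBY_VERSION, running: "3.0.4",
               migration_files: SAMPLE_MIGRATIONS, applied_versions: SAMPLE_APPLIED,
               lockfile_text: SAMPLE_LOCKFILE, installed: SAMPLE_INSTALLED)
end

puts sample_report # one finding per line
```

With the constructed inputs the report lists four findings: a newer release (v4.1.2, with the RC ignored), a Ruby mismatch (3.0.4 running against a pinned 3.2.2, the situation described for v4.1.1 below), one pending migration, and a rails version that differs from Gemfile.lock. Wiring this into a scheduled job and surfacing the findings in the admin UI is the part left to the project.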

@saizai
Contributor Author

saizai commented Mar 31, 2023

@ClearlyClaire For your convenience I've created separate PRs for stable-4.1, stable-4.0, and stable-3.5, changing just the ruby version (to 3.0.6 on each), Mastodon version (to 4.1.2, 4.0.4, 3.5.7 respectively), and changelog.

N.b. v4.1.1 uses ruby 3.0.4, not 3.2.x; it's behind 841263a bump to 3.0.5 and fb8503e bump to 3.2.1.

I have not verified that they work — just bumped the Dockerfile, .ruby-version, docker-compose.yml (on 3.5), lib/mastodon/version.rb, and CHANGELOG.md based on your previous version bumps and the two ruby version changes. I have not changed Gemfile.lock, but unless a gem breaks between 3.0.3/3.0.4 and 3.0.6, that should be fine, as I made no Gemfile changes.

3.5's docker-compose depends on a ghcr.io image, which I don't know how you do without circular dependency, but I just copied what you did in 547634d.

Did this in GitHub editor rather than actually cherry-picking the commits to main / patch-1, so they're different commits, but hopefully that's okay as combining those with this (main) patch should be a nop merge.

@saizai
Contributor Author

saizai commented Mar 31, 2023

rbenv should now know about the updated versions via rbenv/ruby-build@c0c7b81, released yesterday

Dockerfile actually working for main and stable-4.1 is still pending ruby/setup-ruby#491, which is why the CI is failing with Error: Error: Unknown version 3.2.2 for ruby on ubuntu-22.04.

AFAICT that shouldn't block stable-4.0 or stable-3.5, which don't seem to use setup-ruby.

@saizai
Contributor Author

saizai commented Mar 31, 2023

setup-ruby pushed the updates 10m ago. ruby/setup-ruby@904f3fe

Should be good to go if it passes CI.

@ClearlyClaire
Contributor

Re-running CI. As for the branches, the PRs are welcome, but we'll not merge them as-is as backport releases are already in preparation.

saizai added a commit to saizai/mastodon that referenced this pull request Mar 31, 2023
@ClearlyClaire ClearlyClaire merged commit f318f1e into mastodon:main Mar 31, 2023
30 checks passed
@saizai saizai deleted the patch-1 branch March 31, 2023 16:37
arachnist pushed a commit to arachnist/mastodon that referenced this pull request Apr 4, 2023
skerit pushed a commit to 11ways/mastodon that referenced this pull request Jul 7, 2023