Bump ruby to 3.2.2 due to ReDoS vulnerabilities #24320
Conversation
see also mastodon/documentation#1194
rbenv doesn't yet know about it. Just released.
Excellent to hear as well. Those included JIT fixes should solve other problems. Waiting on moritzheiber/ruby-jemalloc-docker#7
This is also waiting on ruby/setup-ruby#491
All of the images are available now. If you re-trigger the pipeline(s) they should come back as green.
I think at the very least, the
Ah, sorry, I didn't check on the changes, yes, that's true.
@saizai can you update the PR with the new docker image?
Done.
Thanks
CVE-2023-28755: ReDoS vulnerability in URI

Note: other tags may need to be security patched as well. I have not attempted to patch them as I don't know how you handle security fixes of noncurrent versions. I suggest that Mastodon periodically check, and notify admin, if

Per CVEs and Ruby release notes, vulnerable and upgrade set are:

Current Mastodon versions affected:
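The PR description above pins the fix to specific Ruby releases (3.2.2 for main, 3.0.6 for the stable branches) and points at the 2.7 end-of-life notice. The following is an added example, not code from Mastodon or from the PR author: it turns those numbers into a deploy-time gate that classifies the running Ruby as patched, vulnerable, end-of-life or unknown, and wraps `URI.parse` so a parse that trips Ruby 3.2's process-wide `Regexp.timeout` (an assumed defense-in-depth setting, not something the PR configures) fails closed instead of stalling a worker. The 3.1 series is deliberately left out of the table because the page does not list a patched 3.1 release.

```ruby
# Added example for this PR thread, not code from Mastodon or the PR author.
# Defender-side checks around the CVE-2023-28755 bump: gate on the patched Ruby
# release for the running series (3.2.2 for main, 3.0.6 for the stable branches,
# as listed in the PR), treat 2.7 as past security support, and wrap URI parsing
# so a regex that runs too long fails closed instead of stalling a worker.
require 'rubygems'
require 'uri'

# Minimum patched release per Ruby minor series, taken from the PR description.
# Series not listed here (e.g. 3.1) are reported as :unknown rather than guessed.
PATCHED_MIN = {
  '3.2' => Gem::Version.new('3.2.2'),
  '3.0' => Gem::Version.new('3.0.6'),
}.freeze

# Series that are past security-patch support per the linked ruby-lang.org note.
EOL_SERIES = ['2.7'].freeze

# "3.2.1" -> "3.2"
def ruby_series(version_string)
  version_string.split('.').first(2).join('.')
end

# Classify a Ruby version string as :patched, :vulnerable, :eol or :unknown.
def ruby_status(version_string)
  series = ruby_series(version_string)
  return :eol if EOL_SERIES.include?(series)

  min = PATCHED_MIN[series]
  return :unknown if min.nil?

  Gem::Version.new(version_string) >= min ? :patched : :vulnerable
end

# Ruby 3.2 added a process-wide Regexp.timeout (seconds) as a generic ReDoS
# backstop; this is an assumed defense-in-depth setting, not part of the PR.
# Returns true if the knob exists on this interpreter and was set.
def enable_regexp_timeout(seconds)
  return false unless Regexp.respond_to?(:timeout=)

  Regexp.timeout = seconds
  true
end

# Parse a URI and return nil on malformed input or on a regex timeout,
# so callers can drop the request instead of propagating an exception.
def safe_parse_uri(str)
  URI.parse(str)
rescue URI::InvalidURIError
  nil
rescue StandardError => e
  # Regexp::TimeoutError is only defined on Ruby >= 3.2; compare by name so
  # the file still loads on the 3.0 branches.
  raise unless e.class.name == 'Regexp::TimeoutError'

  nil
end

if __FILE__ == $PROGRAM_NAME
  enable_regexp_timeout(1.0)
  puts "running Ruby #{RUBY_VERSION}: #{ruby_status(RUBY_VERSION)}"
  %w[3.2.1 3.2.2 3.0.6 2.7.8].each { |v| puts "#{v}: #{ruby_status(v)}" }
  p safe_parse_uri('https://mastodon.example/@user')&.host
end
```

Run it with the interpreter you are about to deploy; a `:vulnerable` or `:eol` result is the signal to stop. `enable_regexp_timeout` returns false on Ruby 3.0, which is itself useful information: on those branches the only protection is the patched `uri` code, so the version gate carries the whole load.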
@ClearlyClaire For your convenience I've created separate PRs for stable-4.1, stable-4.0, and stable-3.5, changing just the ruby version (to 3.0.6 on each), Mastodon version (to 4.1.2, 4.0.4, 3.5.7 respectively), and changelog.

N.b. v4.1.1 uses ruby 3.0.4, not 3.2.x; it's behind 841263a bump to 3.0.5 and fb8503e bump to 3.2.1.

I have not verified that they work — just bumped the

3.5's docker-compose depends on a ghcr.io image, which I don't know how you do without circular dependency, but I just copied what you did in 547634d

Did this in GitHub editor rather than actually cherry-picking the commits to main / patch-1, so they're different commits, but hopefully that's okay as combining those with this (main) patch should be a nop merge.

rbenv should now know about the updated versions via rbenv/ruby-build@c0c7b81, released yesterday.

Dockerfile actually working for main and stable-4.1 is still pending ruby/setup-ruby#491, which is why the CI is failing with

AFAICT that shouldn't block stable-4.0 or stable-3.5, which don't seem to use setup-ruby.

setup-ruby pushed the updates 10m ago. ruby/setup-ruby@904f3fe

Should be good to go if it passes CI.

Re-running CI. As for the branches, the PRs are welcome, but we'll not merge them as-is as backport releases are already in preparation.
[2.7 is deprecated past security patch support.](https://www.ruby-lang.org/en/news/2023/03/30/ruby-2-7-8-released/) See mastodon#24320 (comment)
https://www.ruby-lang.org/en/news/2023/03/30/ruby-3-2-2-released/