
Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156) #2526

Closed
zombified opened this Issue January 09, 2013 · 5 comments

4 participants

Joel Kleier Riyad Preukschas Valeriy Sizov David Van Duzer
Joel Kleier

I'm not terribly familiar with Ruby/Rails, so I have a few questions for those that are more knowledgeable:

  1. Does this CVE affect the current stable version (4.0) of Gitlab?
  2. If it does affect the version, how can it be patched (or the ruby/rails version updated) until an official fix is in place?

Here's the notice: https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion

Thank you for your help!

Riyad Preukschas
Collaborator

@randx @vsizov we should update Rails to 3.2.11 and ship GitLab 4.0.1.

Valeriy Sizov

We have many changes for now. Maybe we should create a branch based on 4.0.0 and create a corresponding tag?!

Riyad Preukschas
Collaborator

@vsizov we already have a 4-0-stable branch. We may need to backport some fixes from master and then ship it. Especially because of the above vulnerability.

Joel Kleier

You've probably already seen it, but I also felt I should mention that the fix seems to introduce another issue: rails/rails#8832

Would this affect Gitlab at all?

David Van Duzer

Updating Rails to 3.2.11 doesn't cause any of the automatic tests to fail, but that doesn't necessarily guarantee rails/rails#8832 isn't problematic.

Works For Me™ as well as the test suite.
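The fix discussed in this thread is a Rails version bump, so the practical check for any Rails deployment is "does my Gemfile.lock pin a release that carries the CVE-2013-0156 fix?". The script below is an added example, not code from this issue or from the GitLab project: it reads the `specs:` section of a Gemfile.lock, extracts the resolved `rails` version and compares it against the fixed releases named in the Rails security announcement (3.2.11, 3.1.10, 3.0.19, 2.3.15). The `SAMPLE_LOCKFILE` text is constructed for the example; point `check_lockfile` at `File.read("Gemfile.lock")` to run it against a real application.

```ruby
# Added example (not from the GitLab issue thread): check whether a Gemfile.lock
# pins a Rails release that includes the CVE-2013-0156 parameter-parsing fix.
require 'rubygems'

# First fixed release of each Rails series, per the CVE-2013-0156 announcement.
FIXED_RAILS = {
  "3.2" => Gem::Version.new("3.2.11"),
  "3.1" => Gem::Version.new("3.1.10"),
  "3.0" => Gem::Version.new("3.0.19"),
  "2.3" => Gem::Version.new("2.3.15"),
}.freeze

# Constructed sample Gemfile.lock pinning a pre-fix Rails 3.2 release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.9)
        activemodel (= 3.2.9)
      rails (3.2.9)
        actionmailer (= 3.2.9)
        actionpack (= 3.2.9)
      rails-dev-boost (0.2.1)
        rails (>= 3.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.9)
LOCK

# Return the resolved version of gem_name from a "specs:" section, or nil.
# Resolved entries are indented exactly four spaces ("    rails (3.2.9)");
# six-space lines are dependency constraints, not resolved versions.
def locked_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.strip.empty?   # blank line ends the section
    next unless in_specs
    if (m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# :fixed, :vulnerable, or :unknown_series (a series not listed in the advisory).
def cve_2013_0156_status(rails_version)
  series = rails_version.segments[0, 2].join(".")
  fixed = FIXED_RAILS[series]
  return :unknown_series unless fixed
  rails_version >= fixed ? :fixed : :vulnerable
end

# Returns [status, version_string]; status is :no_rails if the lockfile has no rails entry.
def check_lockfile(lockfile_text)
  version = locked_version(lockfile_text, "rails")
  return [:no_rails, nil] if version.nil?
  [cve_2013_0156_status(version), version.to_s]
end

if __FILE__ == $0
  status, version = check_lockfile(SAMPLE_LOCKFILE)
  puts "rails #{version}: #{status}"
end
```

Version comparison goes through `Gem::Version` rather than string comparison so that `3.2.11` correctly sorts after `3.2.9`; a series the advisory does not list is reported as `:unknown_series` rather than silently treated as safe.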

Riyad Preukschas riyad closed this January 09, 2013