WebFaction

Since the recent critical security issues with Rails and the subsequent releases to fix them, how can I most easily upgrade my Redmine installation to avoid it becoming compromised?

As I understand it, I only need to upgrade Rails. But that doesn't seem to be straightforward:

[cgk@web186 redmine]$ which gem
~/webapps/redmine/bin/gem
[cgk@web186 redmine]$ gem update rails
Updating installed gems
Nothing to update
[cgk@web186 redmine]$ gem list

*** LOCAL GEMS ***

bundler (1.2.3)
daemon_controller (0.2.6)
edavis10-object_daddy (0.4.3)
fastthread (1.0.7)
i18n (0.4.2)
metaclass (0.0.1)
mocha (0.10.3)
mysql (2.8.1)
passenger (3.0.9)
rack (1.3.2, 1.1.0)
rake (10.0.3, 0.9.2)
rdoc (2.4.2)
rubygems-update (1.8.24, 1.5.3)
shoulda (2.10.3)
sqlite3 (1.3.5)
sqlite3-ruby (1.3.3)
svn2git (2.1.2)

I'm relatively sure that I installed Redmine by using WebFaction's automated installer, and it's a Rails app, but where does Rails come from? Is it using some system-wide Rails install which has already been patched? (I can't tell because there's no rails command in my path.)

If it is using some local and hence still vulnerable version of Rails, how do I go about upgrading it?

asked 09 Feb '13, 22:15

cgk

edited 09 Feb '13, 22:15

1

Rails is not system-wide; it's installed into your application, and each separate Rails or Redmine application will have its own independent Rails. That means you do want to upgrade.

Our standard Rails one-click installers are now fully updated, and we're currently working on upgrading our Redmine installers as well, which we hope to have finished in a few days.

It may be simpler to wait until our new installers are released, and then deploy the Redmine content into the newly-installed Redmine app. Rails has a lot of dependencies; upgrading it in-place is possible, but you will need to spend time tracing all of the dependencies.

(09 Feb '13, 23:46) ryans ♦♦

Is there some way I can be notified when the updated Redmine installers are available?

(11 Feb '13, 18:01) cgk

@cgk The new Redmine installer is now available.

(11 Feb '13, 21:36) waynek
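
Added example (not part of the original thread and not WebFaction's tooling): because each application carries its own Rails, one way to see which apps still need the upgrade is to read the resolved Rails version from each app's Bundler lockfile and compare it with the fixed release named in the Rails advisory. It assumes one directory per app under a root such as `~/webapps`, each with a `Gemfile.lock` at its top level; the function names and sample lockfile are constructed for illustration, and the minimum version is supplied by the operator because the thread does not state it.

```ruby
require "rubygems"

# Constructed sample Gemfile.lock; the versions are illustrative only.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.8)
        rack (~> 1.4.0)
      rack (1.4.1)
      rails (3.2.8)
        actionpack (= 3.2.8)

  DEPENDENCIES
    rails (= 3.2.8)
LOCK

# Resolved gems sit at exactly four spaces under "specs:"; dependency
# constraints are indented deeper and the DEPENDENCIES entries shallower.
def locked_rails_version(lock_text)
  m = lock_text.match(/^ {4}rails \(([^)\s]+)\)$/)
  m && Gem::Version.new(m[1])
end

# Check every application directory under root (assumed layout: one
# directory per app, e.g. ~/webapps/<app>) against the minimum version.
def audit(root, minimum)
  min = Gem::Version.new(minimum)
  Dir.glob(File.join(root, "*/")).sort.map do |dir|
    lock = File.join(dir, "Gemfile.lock")
    version = File.file?(lock) ? locked_rails_version(File.read(lock)) : nil
    status = if version.nil? then :unknown # no lockfile or no rails entry: check by hand
             elsif version < min then :needs_upgrade
             else :ok
             end
    { app: File.basename(dir), rails: version&.to_s, status: status }
  end
end

# Usage: ruby rails_audit.rb ~/webapps <minimum-fixed-version-from-advisory>
if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
  audit(File.expand_path(ARGV[0]), ARGV[1]).each do |r|
    puts format("%-20s rails=%-10s %s", r[:app], r[:rails] || "-", r[:status])
  end
end
```

An app reported as `unknown` has no lockfile entry for Rails (for example a copy bundled inside the application tree) and needs a manual check.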
question asked: 09 Feb '13, 22:15

question was seen: 1,649 times

last updated: 11 Feb '13, 21:36
