Since the recent critical security issues with Rails and the subsequent releases to fix them, how can I most easily upgrade my Redmine installation to avoid it becoming compromised? As I understand it, I only need to upgrade Rails. But that doesn't seem to be straightforward:
I'm relatively sure that I installed Redmine by using WebFaction's automated installer, and it's a Rails app, but where does Rails come from? Is it using some system-wide Rails install which has already been patched? (I can't tell because there's no If it is using some local and hence still vulnerable version of Rails, how do I go about upgrading it?
asked 09 Feb '13, 22:15 cgk
Rails is not system-wide; it's installed into your application, and each separate Rails or Redmine application will have its own independent Rails. That means you do want to upgrade.
Our standard Rails one-click installers are now fully updated, and we're currently working on upgrading our Redmine installers as well, which we hope to have finished in a few days.
It may be simpler to wait until our new installers are released, and then deploy the Redmine content into the newly-installed Redmine app. Rails has a lot of dependencies; upgrading it in-place is possible, but you will need to spend time tracing all of the dependencies.
Is there some way I can be notified when the updated Redmine installers are available?
@cgk The new Redmine installer is now available.
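Because each application carries its own Rails, as the answer above explains, the bundled version has to be checked per app. The following is an added example, not part of the original thread or of WebFaction's tooling; the layout it searches (unpacked `rails-x.y.z` gem directories, a `Gemfile.lock`), the function names and the sample version numbers are assumptions.

```ruby
require "find"
require "tmpdir"
require "fileutils"

# Rails versions bundled inside one application directory. Assumed layout
# (not from the page): a Gemfile.lock line "    rails (x.y.z)" and/or
# unpacked gem directories named "rails-x.y.z" somewhere under the app.
def bundled_rails_versions(app_dir)
  versions = []
  Find.find(app_dir) do |path|
    base = File.basename(path)
    if File.directory?(path) && base =~ /\Arails-(\d+(?:\.\d+)+)\z/
      versions << $1
      Find.prune                      # do not descend into the gem itself
    elsif base == "Gemfile.lock" && File.file?(path)
      File.foreach(path) { |l| versions << $1 if l =~ /\A {4}rails \((\d+(?:\.\d+)+)\)\s*\z/ }
    end
  end
  versions.uniq.sort_by { |v| Gem::Version.new(v) }
end

# minimum_by_series maps "major.minor" to the first fixed release of that
# series; take these values from the Rails security announcement.
def audit_webapps(root, minimum_by_series)
  report = {}
  Dir.children(root).sort.each do |name|
    app = File.join(root, name)
    next unless File.directory?(app)
    report[name] = bundled_rails_versions(app).map do |v|
      min = minimum_by_series[v.split(".").first(2).join(".")]
      status = if min.nil? then :unknown_series
               elsif Gem::Version.new(v) >= Gem::Version.new(min) then :ok
               else :outdated
               end
      [v, status]
    end
  end
  report.reject { |_, found| found.empty? }   # apps with no Rails are omitted
end

# Constructed sample tree with made-up version numbers (series 9.1 is fictional).
def build_sample_tree(root)
  FileUtils.mkdir_p(%w[redmine_a/gems/gems/rails-9.1.2 rails_b static_c].map { |p| File.join(root, p) })
  File.write(File.join(root, "rails_b", "Gemfile.lock"), "GEM\n  specs:\n    rails (9.1.5)\n      railties (= 9.1.5)\n")
  root
end

Dir.mktmpdir { |d| p audit_webapps(build_sample_tree(d), { "9.1" => "9.1.5" }) } if __FILE__ == $0
```

To use it on a real account, call `audit_webapps` with the directory that holds the applications and the fixed versions listed in the Rails announcement for each release series.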