Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)

Created by: zombified

I'm not terribly familiar with Ruby/Rails, so I have a few questions for those that are more knowledgeable:

1. Does this CVE affect the current stable version (4.0) of Gitlab?
2. If it does affect the version, how can it be patched (or the ruby/rails version updated) until an official fix is in place?

Here's the notice: https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion

Thank you for your help!

Created by: riyad

@randx @vsizov we should update Rails to 3.2.11 and ship GitLab 4.0.1

By Administrator on 2013-01-09T15:37:52 (imported from GitLab)

Created by: vsizov

we have many changes for now. Maybe we should create branch based on 4.0.0 and create corresponding tag?!

By Administrator on 2013-01-09T16:14:42 (imported from GitLab)

Created by: riyad

@vsizov we already have a 4-0-stable branch. We may need to backport some fixes from master and then ship it. Especially because of the above vulnerability.

By Administrator on 2013-01-09T16:22:52 (imported from GitLab)

Created by: zombified

You've probably already seen it, but I also felt I should mention that the fix seems to introduce another issue: https://github.com/rails/rails/issues/8832

Would this affect Gitlab at all?

By Administrator on 2013-01-09T17:13:21 (imported from GitLab)

Created by: dvanduzer

Updating Rails to 3.2.11 doesn't trip any of the automatic tests to fail, but that doesn't necessarily guarantee https://github.com/rails/rails/issues/8832 isn't problematic.

Works For Me™ as well as the test suite.

By Administrator on 2013-01-09T18:07:24 (imported from GitLab)