Gitorious 2.4.5 has been released

Gitorious 2.4.5 has just been released, and all Gitorious servers should be updated immediately. This release brings Gitorious up to Rails version 2.3.15, which solves a severe vulnerability in Ruby on Rails. There’s more information about this vulnerability on the Ruby on Rails security mailing list.

To upgrade to this version, follow whichever of the three alternatives below matches your installation:

If you’re running from a release in the 2.4 branch of Gitorious:

To upgrade a server running one of the releases in the 2.4 series of Gitorious, follow these steps:

  • git fetch origin
  • git merge v2.4.5
  • bundle install
  • touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running from the next branch of Gitorious (Rails 3):

The next branch of Gitorious has also been upgraded. For servers running from the next branch you should:

  • git pull git://gitorious.org/gitorious/mainline.git next
  • bundle install
  • restart your application server

If you’re running neither of the versions above:

If your server is not running from a version that can be upgraded, you can secure your server by following these manual steps:

  • create the file config/initializers/fix_cve_2013_0156.rb inside your Gitorious installation with this content:

        ActionController::Base.param_parsers.delete(Mime::XML)
  • restart your application server
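All three paths above end in the same state: either Rails is at a version that no longer has the parsing flaw, or the XML parameter parser has been removed from ActionController. The following is an added example, not code from the Gitorious post or project: a small Ruby script an administrator can run against a checkout to confirm that one of those two conditions holds, by reading the locked Rails version out of Gemfile.lock and looking for the initializer line quoted above. The post only names 2.3.15 as the fixed version; the Rails 3 fixed versions (3.0.19, 3.1.10, 3.2.11) are assumed from the Rails security announcement for CVE-2013-0156, and the Gemfile.lock and initializer contents below are constructed samples.

```ruby
require "rubygems" # Gem::Version for correct version comparison

# Fixed Rails versions for CVE-2013-0156. The post names 2.3.15; the Rails 3
# entries are assumed from the Rails security announcement.
FIXED_RAILS = {
  "2.3" => Gem::Version.new("2.3.15"),
  "3.0" => Gem::Version.new("3.0.19"),
  "3.1" => Gem::Version.new("3.1.10"),
  "3.2" => Gem::Version.new("3.2.11"),
}.freeze

# Pull the rails gem version out of a Gemfile.lock body. The spec line looks
# like "    rails (2.3.14)"; dependency lines such as "rails (= 2.3.14)" and
# the separate "railties (...)" gem do not match this pattern.
def rails_version_from_lock(lock_text)
  m = lock_text.match(/^\s+rails \((\d+\.\d+\.\d+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# True when the locked Rails version is at or above the fixed version for its
# minor series. A missing version or an unknown series counts as not fixed.
def rails_fixed?(version)
  return false if version.nil?
  series = version.segments[0, 2].join(".")
  fixed = FIXED_RAILS[series]
  !fixed.nil? && version >= fixed
end

# True when the initializer really removes the XML param parser. Anything
# after a "#" is dropped first so a commented-out line does not count.
def xml_parser_disabled?(initializer_text)
  initializer_text.each_line.any? do |line|
    code = line.sub(/#.*$/, "")
    code.match?(/ActionController::Base\.param_parsers\.delete\(\s*Mime::XML\s*\)/)
  end
end

# An installation is protected if either the Rails upgrade or the manual
# initializer is in place.
def protected_against_cve_2013_0156?(lock_text, initializer_text)
  rails_fixed?(rails_version_from_lock(lock_text)) ||
    xml_parser_disabled?(initializer_text.to_s)
end

# Constructed sample inputs standing in for real files in a checkout.
UNPATCHED_LOCK = <<~LOCK
  GEM
    remote: http://rubygems.org/
    specs:
      rails (2.3.14)
        actionmailer (= 2.3.14)
        railties (= 2.3.14)

  DEPENDENCIES
    rails (= 2.3.14)
LOCK

PATCHED_LOCK = UNPATCHED_LOCK.gsub("2.3.14", "2.3.15")

MANUAL_FIX = <<~RB
  # manual mitigation from the Gitorious announcement
  ActionController::Base.param_parsers.delete(Mime::XML)
RB

# Human-readable summary for one checkout's files.
def report(label, lock_text, initializer_text)
  version = rails_version_from_lock(lock_text)
  status = protected_against_cve_2013_0156?(lock_text, initializer_text) ? "protected" : "VULNERABLE"
  "#{label}: rails #{version || 'unknown'}, initializer #{xml_parser_disabled?(initializer_text.to_s) ? 'present' : 'absent'} => #{status}"
end

if $PROGRAM_NAME == __FILE__
  puts report("unpatched, no initializer", UNPATCHED_LOCK, "")
  puts report("unpatched, manual fix", UNPATCHED_LOCK, MANUAL_FIX)
  puts report("upgraded to 2.3.15", PATCHED_LOCK, "")
end
```

In a real deployment the two arguments would be `File.read("Gemfile.lock")` and `File.read("config/initializers/fix_cve_2013_0156.rb")` (or an empty string when the file does not exist); the check deliberately treats any Rails series it does not know about as unpatched rather than guessing.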

2 Comments

  1. eviljoel
    Posted January 11, 2013 at 12:39 pm | Permalink

    Does this version address both CVE-2013-0155 and CVE-2013-0156, or just CVE-2013-0155 (the one you linked to)? Thank you.

  2. Marius Mathiesen
    Posted January 11, 2013 at 1:39 pm | Permalink

    @eviljoel: Both. 0155 is a Rails3-only vulnerability which is handled by the Rails update.

    This means that the manual patch suggested is irrelevant, as that applies to Rails 3 only.

