phusion / passenger-docker

Docker base images for Ruby, Python, Node.js and Meteor web apps
MIT License

Ruby 3.0.2, 2.7.4, and 2.6.8 are security releases that fix 3 CVEs #315

Closed pboling closed 3 years ago

pboling commented 3 years ago

They were released on July 7, 2021.

These do not seem to be included in the relevant docker images @ latest, despite recent updates to them.

https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/

The 3 fixed CVEs:
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/

Upgrading is important!

CamJN commented 3 years ago

You're free to open a PR

pboling commented 3 years ago

I am able to, but I won't. Mostly because it doesn't seem that the @phusion team cares, or understands how this project is used. As a result I am working on switching to puma.

I don't recommend anyone depend on this project in production deployments, even though that is still currently my setup.

Because of ☝️ I also don't recommend anyone use Passenger. Is it a commercial product or not? Does security matter or not?

I have upgraded my deployments to the latest patch, in spite of this issue (#315), and figuring out how to do that took a few hours over 9 days during which I had a family reunion, my wedding anniversary, my mother's birthday, and my sister's birthday, and multiple flights and hotels.

I don't have time to crack open this code base. I don't have time to be vulnerable to CVEs.

bkmgit commented 3 years ago

@pboling Thanks for pointing these out. It is very nice for the phusion team to release open source products that the community can contribute to. They also have a channel for reporting security problems/suggestions: https://www.phusionpassenger.com/contact. For critical deployments, support plans are available: https://www.phusionpassenger.com/support

pboling commented 3 years ago

It isn't nice.

It is detrimental to the community:

  1. It leaves people exposed to risks. Particularly small organizations, non-profits, SMEs, NGOs, etc.; they often rely on open source to help them accomplish their goals, and when "corporate" open source backed tools like this turn their back on popular projects like this (all the while using it for clout, thousands of stars, and one of only three pinned repositories), it can do real damage to organizations that get hacked thanks to unpatched CVEs. Not only are the organizations exposed but everyone who uses their services is put at risk.
  2. This is an argument against using open source, not in favor of it.
  3. Organizations that are trying to follow best practices, utilizing gitops and dependency upgrade automation, will be forced to choose between: a) deprioritizing the CVE fixes and waiting, potentially months, for Phusion to make a move, or b) figuring out how to work around this on their own, or in a fork, reinventing the wheel many times over. I frequently review the network tabs of open source projects and delayed dependency updates upstream are often replicated fixes across dozens of forks.
  4. This is a particularly disturbing pattern with this particular repository. Last time, months passed with no action on an open PR that someone from the community did put time into, to upgrade to a CVE-patched Ruby: https://github.com/phusion/passenger-docker/issues/311#issuecomment-833791191

bkmgit commented 3 years ago

Open source does require careful use, but unpatched CVEs are also possible in closed source code. With open source, more people have a chance to check. If many people are open to risk, then maybe some amount of public funds should be set aside for maintaining and updating essential projects instead of purchasing proprietary code. There has been an attempt at this, https://fsfe.org/news/2014/news-20141219-01.en.html, but more is needed. Bug bounties enable finding the CVEs you referenced in Ruby, which is open.

I have made a pull request (https://github.com/phusion/passenger-docker/pull/316). To help grow the maintaining community, a review would be helpful!

Best practices usually vary from situation to situation. Fast forced upgrades can lead to things being broken as well, so testing can be required before wide deployment. It is helpful if users contribute to this.

Searching on forks is a good idea. Maybe one can integrate this into some repository health status?

pboling commented 3 years ago

The latest release (phusion/passenger-ruby27:1.0.17) is not working for me. I get this error:

Your Ruby version is 2.7.3, but your Gemfile specified 2.7.4 (Bundler::RubyVersionMismatch)

I'll see if I can figure it out.

CC @bkmgit @CamJN

CamJN commented 3 years ago

Some ruby install scripts were left behind with the old versions, I'll make a new release to fix this.

pboling commented 3 years ago

FWIW, the complete workaround is:

FROM phusion/passenger-ruby27:1.0.17 as bundle

SHELL [ "/bin/bash", "-l", "-c" ]
RUN source /usr/local/rvm/scripts/rvm
RUN rvm install "ruby-2.7.4"
RUN rvm --default use "ruby-2.7.4"
ENV RACK_ENV=production
...
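The two failure modes in this thread (an image still shipping Ruby 2.7.3 while the Gemfile pins 2.7.4, and a release whose Ruby install script went missing) are both caught by checking the running Ruby against the patched release for its series before the image is promoted. The following is an added example written for this page; it is not code from passenger-docker and not the workaround above. The minimum-version table is assumed from the three July 7, 2021 releases linked at the top of the issue, and the Gemfile text is a constructed sample.

```ruby
require "rubygems" # provides Gem::Version

# Minimum patched release per minor series, taken from the three
# security releases named in this issue (assumption: nothing newer).
PATCHED_MINIMUM = {
  "3.0" => Gem::Version.new("3.0.2"),
  "2.7" => Gem::Version.new("2.7.4"),
  "2.6" => Gem::Version.new("2.6.8"),
}.freeze

# Constructed sample Gemfile fragment, like the one that produced the
# Bundler::RubyVersionMismatch error quoted in the thread.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  ruby "2.7.4"
  gem "rails"
GEMFILE

# Classify a Ruby version string (RUBY_VERSION, or the output of
# `ruby -e 'print RUBY_VERSION'` run inside a candidate image).
# Returns :ok, :outdated, :unknown_series, or :invalid.
def ruby_patch_status(version_string)
  version = Gem::Version.new(version_string)
  series = version.segments.first(2).join(".")
  minimum = PATCHED_MINIMUM[series]
  return :unknown_series unless minimum
  version >= minimum ? :ok : :outdated
rescue ArgumentError
  # Gem::Version rejects malformed strings such as "garbage".
  :invalid
end

# Pull the `ruby "x.y.z"` directive out of Gemfile text, or nil if absent.
def gemfile_ruby_requirement(gemfile_text)
  match = gemfile_text.match(/^\s*ruby\s+["']([^"']+)["']/)
  match && match[1]
end

# True when the runtime matches the Gemfile pin exactly (Bundler's check),
# or when the Gemfile does not pin a Ruby version at all.
def ruby_matches_gemfile?(runtime_version, gemfile_text)
  required = gemfile_ruby_requirement(gemfile_text)
  return true if required.nil?
  Gem::Version.new(runtime_version) == Gem::Version.new(required)
end

# Combined gate for a CI step: fail unless the image Ruby is both patched
# and the version the application's Gemfile expects.
def image_ruby_acceptable?(runtime_version, gemfile_text)
  ruby_patch_status(runtime_version) == :ok &&
    ruby_matches_gemfile?(runtime_version, gemfile_text)
end

if $PROGRAM_NAME == __FILE__
  puts "#{RUBY_VERSION}: #{ruby_patch_status(RUBY_VERSION)}"
  puts "matches sample Gemfile: #{ruby_matches_gemfile?(RUBY_VERSION, SAMPLE_GEMFILE)}"
end
```

Run inside the image under test (`docker run --rm <image> ruby check.rb`) and fail the pipeline on anything other than `:ok`; the `:unknown_series` result is deliberately not treated as a pass so that an image on a series the table does not cover is reviewed rather than silently accepted.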

CamJN commented 3 years ago

OK, new release rolling out starting now; it will take some time to finish.

ledermann commented 3 years ago

Just tried 1.0.18 to use Ruby 3.0.2, but I got this error message:

Required ruby-3.0.2 is not installed.

It seems that image/ruby-3.0.2.sh was deleted by mistake in 34d19e961c997c896c49e34c425747a7ba47fccf

CamJN commented 3 years ago

ugh, yup

ledermann commented 3 years ago

Thanks, @CamJN. With 1.0.19, using Ruby 3.0.2 works fine for me.