Month: January 2013

ChiliProject 3.6.0 released: Important Security Update!

ChiliProject 3.6.0 has just been released. This release is a security release to fix a severe security issue in Rails (CVE-2013-0333) which allows attackers to inject and execute arbitrary code on the server hosting ChiliProject. This bug was fixed in Rails 2.3.16, which is included in this release of ChiliProject.

This release contains 1 other bug fix and no new features. It is suitable for use on production websites running ChiliProject 3.x and we highly recommend that all users of ChiliProject download and install the security release immediately.

Users of the old 2.x release branch, please check the ChiliProject 2.9.0 release which includes the security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.6.0

What’s included

3.6.0 contains 1 security fix for Rails and 1 bug fix. To quote the impact section from the announcement to the Rails security list:

The JSON parsing code in Rails 2.3 and 3.0 supports multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML.

All users running an affected application should upgrade or use the workaround immediately.

The corresponding ChiliProject bugs are:

  • Bug #1216: “Only for things I watch or I’m involved in” sends notifications only for issues
  • Security – Bug #1219: Vulnerability in JSON Parser in Ruby on Rails (CVE-2013-0333)

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle, and ChiliProject will refuse to start.

ChiliProject 2.9.0 released: Important Security Update!

ChiliProject 2.9.0 has just been released. This release is a security release to fix a severe security issue in Rails (CVE-2013-0333) which allows attackers to inject and execute arbitrary code on the server hosting ChiliProject. This bug was fixed in Rails 2.3.16, which is included in this release of ChiliProject.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.6.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.

Download ChiliProject 2.9.0

What’s included

2.9.0 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

The JSON parsing code in Rails 2.3 and 3.0 supports multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML.

All users running an affected application should upgrade or use the workaround immediately.

The corresponding ChiliProject bugs are:

  • Security – Bug #1219: Vulnerability in JSON Parser in Ruby on Rails (CVE-2013-0333)

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle, and ChiliProject will refuse to start.

ChiliProject 3.5.1 released: Security Release

ChiliProject 3.5.1 has just been released. This release is a security release to fix a security issue in Rails (CVE-2013-0155) which allows attackers to issue unexpected database queries with IS NULL or empty WHERE clauses. The vulnerability does not allow attackers to insert arbitrary values into an SQL query.

Additional details are available in the updated advisory of the Rails project.

This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we recommend that all users of ChiliProject download and install the security release as soon as possible.

Users of the old 2.x release branch, please check the ChiliProject 2.8.1 release which includes the security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.5.1

What’s included

3.5.1 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it.

All users running an affected release should either upgrade or use one of the workarounds immediately. All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2660 and CVE-2012-2694. Even if you upgraded to address those issues, you must take action again.

The corresponding ChiliProject bug is:

  • Security – Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)

How to upgrade

Please follow the Upgrade Guide in our Wiki.

ChiliProject 2.8.1 released: Security Release

ChiliProject 2.8.1 has just been released. This release is a security release to fix a security issue in Rails (CVE-2013-0155) which allows attackers to issue unexpected database queries with IS NULL or empty WHERE clauses. The vulnerability does not allow attackers to insert arbitrary values into an SQL query.

Additional details are available in the updated advisory of the Rails project.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.5.1. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release as soon as possible. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 2.8.1

What’s included

2.8.1 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it.

All users running an affected release should either upgrade or use one of the workarounds immediately. All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2660 and CVE-2012-2694. Even if you upgraded to address those issues, you must take action again.

The corresponding ChiliProject bug is:

  • Security – Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)

How to upgrade

Please follow the Upgrade Guide in our Wiki.

Going forward: focus

In addition to our already discussed attempt to broaden our community reach and communication, we want to bring more focus to our code and development processes. The current development team is too small to properly take care of the whole codebase of ChiliProject with all its different functions and dependencies, correct bugs, implement new features and follow the development of Ruby and Ruby on Rails all at the same time. To alleviate these problems, we’re going to focus our development on one topic or part of the ChiliProject codebase at a time, during which other things will see less or no development. We will also focus the ChiliProject codebase itself on its core functions. This will mean some hardships and probably controversial decisions in the future, but this should also lead to a cleanup of the codebase and make it more lean, lowering the barrier of entry for new developers.

Focusing the ChiliProject codebase means replacing current code with tried and tested libraries that offer the same or similar functionality. This will obviously lead to less code that the ChiliProject team has to take care of and, in most cases, to the use of better and better tested code than what is currently used in ChiliProject. One example is user authentication: ChiliProject currently supports authentication against the ChiliProject database or against LDAP, and keeping up with current security best practices is hard. Switching to a library like OmniAuth or Devise would not only take the authentication concern out of ChiliProject, but also open the way to more authentication backends (CAS, OAuth, …). Focusing the ChiliProject codebase also means spinning out code currently part of the ChiliProject core into independent libraries or plugins.

Focusing our development means choosing one area of work or major feature per release that we will work on. During that time we will only take care of bug fixes in other areas. Furthermore, we will discontinue support for certain features we don’t feel we have enough expertise to develop. A prime candidate for discontinuation is the CVS adapter: we don’t have any experience with CVS and hopefully nobody uses it anymore. Lastly, we will try using external services to manage some parts of ChiliProject for which manual maintenance is tedious and time-consuming. The first such part will probably be the management of the translations for ChiliProject.

I will write again about the proposed changes and deprecations for ChiliProject 4 in a few days; anyone wanting to get involved in the process can read and participate in the “focus” thread and subscribe to the chiliproject-devel mailing list.

ChiliProject 3.5.0 released: Important Security Update!

ChiliProject 3.5.0 has just been released. This release is a security release to fix a severe security issue in Rails (CVE-2013-0156) which allows attackers to inject and execute arbitrary code on the server hosting ChiliProject. This bug was fixed in Rails 2.3.15, which is included in this release of ChiliProject.

This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we highly recommend that all users of ChiliProject download and install the security release immediately.

Users of the old 2.x release branch, please check the ChiliProject 2.8.0 release which includes the security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.5.0

What’s included

3.5.0 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds immediately.

The corresponding ChiliProject bug is:

  • Security – Bug #1200: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)

This was also reported as Bug #1201 by Roger Hunwicks, thanks for that!

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle, and ChiliProject will refuse to start.

ChiliProject 2.8.0 released: Important Security Update!

ChiliProject 2.8.0 has just been released. This release is a security release to fix a severe security issue in Rails (CVE-2013-0156) which allows attackers to inject and execute arbitrary code on the server hosting ChiliProject. This bug was fixed in Rails 2.3.15, which is included in this release of ChiliProject.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.5.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.

Download ChiliProject 2.8.0

What’s included

2.8.0 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds immediately.

The corresponding ChiliProject bug is:

  • Security – Bug #1200: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)

This was also reported as Bug #1201 by Roger Hunwicks, thanks for that!

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle, and ChiliProject will refuse to start.
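The upgrade instructions for 3.6.0, 2.9.0, 3.5.0 and 2.8.0 above all hinge on the same step: after bundle update, the Rails pinned in Gemfile.lock must be at least the release that carries the fix (2.3.15 for CVE-2013-0156, 2.3.16 for CVE-2013-0333, as the announcements state). The following script is an added example, not part of ChiliProject or of these posts, that reads a Bundler lockfile and reports which of those two fixes the locked Rails version covers. It assumes the standard Gemfile.lock layout (resolved gems listed under "specs:" with four-space indentation) and uses a constructed sample lockfile; the helper names are my own.

```ruby
# Added example: check the Rails version locked in a Gemfile.lock against the
# Rails 2.3.x releases the announcements name as containing each fix.
# Not ChiliProject's own code. Assumes a standard Bundler lockfile layout.
require 'rubygems'

# Minimum Rails 2.3.x release per fix, as stated in the release announcements.
FIXED_IN = {
  'CVE-2013-0156' => Gem::Version.new('2.3.15'),
  'CVE-2013-0333' => Gem::Version.new('2.3.16'),
}.freeze

# Return the version string Bundler resolved for `gem_name`, or nil if absent.
# In a lockfile, resolved gems sit under a "specs:" line indented by four spaces
# as "name (version)"; their own dependencies are indented by six and are skipped.
def locked_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /^  specs:$/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line =~ /^\S/ # a new top-level section ends specs
    next unless in_specs
    if (m = line.match(/^    #{Regexp.escape(gem_name)} \(([^)]+)\)$/))
      return m[1]
    end
  end
  nil
end

# Map each CVE to true when the locked Rails is at or above the fixed release.
# A lockfile without a rails entry is treated as not covering any fix.
def rails_fix_status(lockfile_text)
  version = locked_version(lockfile_text, 'rails')
  return FIXED_IN.keys.map { |cve| [cve, false] }.to_h if version.nil?
  current = Gem::Version.new(version)
  FIXED_IN.map { |cve, minimum| [cve, current >= minimum] }.to_h
end

# Constructed sample lockfile (not from a real ChiliProject install): a deployment
# that picked up 2.3.15 but was never bundled again for the 2.3.16 fix.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.1.3)
      rails (2.3.15)
        actionmailer (= 2.3.15)
        rake (>= 0.8.3)
      rake (10.0.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 2.3.15)
LOCK

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts "rails locked at: #{locked_version(text, 'rails') || 'not found'}"
  rails_fix_status(text).each do |cve, ok|
    puts "#{cve}: #{ok ? 'fixed version present' : 'NOT covered, run bundle update'}"
  end
end
```

Run it with the path to a deployment's Gemfile.lock as the only argument; without an argument it checks the constructed sample, which reports CVE-2013-0156 as covered and CVE-2013-0333 as not. The comparison uses Gem::Version so that a later 2.3.x (or any later Rails) is accepted, while a plain string comparison would misorder versions such as 2.3.9 and 2.3.15.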

ChiliProject 2.7.4 released

ChiliProject 2.7.4 has just been released. This release is a security release to fix two XSS vulnerabilities (CVE-2012-3464, CVE-2012-3465) and a SQL injection vulnerability (CVE-2012-5664) in Rails. All these bugs were fixed in Rails; we have included the fixes from Rails or backported them to the version of Rails ChiliProject uses right now.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.4.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.

Download ChiliProject 2.7.4

What’s included

2.7.4 includes three security fixes which were backported from ChiliProject 3.4.0.

  • Security – Bug #1113: Potential XSS Vulnerability in Ruby on Rails
  • Security – Bug #1114: XSS Vulnerability in strip_tags
  • Security – Bug #1195: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 2.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 3.4.0.

ChiliProject 3.4.0 released

ChiliProject 3.4.0 has just been released. It includes lots of bug fixes for ChiliProject 3.3.0 as well as 3 security fixes. It is suitable for use on production websites and we highly recommend that all users download the release as soon as possible.

Download ChiliProject 3.4.0

What’s included

3.4.0 includes 3 security fixes for Rails as well as 11 bug fixes for 3.3.0. The security fixes address two XSS vulnerabilities (CVE-2012-3464, CVE-2012-3465) and a SQL injection vulnerability (CVE-2012-5664) in Rails.

The full list of changes:

  • Bug #904: Copy workflow doesn’t work on per-author / per-assigned modifier
  • Bug #1087: Document category is not saved properly
  • Bug #1090: List of saved queries is not accessible outside of a project
  • Bug #1111: use a monospace font in wiki-text
  • Security – Bug #1113: Potential XSS Vulnerability in Ruby on Rails
  • Security – Bug #1114: XSS Vulnerability in strip_tags
  • Bug #1118: Missing caption in file redmine.rb
  • Bug #1134: HEAD is not considered a read-only method in Redmine.pm
  • Bug #1142: Darcs repository adapter doesn’t work with newer versions (~2.5) of Darcs
  • Bug #1144: configuration.yml.example is broken
  • Bug #1188: Selecting “Current project and its subprojects” isn’t saving.
  • Bug #1194: Problems migrating from chili 2.0.0 to 3.3.0
  • Security – Bug #1195: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)
  • Bug #1197: Links to new and existing Pages in chili wikis have the same color. Thats boring.
  • Task #1192: Add a CONTRIBUTION document

Contributors to 3.4.0

  • Alf Gaida
  • Carlos Moreira
  • Felix Schäfer
  • Holger Just
  • Jean-Philippe Lang
  • Toshi MARUYAMA

Going forward: get involved!

After the dry spell we went through in the last few months, the ChiliProject Team wants to get things going again. We still want to get more people involved in ChiliProject and are looking for ways for the Team to communicate outwards, but also for the Community as a whole to communicate better. We’re also going to put more focus on the technology and code work, which will mean some hard-to-make decisions and harsh cuts, but we think those will help us make better progress now and make things easier later.

On the community side of things, we’re going to try having a development and a general mailing list. This might sound like an old idea, but it is one we’ve been discussing on and off since the beginnings of ChiliProject. The biggest concern was that it would split discussions even further than they already are, but the fact is we don’t have correctly functioning discussions at all at the moment. You can find more arguments in the ChiliProject forums. Anyone interested in discussing anything ChiliProject, or just following what we’re discussing, can get on the chiliproject-devel Google Group. There’s only one list for the moment; should things get too crowded there, we’ll open more as needed.

On the code side of things, one thing we learnt the hard way was that we’re too few people for too much work and too many goals. One of our top priorities was trying to decruft the codebase, but we’ve been held back, amongst other things, by concerns about compatibility (backward, with Redmine, with plugins and so on) and by not dropping features even if we don’t think they’re central to ChiliProject. All those things have cost us a lot of time and energy, and we don’t think we can afford that anymore. Current candidates for legacy we’d like to shed are the Darcs adapter and the old Rails 2.3 Engines currently used for ChiliProject plugins, but more on that in an upcoming post.

So those are the things currently on the minds of the ChiliProject Team. If you want to get involved, want to yell at us, tell us that we are wrong or just want to read more about where ChiliProject is headed, sign up to the chiliproject-devel Google Group and chat with us.