ChiliProject 3.7.0 has just been released. This release is a security release to fix security issues in Rails (CVE-2013-0277), the JSON gem (CVE-2013-0333, CVE-2013-0269) and with MySQL’s handling of strings and numbers during value comparison.
This release contains no new features and 1 other bug fix for the last tag in the Liquid template language. It is suitable for use on production websites running ChiliProject 3.x. Due to the severity of these issues, all ChiliProject administrators are urged to update their installation immediately.
Users of the old 2.x release branch, please check the ChiliProject 2.10.0 release which includes the security fixes. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive any updates.
3.7.0 contains security fixes for Rails (CVE-2013-0277) and the JSON gem (CVE-2013-0269) which are handled by enforcing updated versions of these dependencies to ChiliProject. For details on the issues, please refer to the linked posts on the Ruby On Rails security mailing list.
In addition to these issues, we audited our own codebase for potential issues with the recently published MySQL quirks when comparing strings with numbers. We found some potential issues in our token handling code, which is used to authenticate users in some access variants. Especially administrators who run ChiliProject on MySQL and have enabled the REST API, or have enabled the lost password feature (which is enabled by default), are potentially vulnerable and should upgrade immediately. Users running SQLite or PostgreSQL are not affected by this issue.
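As an added illustration (not ChiliProject's own code), the following Ruby shows why a token lookup is fragile under MySQL's string/number comparison and what the defensive check looks like: the `mysql_loose_equal?` helper is a simplified model of MySQL's implicit cast, and the token table and 40-hex-character token format are constructed assumptions.

```ruby
# Simplified model of MySQL's implicit cast when a VARCHAR column is compared
# with an integer literal: the string is converted using its leading numeric
# prefix, and a string with no numeric prefix becomes 0.
# (Assumption: this reproduces enough of MySQL's semantics for the illustration.)
def mysql_loose_equal?(column_value, literal)
  return column_value == literal if literal.is_a?(String)
  numeric_prefix = column_value[/\A\s*[+-]?\d+(\.\d+)?/]
  (numeric_prefix ? numeric_prefix.to_f : 0.0) == literal.to_f
end

# Constructed sample token table (values are made up).
TOKENS = [
  { value: "a3f9c2d7e1b4a5c6d7e8f9a0b1c2d3e4f5a6b7c8", user_id: 1, action: "api" },
  { value: "7c1e2d3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d", user_id: 2, action: "recovery" },
].freeze

# Emulates `SELECT * FROM tokens WHERE value = <param>` evaluated by MySQL.
# If <param> arrives as an Integer (e.g. from parsed XML/JSON request bodies),
# rows whose token has no numeric prefix compare equal to 0.
def find_token_unchecked(param)
  TOKENS.select { |t| mysql_loose_equal?(t[:value], param) }
end

TOKEN_FORMAT = /\A[0-9a-f]{40}\z/

# Defensive lookup: reject anything that is not a String in the expected
# shape before it reaches the database, so no implicit cast can occur.
def find_token_checked(param)
  return [] unless param.is_a?(String) && param.match?(TOKEN_FORMAT)
  TOKENS.select { |t| t[:value] == param }
end
```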
The corresponding ChiliProject bugs are:
- Bug #1233: Bump rails to 2.3.17 to address [CVE-2013-0276]
- Security – Bug #1234: Potential vulnerability in token authentication when running on MySQL
How to upgrade
Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails and the JSON gem. If you omit this step, you will receive an error message instructing you to update the bundle, and ChiliProject will refuse to start.