ChiliProject 2.10.0 has just been released. This is a security release that fixes security issues in Rails (CVE-2013-0277) and the JSON gem (CVE-2013-0333, CVE-2013-0269), as well as an issue caused by MySQL’s handling of strings and numbers during value comparison.
This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.7.0. It is suitable for use on production websites running ChiliProject 2.x. Due to the severity of these issues, all ChiliProject administrators are urged to update their installation immediately.
2.10.0 contains security fixes for Rails (CVE-2013-0277) and the JSON gem (CVE-2013-0269), which are addressed by requiring updated versions of these dependencies in ChiliProject’s bundle. For details on the issues, please refer to the linked posts on the Ruby On Rails security mailing list.
In addition to these issues, we audited our own codebase for potential issues with the recently published MySQL quirks when comparing strings with numbers. When MySQL compares a string column with a numeric value, it converts the stored string to a number first (a string with no leading digits becomes 0), so a lookup that is performed with an integer instead of a string can match tokens it never should. We found some potential issues of this kind in our token handling code, which is used to authenticate users for some kinds of access, such as API keys and lost password tokens. Administrators who run ChiliProject on MySQL and have enabled the REST API, or have enabled the lost password feature (which is enabled by default), are potentially vulnerable and should upgrade immediately. Users running SQLite or PostgreSQL are not affected by this issue.
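To make the quirk concrete, here is an added Ruby example. It is not ChiliProject’s own code: it models MySQL’s implicit string-to-number conversion in plain Ruby so that it runs without a database, and places a token lookup that passes the request parameter through untouched beside one that insists on a String. The token rows and hex values are constructed for the example. The starting point is real: Rails’ JSON and XML parameter parsers yield typed values, so a request body of `{"key": 0}` arrives in `params[:key]` as the Integer 0, not the string "0".

```ruby
require 'json'

# Constructed sample rows standing in for a ChiliProject-style tokens table
# (random 40-character hex values); not real data.
SAMPLE_TOKENS = [
  { user_id: 1, action: "api",      value: "ac8f2e91b5d74c0e9a3f7b6c1d2e3f40a1b2c3d4" },
  { user_id: 2, action: "recovery", value: "3b7d2c0e5a1f9e8d7c6b5a4f3e2d1c0b9a8f7e6d" },
  { user_id: 3, action: "api",      value: "9f1e2d3c4b5a6978a0b1c2d3e4f5061728394a5b" },
]

# Simplified model of MySQL's implicit string-to-number conversion, as used
# when a string column is compared with a numeric value: the leading numeric
# prefix is taken, anything else counts as 0. (Assumption: ignores exponent
# notation, whitespace/sign corner cases and strict SQL modes.)
def mysql_numeric_value(str)
  m = str.match(/\A[-+]?\d+(\.\d+)?/)
  m ? m[0].to_f : 0.0
end

# Model of `SELECT * FROM tokens WHERE value = ?` on MySQL. A String bind
# compares the strings; a numeric bind makes MySQL convert the column first.
def mysql_tokens_where_value(rows, bind)
  case bind
  when String  then rows.select { |r| r[:value] == bind }
  when Numeric then rows.select { |r| mysql_numeric_value(r[:value]) == bind.to_f }
  else raise ArgumentError, "unsupported bind type #{bind.class}"
  end
end

# Vulnerable pattern: the request parameter goes straight into the lookup,
# whatever its type. With an Integer the query becomes `value = 0`.
def find_token_vulnerable(rows, key_param)
  mysql_tokens_where_value(rows, key_param).first
end

# Hardened pattern: refuse anything that is not a non-empty String before the
# value reaches the query, so a numeric comparison can never happen.
def find_token_hardened(rows, key_param)
  return nil unless key_param.is_a?(String) && !key_param.empty?
  mysql_tokens_where_value(rows, key_param).first
end

# An attacker who can submit typed parameters only has to try small integers:
# each one collapses onto every token whose hex value starts with that digit
# sequence (or with no digit at all, in the case of 0). Returns {int => user_id}.
def numeric_probe(rows, max = 9)
  (0..max).each_with_object({}) do |n, hits|
    t = find_token_vulnerable(rows, n)
    hits[n] = t[:user_id] if t
  end
end

if $PROGRAM_NAME == __FILE__
  key = JSON.parse('{"key": 0}')["key"]   # Integer 0, not the String "0"
  puts "vulnerable lookup with #{key.inspect}: #{find_token_vulnerable(SAMPLE_TOKENS, key).inspect}"
  puts "hardened lookup with #{key.inspect}:   #{find_token_hardened(SAMPLE_TOKENS, key).inspect}"
  puts "integers that hit a token: #{numeric_probe(SAMPLE_TOKENS).inspect}"
end
```

Because hex tokens mostly begin with a letter or a single digit before the first letter, a handful of integers is enough to collide with nearly every row, which is why the lookup, not the token length, has to be fixed. PostgreSQL and SQLite do not perform this conversion, which matches the statement above that only MySQL installations are affected.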
The corresponding ChiliProject bugs are:
- Bug #1233: Bump rails to 2.3.17 to address [CVE-2013-0276]
- Security – Bug #1234: Potential vulnerability in token authentication when running on MySQL
How to upgrade
Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new versions of Rails and the JSON gem. If you omit this step, you will receive an error message instructing you to update the bundle, and ChiliProject will refuse to start.