Skip to content

Remove Rails LTS versions#847

Merged
postmodern merged 1 commit intorubysec:masterfrom
rails-lts:noref-remove-lts-versions
Feb 17, 2025
Merged

Remove Rails LTS versions#847
postmodern merged 1 commit intorubysec:masterfrom
rails-lts:noref-remove-lts-versions

Conversation

@NiklasHae
Copy link
Contributor

@NiklasHae NiklasHae commented Feb 7, 2025

We (the Rails LTS team) noticed that some CVEs are marked as fixed by Rails LTS in the ruby-advisory-db. While we appreciate and are grateful for the effort, we would prefer not to list our commercial versions in the official database as fixed versions.

Currently, we do not have the capacity to actively monitor all versions listed in the ruby-advisory-db, verify their accuracy, and ensure correctness. Additionally, some fixes require extra context or additional information that may not be adequately reflected in the database. Most Rails LTS versions are a commercial offering, and we maintain a comprehensive list of all CVEs we have addressed—along with the necessary details—at https://makandracards.com/railslts/474590-list-cves-addressed-rails-lts. Every Rails LTS customer also receives a newsletter with updates and additional information for all patches.

We would prefer to keep our own documentation as the single source of truth for Rails LTS related fixes. Thank you for your understanding.

@NiklasHae
Remove Rails LTS versions
a0c88d8 
Please check https://makandracards.com/railslts/474590-list-cves-addressed-rails-lts for all CVEs addressed by Rails LTS and detailed information.
@postmodern
Copy link
Member

postmodern commented Feb 7, 2025

First, I will need some kind of confirmation that this is indeed Niklas Häusele speaking on behalf of Rails LTS / Makandra, and not some random GitHub account possibly posing as Niklas Häusele.

Second, the Rails LTS patched versions were added by PR #538. If we remove the Rails LTS specific patched versions, then bundle-audit will flag those Rails LTS versions as vulnerable even though they've had patches backported to them. The user would then need to create or update their .bunder-audit.yml file and add CVEs to it as ignored. We should probably make a note of this in the README.

postmodern
postmodern requested changes Feb 7, 2025
View reviewed changes
Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, but also needs a note added to the README instructing Rails LTS users to check the official Rails LTS CVE list, and to add those CVEs to their .bundler-audit.yml file under ignore:.

@jasnow
Copy link
Contributor

jasnow commented Feb 8, 2025

Monitoring PR and will make changes to my GHSA SYNC scripts after the merge.

@NiklasHae
Copy link
Contributor Author

NiklasHae commented Feb 17, 2025
edited
Loading

Thank you @postmodern for taking a look.

I sent you an email to your linked GitHub profile address regarding verification. I'll update the PR accordingly 👍

@postmodern postmodern merged commit 05ea8d8 into rubysec:master Feb 17, 2025
1 check passed
postmodern added a commit that referenced this pull request Feb 17, 2025
@postmodern
Add a note about Rails LTS versions (see PR #847).
eb74560
@postmodern
Copy link
Member

postmodern commented Feb 17, 2025

Added a note to the README in eb74560.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@postmodern postmodern postmodern approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@NiklasHae @postmodern @jasnow