Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport security fixes for 1.x-stable #2752

Closed

Conversation

mbie
Copy link

@mbie mbie commented Aug 29, 2024

There are two security vulnerabilities (GHSA-vfmv-jfc5-pjjw and GHSA-gxhx-g4fq-49hj) which were resolved for 2.x and 3.x versions. They have not been addressed in 1.x branch.

I'm aware that using 1.x should not happening anymore, but in our case migration to 3.0 is a painful way which will take time. This backport would allow us to resolve the security vulnerabilities from our systems.

mbie added 2 commits August 29, 2024 11:34
This is just a backport from carrierwaveuploader@25b1c80
to resolve security vulnerability on 1.3.x branch.

Please note that we cannot use exactly the same fix as in the upstream,
as 1.3 does not use Marcel.
@mbie
Copy link
Author

mbie commented Aug 29, 2024

@mshibuya Does the CI pipline work for 1.x-stable? I see random failures there not related to the changes.

Please let me know what do you think about the PR anyway.

@mshibuya
Copy link
Member

mshibuya commented Sep 1, 2024

Yeah it'll take a real effort to make it functional again. I want to avoid the maintenance work if possible...

What's the blocker for 3.0 upgrade?

@mbie
Copy link
Author

mbie commented Sep 1, 2024

Thanks for the reply.

In our case it is just matter of huge codebase and a lot of monkey patches. Nothing that we cannot adjust to 3.x but it will take more time.

We will do it anyway in long term, but we thought of having simple and quick alternative short-term solution.

If the backport for 1.x is indeed not quick, we will focus on the upgrade to 3.

@mbie mbie closed this Sep 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants