Upgrade Blacklight #69

Open
rotated8 opened this issue Jul 14, 2022 · 1 comment
Comments

@rotated8 (Contributor)

All versions of Rails are affected by a remote code execution bug, CVE-2022-32224, affecting serialized YAML. There are no workarounds; Rails expects everyone to upgrade to safe versions: 7.0.3.1, 6.1.6.1, 6.0.5.1, or 5.2.8.1. These new versions of Rails appear to have caught the community off guard, and frequently require other code changes to successfully upgrade.

hydra-role-management does not call serialize itself, but Blacklight does. Blacklight version 7.28.0 supports the Rails versions above.

Community feedback to the Rails team has led to new tickets and pull requests to make this upgrade easier, and the consensus from the Hyrax Working Group and Tech calls this week is to wait a little while for the dust to settle before implementing this upgrade. The current versions of Ruby on Rails and Blacklight may not be the best to target for this work.
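The kind of change the patched Rails versions make to serialized YAML columns, shown as an added Ruby example rather than code from hydra-role-management, Blacklight or Rails: a minimal column coder that loads with `YAML.safe_load` and an allow-list of classes, beside the legacy unsafe path that instantiates any tagged object. `Widget`, `SafeYamlColumn`, the two sample documents and the helper functions are constructed for this example; the `permitted_classes` default of Symbol only mirrors the allow-list idea behind the `yaml_column_permitted_classes` setting in the fixed versions.

```ruby
require "yaml"

# Constructed stand-in for any application class that a YAML document
# could name in a !ruby/object tag.
class Widget
  attr_accessor :name
end

# Minimal stand-in for an Active Record serialized-column coder.
# With unsafe: false only plain data plus the allow-listed classes load;
# with unsafe: true the legacy behaviour (arbitrary objects) is kept.
class SafeYamlColumn
  def initialize(permitted_classes: [Symbol], unsafe: false)
    @permitted_classes = permitted_classes
    @unsafe = unsafe
  end

  def load(yaml)
    return nil if yaml.nil?
    if @unsafe
      # Psych 4 renamed the unsafe loader; older Psych's load is already unsafe.
      YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
    else
      YAML.safe_load(yaml, permitted_classes: @permitted_classes, aliases: true)
    end
  end

  def dump(obj)
    YAML.dump(obj)
  end
end

# Constructed sample column contents: a plain hash (the normal case)
# and a document carrying an object tag.
PLAIN_DOC  = "---\n:title: Report\ncount: 3\n"
TAGGED_DOC = "--- !ruby/object:Widget\nname: injected\n"

def load_plain
  SafeYamlColumn.new.load(PLAIN_DOC)
end

# Returns the loaded object's class name, or the name of the exception
# the safe coder raises when it refuses a class outside the allow-list.
def load_tagged(unsafe: false)
  SafeYamlColumn.new(unsafe: unsafe).load(TAGGED_DOC).class.name
rescue Psych::DisallowedClass => e
  e.class.name
end
```

The safe coder still round-trips ordinary hashes with symbol keys, but rejects the tagged document with `Psych::DisallowedClass` instead of building a `Widget`.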

@rotated8 (Contributor, Author)

Since Blacklight in the gemspec does not have a version attached, this ticket may not need work?

Projects: Status: Backlog