
Deployed Ruby 2.3(.6) has security vulnerabilities #359

Open
thbar opened this issue Sep 3, 2018 · 5 comments

Comments

@thbar

thbar commented Sep 3, 2018

In March this year, Ruby 2.3.7 was released, with multiple vulnerability fixes (see here for complete release notes).

If I'm not mistaken, EY instances using Ruby 2.3.x are still on 2.3.6, based on this source code and on ruby -v on a machine I manage.

Ruby 2.3 EOL is still in the future (2019-03-31) and officially supported by EY, so would you welcome a PR to bump Ruby version as well as Rubygems for 2.3?

Thanks!

@thbar
Author

thbar commented Sep 3, 2018

(PS: I realise that creating a PR is not the only work you have to do, since you have QA testing etc, so I want to ask first how this may work!)

@thbar
Author

thbar commented Sep 18, 2018

Can anyone provide some feedback on this? cc @dvalfre maybe?

If I understand well, this also applies to 2.4 (EY is on 2.4.3, but 2.4.4 has security fixes as well).

Thanks!

@dvalfre
Contributor

dvalfre commented Sep 18, 2018

@thbar the packages are there for 2.3.7 and 2.4.4, just run eix dev-lang/ruby. Having said that, the recipes need to be updated. In the meantime, you can overlay the specific file using the approach here.
@jfuechsl @DalianisDim we'll need to put together a PR for updating the default versions, it seems.
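The thread turns on a gap between the package that is available on the host and the version the stack recipe actually installs, which is only visible by inspecting `ruby -v` on a running instance. The script below is an added example, not code from the Engine Yard repository or from any commenter: it parses a `ruby -v` line, maps the minor series to the minimum patched release the thread names (2.3.7 and 2.4.4), and reports whether the deployed interpreter is older than that. The sample `ruby -v` lines are constructed in the shape that `ruby -v` prints; the minimum table is a hypothetical helper keyed on the releases discussed above, not a feed of Ruby advisories.

```shell
#!/bin/sh
# Added example: check whether a deployed Ruby is below the patched
# release for its minor series. Not part of the EY stack recipes.

# Hypothetical table of minimum patched releases per series, taken from
# the versions named in this thread (2.3.7 for 2.3, 2.4.4 for 2.4).
minimum_for_series() {
  case "$1" in
    2.3) echo "2.3.7" ;;
    2.4) echo "2.4.4" ;;
    *)   echo "" ;;
  esac
}

# Pull "X.Y.Z" out of a `ruby -v` line such as
# "ruby 2.3.6p384 (2017-12-14 revision 61254) [x86_64-linux]".
# Prints nothing when the line does not look like ruby -v output.
ruby_version_from_line() {
  printf '%s\n' "$1" \
    | sed -n 's/^ruby \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Turn "X.Y.Z" into an integer so versions compare numerically
# (string comparison would rank 2.3.10 below 2.3.7).
version_key() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Exit 0 when the interpreter described by the ruby -v line is older than
# the minimum for its series, 1 when it is current, 2 when undecidable.
ruby_needs_update() {
  ver=$(ruby_version_from_line "$1")
  if [ -z "$ver" ]; then
    echo "unparseable ruby -v output: $1" >&2
    return 2
  fi
  series=${ver%.*}
  minimum=$(minimum_for_series "$series")
  if [ -z "$minimum" ]; then
    echo "no minimum known for series $series" >&2
    return 2
  fi
  [ "$(version_key "$ver")" -lt "$(version_key "$minimum")" ]
}

# Constructed sample lines (format of `ruby -v`; patch levels illustrative).
SAMPLE_23_DEPLOYED='ruby 2.3.6p384 (2017-12-14 revision 61254) [x86_64-linux]'
SAMPLE_23_PATCHED='ruby 2.3.7p456 (2018-03-28 revision 63024) [x86_64-linux]'
SAMPLE_24_DEPLOYED='ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux]'
SAMPLE_24_PATCHED='ruby 2.4.4p296 (2018-03-28 revision 63013) [x86_64-linux]'

# Stand-alone demonstration over the constructed samples.
for line in "$SAMPLE_23_DEPLOYED" "$SAMPLE_23_PATCHED" \
            "$SAMPLE_24_DEPLOYED" "$SAMPLE_24_PATCHED"; do
  if ruby_needs_update "$line"; then
    echo "NEEDS UPDATE: $line"
  else
    echo "ok:           $line"
  fi
done
```

On a real instance you would feed the script the interpreter's own output, e.g. `ruby_needs_update "$(ruby -v)"`, and fail a deploy or raise an alert on exit status 0. The comparison is done on the numeric version key rather than on the raw string so that a future 2.3.10 is not misread as older than 2.3.7, and unparseable input is reported separately from "current" so a missing interpreter cannot be mistaken for a patched one.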

@thbar
Author

thbar commented Sep 19, 2018

@dvalfre thanks for the feedback!

The "default versions" are what you get when you click "upgrade stack" in the EY UI, is that correct?

This raises an important question for me as an app maintainer: isn't the EY web interface "upgrade stack" button the recommended way anymore to keep instances updated?

Are most customers actually using the overlay approach (thanks for the link) these days?

Thanks!

@dvalfre
Contributor

dvalfre commented Feb 15, 2019

@thbar following up here. The minor version jump was introduced in PR #377, which was included in release v5-3.0.54.
As for the 'upgrade stack' path, it continues to be the recommended way to upgrade the version of the EY Stack serving an environment. Having said that, we recognize customers may want to upgrade/downgrade specific versions of packages independently of the process, hence the overlay method.
