[DRE-maint] Bug#1019238: redmine: ActionView::Template::Error after recent ruby-rails security fix

Jude Hungerford jhungerford at asylumseekerscentre.org.au
Tue Sep 6 04:59:10 BST 2022


Package: redmine
Version: 4.0.7-1~bpo10+1
Severity: important

Dear Maintainer,

   * What led up to the situation?

The unattended-upgrades applied some updates to Ruby packages. The
following information was found in /var/log/apt/history.log:

Start-Date: 2022-09-05  06:51:39
Commandline: /usr/bin/unattended-upgrade
Upgrade: ruby-activejob:amd64 (2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u4), ruby-activerecord:amd64 (2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u4), ruby-actionpack:amd64 (2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u4), ruby-rails:amd64 (2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u4), ruby-activemodel:amd64 (2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u4), ruby-activestorage:amd64 (2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u4), ruby-actioncable:amd64 (2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u4), ruby-actionview:amd64 (2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u4), ruby-railties:amd64 (2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u4), ruby-activesupport:amd64 (2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u4), ruby-actionmailer:amd64 (2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u4)
End-Date: 2022-09-05  06:51:48

Start-Date: 2022-09-05  06:51:52
Commandline: /usr/bin/unattended-upgrade
Upgrade: ruby-rack:amd64 (2.0.6-3, 2.0.6-3+deb10u1)
End-Date: 2022-09-05  06:51:59


   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I attempted to access our Redmine pages, which were working before the
recent unattended upgrades.

   * What was the outcome of this action?

All of our Redmine pages return the following message:
"""
Internal error
An error occurred on the page you were trying to access.
If you continue to experience problems please contact your Redmine administrator for assistance.

If you are the Redmine administrator, check your log files for details about the error.
"""

Looking at the log file in /var/log/redmine/default/production.log, I
see the following:

Started GET "/redmine/" for 203.221.207.132 at 2022-09-06 10:27:56 +1000
Processing by WelcomeController#index as HTML
  Current user: jude (id=4)
  Rendering welcome/index.html.erb within layouts/base
  Rendered welcome/index.html.erb within layouts/base (3.5ms)
Completed 500 Internal Server Error in 19ms (ActiveRecord: 4.9ms)

ActionView::Template::Error (unknown keywords: permitted_classes, aliases):
    11: <%= favicon %>
    12: <%= stylesheet_link_tag 'jquery/jquery-ui-1.11.0', 'application', 'responsive', :media => 'all' %>
    13: <%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) == 'rtl' %>
    14: <%= javascript_heads %>
    15: <%= heads_for_theme %>
    16: <%= call_hook :view_layouts_base_html_head %>
    17: <!-- page specific tags -->

app/models/user_preference.rb:61:in `[]'
app/models/user_preference.rb:79:in `warn_on_leaving_unsaved'
app/helpers/application_helper.rb:1493:in `javascript_heads'
app/views/layouts/base.html.erb:14:in `_app_views_layouts_base_html_erb__2757522946862800469_70311845404380'
lib/redmine/sudo_mode.rb:63:in `sudo_mode'

   * What outcome did you expect instead?

I would normally expect a Redmine page to load.

   * Additional information

Redmine has been installed on this system from the buster-backports
repository. 

-- System Information:
Debian Release: 10.12
  APT prefers oldstable
  APT policy: (990, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-21-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages redmine depends on:
ii  dbconfig-common                 2.0.11+deb10u1
ii  debconf [debconf-2.0]           1.5.71+deb10u1
ii  libjs-chart.js                  2.7.3+dfsg-5
ii  libjs-jquery                    3.3.1~dfsg-3+deb10u1
ii  libjs-jquery-ui                 1.12.1+dfsg-5
ii  libjs-raphael                   2.1.0-1
ii  redmine-mysql                   4.0.7-1~bpo10+1
ii  ruby                            1:2.5.1
ii  ruby-actionpack-action-caching  1.2.0-2
ii  ruby-actionpack-xml-parser      2.0.1-3
ii  ruby-bundler                    1.17.3-3+deb10u1
ii  ruby-coderay                    1.1.2-2
ii  ruby-csv                        3.0.2-1
ii  ruby-i18n                       1.5.3-1+deb10u1
ii  ruby-jquery-rails               4.3.3-1
ii  ruby-mail                       2.7.1+dfsg1-1
ii  ruby-mime-types                 3.2.2-1
ii  ruby-mimemagic                  0.3.2+dfsg-1
ii  ruby-mini-mime                  1.0.1-1
ii  ruby-net-ldap                   0.16.1-1
ii  ruby-nokogiri                   1.10.0+dfsg1-2
ii  ruby-rack                       2.0.6-3+deb10u1
ii  ruby-rack-test                  0.7.0-1
ii  ruby-rails                      2:5.2.2.1+dfsg-1+deb10u4
ii  ruby-rails-dom-testing          2.0.3-3
ii  ruby-rails-observers            0.1.5-1
ii  ruby-rbpdf                      1.19.5+ds.1-1
ii  ruby-redcarpet                  3.4.0-4+deb10u1
ii  ruby-request-store              1.3.0-1
ii  ruby-rmagick                    2.16.0-6
ii  ruby-roadie                     3.2.2-1
ii  ruby-roadie-rails               1.3.0-1
ii  ruby-rouge                      3.21.0-1~bpo10+1
ii  ruby2.1 [ruby-interpreter]      2.1.5-2+deb8u4

Versions of packages redmine recommends:
ii  passenger  5.0.30-1.1

Versions of packages redmine suggests:
pn  bzr         <none>
pn  cvs         <none>
pn  darcs       <none>
ii  git         1:2.20.1-2+deb10u3
pn  mercurial   <none>
ii  ruby-fcgi   0.9.2.1-2+b3
pn  subversion  <none>

-- debconf information:
  redmine/instances/default/mysql/method: Unix socket
  redmine/instances/default/pgsql/authmethod-admin: ident
  redmine/default-language: en
  redmine/instances/default/missing-db-package-error: abort
  redmine/instances/default/upgrade-error: abort
  redmine/instances/default/remote/host: localhost
  redmine/missing-redmine-package:
* redmine/instances/default/dbconfig-remove:
  redmine/instances/default/db/dbname: redmine_default
* redmine/instances/default/dbconfig-install: true
  redmine/instances/default/pgsql/manualconf:
* redmine/instances/default/mysql/admin-user: debian-sys-maint
  redmine/instances/default/pgsql/no-empty-passwords:
  redmine/instances/default/upgrade-backup: true
  redmine/instances/default/default-language: en
  redmine/notify-migration:
  redmine/instances/default/remote/port:
  redmine/instances/default/db/app-user: redmine_default at localhost
  redmine/instances/default/install-error: abort
  redmine/instances/default/db/basepath:
  redmine/instances/default/purge: false
  redmine/instances/default/remove-error: abort
  redmine/instances/default/dbconfig-upgrade: true
  redmine/instances/default/remote/newhost:
  redmine/old-instances:
  redmine/instances/default/internal/skip-preseed: false
  redmine/instances/default/pgsql/admin-user: postgres
  redmine/current-instances: default
  redmine/instances/default/pgsql/authmethod-user: password
  redmine/instances/default/pgsql/changeconf: false
* redmine/instances/default/database-type: mysql
  redmine/instances/default/dbconfig-reinstall: false
  redmine/instances/default/pgsql/method: TCP/IP
  redmine/instances/default/internal/reconfiguring: false
  redmine/instances/default/passwords-do-not-match:


