On 02/04/18 at 10:13, Chris Lamb wrote:
> Hi Santiago,
>
> > I have been unable to confirm the versions of these packages are
> > affected by CVE-2018-1000074 and CVE-2018-1000079
>
> re. CVE-2018-1000074, it seems fairly clear. For example, here is jruby's
> lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb:
>
>   45       with_response response do |resp|
>   46         owners = YAML.load resp.body
>
> (The others are similar, if not identical.)

Yes. Sorry, I was unclear. I meant I have been unable to confirm it
through a PoC. The code seems to be affected.

However, I am not sure this issue warrants a DLA (nor a DSA?). Upstream
didn't backport the patch for ruby2.2, and backporting to 1.8 and 1.9.1 is
quite intrusive, from my point of view.

Security team, what's your position about CVE-2018-1000074 for stable?

> > > Can you let me know whether you still wish to work on this package
> > > or whether you would — in addition — like to take the same underlying
> > > issue in rubygems and jruby as well?
> >
> > About ruby1.9.1, other issues have been reported in the meantime, and I am
> > waiting to fix them in the same upload.
>
> Sorry, I should have been clearer; given that the issues overlap to
> some degree I think it would be best if one person took them all. Are
> you happy to reserve the other packages in dla-needed.txt? :)

I'd suggest waiting for the security team's opinion about the issue.
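The quoted line `owners = YAML.load resp.body` is the underlying issue behind CVE-2018-1000074: the full YAML loader instantiates whatever Ruby classes the tags in the server's response name. The following is an added example, not code from this thread, from rubygems or from jruby; it puts the pre-fix loader beside a hardened parse of the same response so the difference is visible on sample input. The AuditMarker class, parse_owners, compare_loaders and the two sample bodies are constructed for the illustration.

```ruby
require 'yaml'

# Harmless class used only to show that a Ruby-object tag in a YAML document
# is turned into a live object by the pre-fix code path (constructed for this example).
class AuditMarker
  attr_accessor :note
end

# Raised when the owners response cannot be parsed into the expected shape.
class OwnersParseError < StandardError; end

# Pre-fix behaviour: the full YAML loader, as in `owners = YAML.load resp.body`.
# On Psych 4 (Ruby 3.1+) YAML.load is already the safe loader and the old
# behaviour lives under YAML.unsafe_load, so pick whichever this Psych provides.
def legacy_load(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# Hardened parse of an owners listing: safe_load builds only core scalar and
# collection types, so a tag naming a Ruby class raises Psych::DisallowedClass
# instead of instantiating anything, and the result is then checked against the
# shape the client expects (a list of mappings, each with an 'email' string).
def parse_owners(body)
  data = YAML.safe_load(body, permitted_classes: [], permitted_symbols: [], aliases: false)
  raise OwnersParseError, 'expected a list of owners' unless data.is_a?(Array)
  data.map do |entry|
    raise OwnersParseError, 'owner entry is not a mapping' unless entry.is_a?(Hash)
    email = entry['email']
    raise OwnersParseError, 'owner entry lacks an email string' unless email.is_a?(String)
    email
  end
rescue Psych::Exception => e
  # Covers DisallowedClass, BadAlias and SyntaxError alike: reject the whole response.
  raise OwnersParseError, "rejected response: #{e.class}: #{e.message}"
end

# Constructed sample responses (not captured from rubygems.org or any server).
BENIGN_BODY = "---\n- email: alice@example.org\n- email: bob@example.org\n"
TAGGED_BODY = "---\n- !ruby/object:AuditMarker\n  note: loaded by the full YAML loader\n"

# Summarise what each loader does with a body, for a side-by-side comparison:
# the class names the legacy loader produced, and the hardened result or error.
def compare_loaders(body)
  legacy_classes = Array(legacy_load(body)).map { |e| e.class.name }
  hardened = begin
    parse_owners(body)
  rescue OwnersParseError => e
    e.message
  end
  { legacy: legacy_classes, hardened: hardened }
end

if $PROGRAM_NAME == __FILE__
  p compare_loaders(BENIGN_BODY)
  p compare_loaders(TAGGED_BODY)
end
```

For the benign body both loaders yield two plain hashes; for the tagged body the legacy loader returns a live AuditMarker while parse_owners raises OwnersParseError wrapping Psych::DisallowedClass. The shape check after safe_load matters on its own: even with classes restricted, a response that is a scalar or a bare mapping must not be handed to code that expects `owners.each`.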