
Re: ruby1.9.1 test packages for wheezy



[resending]

Hi Santiago

On Wed, Apr 18, 2018 at 04:17:05PM +0200, Santiago R.R. wrote:
> On 18/04/18 at 09:14, Antoine Beaupré wrote:
> > On 2018-04-18 12:47:52, Santiago R.R. wrote:
> > > Hi Antoine!
> > >
> > > On 17/04/18 at 11:58, Antoine Beaupré wrote:
> > >> Also, after talking with my old colleagues, I just realized that they
> > >> might be using Ruby 1.8 and not 1.9.1. It seems we have triaged those
> > >> out of the picture, but maybe all 1.8 packages are affected by a bunch
> > >> of those issues too? This looks suspiciously sparse:
> > >> 
> > >> https://security-tracker.debian.org/tracker/source-package/ruby1.8
> > >> 
> > >> ... when compared to the larger:
> > >> 
> > >> https://security-tracker.debian.org/tracker/source-package/ruby1.9.1
> > >> 
> > >> I feel it's quite possible we have forgotten a bunch of CVEs in Ruby
> > >> 1.8, is it possible?
> > >
> > > Part of the issues relates to rubygems which is not shipped in ruby1.8.
> > > But maybe the rest of the issues (the bunch that was fixed in the recent
> > > upstream release) needs to be re-checked. I will triage them.
> > 
> > I talked with carnil, and he said this shouldn't be necessary, so I
> > wouldn't bother. He did the triage already, so I think we can assume he
> > did excellent work, as usual. :) I was worried 1.8 was forgotten, but he
> > assured me he did not. The discrepancy is indeed due to gems.
> > 
> 
> carnil, maybe I wrongly checked those (non-rubygems) ruby1.8 issues?
> It is possible to reproduce in 1.8 some of the tests listed in
> hackerone, e.g. for CVE-2018-6914:
> https://hackerone.com/reports/302298

Sorry, I was unclear. I meant those affecting the rubygems part, which
were recently published and which I looked at. Those should already be
listed against rubygems rather than ruby1.8.

Regards,
Salvatore

