
Re: Regression in stretch update of ruby-activerecord 2:5.2.2.1+dfsg-1+deb10u4



Hi Abhijith,

On Fri, Sep 9, 2022 at 6:04 PM Abhijith PA <abhijith@disroot.org> wrote:
> Can you share how the autopkgtest.kali.org service is set up and how
> it is running? I am using https://ci.debian.net/doc/file.HACKING.html
> to reproduce this. What is your rack server like, and do you also run any
> proxy server?

It's also the same with debci in Debian, I believe. But this regression is even
reproducible in _any_ app: Redmine, Gitlab, et al. Try setting up
Gitlab and you won't be able to log in and log out, or something
similar. Try setting up Redmine and it'd fail to work, I think. Look
at the regression the user posted on debian-backports@.

> Even though I understand it now, I just can't reproduce it with a
> local debci setup. Is this only triggered on certain actions?

I have fixed unstable, but for buster it's even worse. The reasons are twofold:
a) This is not a problem for psych ~> 3.1 but a problem for psych ~>
3.0, and unfortunately that's what's shipped in buster.
b) Now if you even try a build without the patch, 150+ related tests
are going to fail because the rails upload is well settled in and thus
it won't build.

I have gone ahead and patched that and the fixed rails binaries are
available here: https://people.debian.org/~utkarsh/lts/rails/

Please don't upload yet. We either upload what I have or just roll back
the fix for CVE-2022-32224. Wait for the further decision or let me
handle that - whatever works for you. :D

- u