[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2009-5147 in ruby{1.8,1.9.1}

Hi Santiago,

Thanks for looking into this and keeping the security-team as well in
the loop (really appreciated).

On Fri, Aug 21, 2015 at 11:12:28AM +0200, Santiago Ruano Rincón wrote:
> Hi,
> I've taken a look to
> https://security-tracker.debian.org/tracker/CVE-2009-5147
> in the 1.8 and 1.9.1 versions of ruby and I am unsure if they deserve a
> DLA/DSA by their own.
> I've been unable to find more information to take advantage of this
> issue, and other vendors consider this as low priority and even wontfix.
> For squeeze, the patches are already on the collab-maint repos. I can do
> it for wheezy too. Do you think it's ok to wait to upload them along
> with a further and more important fix?

I think we should mark it as no-dsa for wheezy and jessie (2.1). When
looking at the issue I added some furhter notes attached to the CVE,
but keept the TODO: check, so that other might double-check this.


Reply to: