
Re: CVE-2009-5147 in ruby{1.8,1.9.1}



Hi Santiago,

Thanks for looking into this and keeping the security-team as well in
the loop (really appreciated).

On Fri, Aug 21, 2015 at 11:12:28AM +0200, Santiago Ruano Rincón wrote:
> Hi,
> 
> I've taken a look at
> https://security-tracker.debian.org/tracker/CVE-2009-5147
> in the 1.8 and 1.9.1 versions of ruby and I am unsure if they deserve a
> DLA/DSA on their own.
> 
> I've been unable to find more information to take advantage of this
> issue, and other vendors consider this as low priority and even wontfix.
> 
> For squeeze, the patches are already on the collab-maint repos. I can do
> it for wheezy too. Do you think it's ok to wait to upload them along
> with a further and more important fix?

I think we should mark it as no-dsa for wheezy and jessie (2.1). When
looking at the issue I added some further notes attached to the CVE,
but kept the TODO: check, so that others might double-check this.

Regards,
Salvatore

