(fixed the subject to mention the right package)

On Fri, May 20, 2016 at 01:02:11PM +0200, Ola Lundqvist wrote:
> Hi ruby-rest-client maintainer(s) and Debian LTS team
>
> This is my second contribution to Debian LTS and this time I need some
> advice. This fix requires a dependency on ruby-http-cookie which is not in
> wheezy.
>
> I have prepared an update of the ruby-rest-client package to correct the
> problem described in
> https://security-tracker.debian.org/tracker/CVE-2015-1820
> (I have not fixed CVE-2015-3448 as it was marked as "no DSA" in the
> security tracker).
>
> The change was simple as the fix was in jessie 1.6.7-6 with a prepared
> patch. So I have simply copied the patch file and series file to the
> debian/patch directory, changed the changelog and control file and rebuilt.
>
> The prepared package is here:
> http://apt.inguza.net/wheezy-security/ruby-rest-client
> The debdiff is here:
> http://apt.inguza.net/wheezy-security/ruby-rest-client/debdiff-against-previous-version-in-wheezy.patch
>
> I see two options:
> 1) I upload this fix above and we introduce the ruby-http-cookie (its
> dependencies are already there, I have tested with the jessie version of
> ruby-http-cookie on wheezy, so it is just to add this package too)
> 2) We tell that the fix is not important enough.
> I do not see the point in trying to change the correction in some other way
> for wheezy.

Can you introduce new packages in LTS? If you can, then just doing that and using the patch that was applied in jessie is probably good enough.