Re: Debian LTS Security update of ruby-activerecord-3.2
Hi Ola,
On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote:
> Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team
>
> This is my third package contribution to Debian LTS. I'm doing this as a
> training exercise and this is why the maintainer have not been asked to
> this for me.
>
> I have prepared an update of the ruby-activerecord-3.2 package with a fix
> for
> https://security-tracker.debian.org/tracker/CVE-2015-7577
>
> What i have done is to take the CVE-2015-7577.patch file from the rails
> 2:4.1.8-1+deb8u2 package in jessie.
> Two out of three chunks applied cleanly and the third one was simple to
> copy-paste in place.
>
> I have also written a very simple test application from an example. It does
> not test the specific security problem but at least show that there is no
Does it make sense to add this as an autopkgtest?
> obvious regression problem. If you know of an easy way to do more extended
> testing of this update then please let me know (or run it yourself and let
> me know the results). As the source is so similar between the rails package
> and this I trust that the extra test introduced in rails will cover the
> specific problem even though I have not run it specifically (it is part of
> the whole rails suite and not trivial to extract parts of it).
>
> You can find the debdiff here:
> http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff
This looks good to me.
Cheers,
-- Guido
Reply to: