Hi Chris,

On 02/04/18 at 08:55, Chris Lamb wrote:
> Hi Santiago,
>
> I just triaged rubygems & jruby for wheezy re. CVE-2018-1000074 and
> noticed that ruby1.9.1 is also vulnerable. You still have this latter
> package reserved in dla-needed.txt since March 18th.

I have been unable to confirm the versions of these packages are affected by CVE-2018-1000074 and CVE-2018-1000079. Also, it seems there is no upstream patch for the oldest maintained ruby, covering those issues:

https://bugs.ruby-lang.org/attachments/download/7030/rubygems-276-for-ruby22.patch

Do you have any more info how to those CVEs? I haven't marked them as unaffected yet, just to be conservative.

> Can you let me know whether you still wish to work on this package
> or whether you would — in addition — like to take the same underlying
> issue in rubygems and jruby as well?

About ruby1.9.1, other issues have been reported in the meantime, and I am waiting to fix them in the same upload.

Cheers!

S