On 18/04/18 at 09:14, Antoine Beaupré wrote:
> On 2018-04-18 12:47:52, Santiago R.R. wrote:
> > Hi Antoine!
> >
> > On 17/04/18 at 11:58, Antoine Beaupré wrote:
> >> Also, after talking with my old colleagues, I just realized that they
> >> might be using Ruby 1.8 and not 1.9.1. It seems we have triaged those
> >> out of the picture, but maybe all 1.8 packages are affected by a bunch
> >> of those issues too? This looks suspiciously sparse:
> >>
> >> https://security-tracker.debian.org/tracker/source-package/ruby1.8
> >>
> >> ... when compared to the larger:
> >>
> >> https://security-tracker.debian.org/tracker/source-package/ruby1.9.1
> >>
> >> I feel it's quite possible we have forgotten a bunch of CVEs in Ruby
> >> 1.8, is it possible?
> >
> > Part of the issues relates to rubygems, which is not shipped in ruby1.8.
> > But maybe the rest of the issues (the bunch that was fixed in the recent
> > upstream release) need to be re-checked. I will triage them.
>
> I talked with carnil, and he said this shouldn't be necessary, so I
> wouldn't bother. He did the triage already, so I think we can assume he
> did excellent work, as usual. :) I was worried 1.8 was forgotten, but he
> assured me he did not. The discrepancy is indeed due to gems.

carnil, maybe I wrongly checked those (non-rubygems) ruby1.8 issues? It
is possible to reproduce in 1.8 some of the tests listed in hackerone,
e.g. for CVE-2018-6914: https://hackerone.com/reports/302298

> > To answer your other mail, I didn't find any regression in the test
> > suite, comparing to the current revision. Unfortunately, I don't have
> > anything in production related to ruby where I can do something more
> > than a smoke test.
>
> Sounds good. I am waiting for feedback from my colleagues, hopefully
> this should trickle out $today.

Great, thanks!

Santiago