
Re: Issues regarding ruby-rack/CVE-2019-16782



Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:

> Please don't yet patch CVE-2019-16782 for Buster, Stretch, Jessie, et al.
> This security update induces a regression, resulting in some issues in
> using the library.
> Also, there's a slight possibility of this patch inducing a backdoor on
> its own.
>
> The issues have already been opened to/with the upstream and I hope
> they're looking into it.
> P.S. Shall update here when available :)

Do you have any references to the upstream issue regarding the possible
backdoor?

I see:

https://github.com/rack/rack/issues/1431
https://github.com/rack/rack/issues/1432
https://github.com/rack/rack/issues/1433

Apparently the regression is unavoidable - see
https://github.com/rack/rack/issues/1432#issuecomment-571688819

Which in turn generated controversy - is it OK to cause breakage if it
fixes a known security issue?
https://github.com/rack/rack/issues/1432#issuecomment-571701768

This might rule out being able to provide fixes for Buster and Jessie.

Oh, I see, #1431 mentions the possible backdoor; a claim that was
disputed.

It also seems like "I agree that the vulnerability is not that great and
does take substantial time to pull off." - wonder if it is even worth
trying to fix this for anything other than unstable+testing.
-- 
Brian May <bam@debian.org>

