
Re: Issues regarding ruby-rack/CVE-2019-16782



Hi Brian,

On Fri, Apr 24, 2020 at 2:49 AM Brian May <bam@debian.org> wrote:
> For reference I filed a similar bug against Django
> <https://code.djangoproject.com/ticket/31412#comment:8> and they
> responded with:
>
> > After consideration, the Django Security Team conclude that this is not
> > a practical attack vector.
> >
> > Work on the related hardenings, such as the referenced tickets should
> > continue.
>
> I am inclined to think we do not need to worry about patching old
> releases for this vulnerability for similar reasons.

Thank you for this. I've started to think on the same lines.
During this weekend, I'll take a quick look over what other
distributions are doing for this.

And if I don't find something, we could perhaps mark this as "no-dsa"?
I've updated the version (and this is fixed) in unstable/testing.
However, I'll close the bug with the next update after cross-checking
if everything, indeed, is alright.

Let me know if this seems alright?


Best,
Utkarsh

