[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rails update

Hi Security Team, Utkarsh,

On 19/06/2020 11:40, Salvatore Bonaccorso wrote:
> On Wed, Jun 17, 2020 at 11:09:41PM +0200, Sylvain Beucler wrote:
>> I'm currently testing an update for jessie and I can prepare an update
>> for stretch (which appears to be similar).
>> (not sure what's the plan for buster)
>> Would you be interested?
> Yes if you are interested in contributing the updates, help is
> welcome. Apart the proposed debdiffs, would be ideal to hear what you
> were able to test/check.

Here's the prepared stretch update:

Testing was documented at:
It includes running the DEP-8 tests (which deploys a full app) and
running the full upstream testsuite. Test cases for the 2 CVEs were

> So assuming you are intersted in preparing the stretch-security one,
> would you as well work on the buster-security one? (it has different
> set of open CVEs to be addressed).

The buster version is different and introduces 3 new vulnerabilities,
which strays a bit too far off my current work on rails. I believe the
package maintainers (possibly Utkarsh) would be in better position to
prepare the buster update.
If the rails maintainers are not available though I can step in.

On 19/06/2020 19:20, Utkarsh Gupta wrote:
> On Fri, Jun 19, 2020 at 10:46 PM Utkarsh Gupta <utkarsh@debian.org> wrote:
>> Just letting you know with my rails' maintainer hat on..
>> I faced a regression where I think, activestorage (one of rails' binary),
>> broke and in turn, it broke a bunch of other gems as well.
>> Please ensure that the fix of these CVE(s) won't break other libraries
>> because otherwise, it would mess up an instance.
>> Of course, the tests would pass, but if you can check and ensure that
>> it's not breaking other stuff, you're good to go! :)
> Also, I think it originated  due to babel (I am not sure though!), but that was
> the closest I got to when debugging.
> If so, then I don't think anything would break.
> Anyway, this was the patch that fixed the regression:
> https://salsa.debian.org/ruby-team/rails/-/commit/fe3206768ed30b8eb6a83e74fc813e616d7d0db3

As far as I understand, you experienced a regression but it isn't
related to the current CVEs, is it?

Is there a depending library/app that you would recommend testing with?


Reply to: