
Re: rails update



Hi Security Team, Utkarsh,

On 19/06/2020 11:40, Salvatore Bonaccorso wrote:
> On Wed, Jun 17, 2020 at 11:09:41PM +0200, Sylvain Beucler wrote:
>> I'm currently testing an update for jessie and I can prepare an update
>> for stretch (which appears to be similar).
>> (not sure what's the plan for buster)
>> Would you be interested?
>
> Yes, if you are interested in contributing the updates, help is
> welcome. Apart from the proposed debdiffs, it would be ideal to hear what
> you were able to test/check.

Here's the prepared stretch update:
https://www.beuc.net/tmp/debian-lts/rails/
https://www.beuc.net/tmp/debian-lts/rails/debdiff.txt

Testing was documented at:
https://wiki.debian.org/LTS/TestSuites/rails
It includes running the DEP-8 tests (which deploys a full app) and
running the full upstream testsuite. Test cases for the 2 CVEs were
backported.

> So assuming you are interested in preparing the stretch-security one,
> would you as well work on the buster-security one? (it has different
> set of open CVEs to be addressed).

The buster version is different and introduces 3 new vulnerabilities,
which strays a bit too far off my current work on rails. I believe the
package maintainers (possibly Utkarsh) would be in a better position to
prepare the buster update.
If the rails maintainers are not available though, I can step in.

On 19/06/2020 19:20, Utkarsh Gupta wrote:
> On Fri, Jun 19, 2020 at 10:46 PM Utkarsh Gupta <utkarsh@debian.org> wrote:
>> Just letting you know with my rails' maintainer hat on..
>> I faced a regression where I think activestorage (one of rails' binaries)
>> broke and, in turn, it broke a bunch of other gems as well.
>>
>> Please ensure that the fix of these CVE(s) won't break other libraries
>> because otherwise, it would mess up an instance.
>> Of course, the tests would pass, but if you can check and ensure that
>> it's not breaking other stuff, you're good to go! :)
> 
> Also, I think it originated due to babel (I am not sure though!), but that was
> the closest I got to when debugging.
> If so, then I don't think anything would break.
> 
> Anyway, this was the patch that fixed the regression:
> https://salsa.debian.org/ruby-team/rails/-/commit/fe3206768ed30b8eb6a83e74fc813e616d7d0db3

As far as I understand, you experienced a regression but it isn't
related to the current CVEs, is it?

Is there a depending library/app that you would recommend testing with?

Cheers!
Sylvain
