Re: rails update
Hi Security Team, Utkarsh,
On 19/06/2020 11:40, Salvatore Bonaccorso wrote:
> On Wed, Jun 17, 2020 at 11:09:41PM +0200, Sylvain Beucler wrote:
>> I'm currently testing an update for jessie and I can prepare an update
>> for stretch (which appears to be similar).
>> (not sure what's the plan for buster)
>> Would you be interested?
> Yes if you are interested in contributing the updates, help is
> welcome. Apart from the proposed debdiffs, it would be ideal to hear what you
> were able to test/check.
Here's the prepared stretch update:
Testing was documented at:
It includes running the DEP-8 tests (which deploys a full app) and
running the full upstream test suite. Test cases for the 2 CVEs were
> So assuming you are interested in preparing the stretch-security one,
> would you as well work on the buster-security one? (it has different
> set of open CVEs to be addressed).
The buster version is different and introduces 3 new vulnerabilities,
which strays a bit too far off my current work on rails. I believe the
package maintainers (possibly Utkarsh) would be in better position to
prepare the buster update.
If the rails maintainers are not available though I can step in.
On 19/06/2020 19:20, Utkarsh Gupta wrote:
> On Fri, Jun 19, 2020 at 10:46 PM Utkarsh Gupta <firstname.lastname@example.org> wrote:
>> Just letting you know with my rails maintainer hat on...
>> I faced a regression where I think, activestorage (one of rails' binaries),
>> broke and in turn, it broke a bunch of other gems as well.
>> Please ensure that the fix of these CVE(s) won't break other libraries
>> because otherwise, it would mess up an instance.
>> Of course, the tests would pass, but if you can check and ensure that
>> it's not breaking other stuff, you're good to go! :)
> Also, I think it originated due to babel (I am not sure though!), but that was
> the closest I got to when debugging.
> If so, then I don't think anything would break.
> Anyway, this was the patch that fixed the regression:
As far as I understand, you experienced a regression but it isn't
related to the current CVEs, is it?
Is there a depending library/app that you would recommend testing with?