[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rails update


On 22/06/2020 11:56, Utkarsh Gupta wrote:
> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <beuc@beuc.net> wrote:
>> Hmm, are you the only active maintainer for rails?
> There are 3 maintainers. CC'ed rails@p.d.o.
> However, since you have already worked on preparing the fix for
> Jessie, it's much easier on your part to do it for Stretch and Buster.
> But that's volunteer work :)
> If you don't want to work, don't :)

For rails@d.p.o's info, I explained at:
that I prepared the jessie (4.1.8) and stretch ( updates at:

However the buster version ( is affected by a different set of
vulnerabilities, is much closer to bullseye (, and apparently
the update causes new issues.

That's why I think it'd make more sense for the rails maintainers to
backport the latest bullseye update.

Let me know what you plan to do.

>> Which security update broke what, exactly?
> The latest security update from to, which contained
> fixes for CVE-2020-816{2,4,5,6,7}.
> JavaScript bundle generation for Activestorage didn't work w/o that
> patch. We had to switch to node-babel7 for that.

I updated

The stretch updates passes this new test.

(Though in this particular case it may have just been due to node-babel
changes in unstable since March, e.g. babel7 is pulled through


Reply to: