
Re: rails update



Hi,

On 22/06/2020 13:23, Sylvain Beucler wrote:
> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <beuc@beuc.net> wrote:
>>> Hmm, are you the only active maintainer for rails?
>>
>> There are 3 maintainers. CC'ed rails@p.d.o.
>> However, since you have already worked on preparing the fix for
>> Jessie, it's much easier on your part to do it for Stretch and Buster.
>> But that's volunteer work :)
>>
>> If you don't want to work, don't :)
> 
> For rails@d.p.o's info, I explained at:
> https://lists.debian.org/debian-lts/2020/06/msg00063.html
> that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
> https://www.beuc.net/tmp/debian-lts/rails/
> 
> However the buster version (5.2.2.1) is affected by a different set of
> vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
> the update causes new issues.
> 
> That's why I think it'd make more sense for the rails maintainers to
> backport the latest bullseye update.
> 
> Let me know what you plan to do.
> 
>>> Which security update broke what, exactly?
>>
>> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
>> fixes for CVE-2020-816{2,4,5,6,7}.
>> JavaScript bundle generation for Activestorage didn't work w/o that
>> patch. We had to switch to node-babel7 for that.
> 
> I updated
> https://wiki.debian.org/LTS/TestSuites/rails
> accordingly.
> 
> The stretch update passes this new test.
> 
> (Though in this particular case it may have just been due to node-babel
> changes in unstable since March, e.g. babel7 is pulled through
> node-regenerator-transform.)

Status update: jessie and stretch are affected by the new important
CVE-2020-8163.
buster and above are not affected.
Currently waiting for upstream's feedback on a second regression, then
I'll prepare an update for jessie & stretch.

Cheers!
Sylvain
