[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rails update


On 06/07/2020 09:55, Pirate Praveen wrote:
> On 2020, ജൂലൈ 6 1:09:09 PM IST, Sylvain Beucler <beuc@beuc.net> wrote:
>> On 30/06/2020 22:38, Salvatore Bonaccorso wrote:
>>> On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote:
>>>> On 25/06/2020 18:20, Sylvain Beucler wrote:
>>>>> On 22/06/2020 13:23, Sylvain Beucler wrote:
>>>>>> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>>>>>>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <beuc@beuc.net> wrote:
>>>>>>>> Hmm, are you the only active maintainer for rails?
>>>>>>> There are 3 maintainers. CC'ed rails@p.d.o.
>>>>>>> However, since you have already worked on preparing the fix for
>>>>>>> Jessie, it's much easier on your part to do it for Stretch and Buster.
>>>>>>> But that's volunteer work :)
>>>>>>> If you don't want to work, don't :)
>>>>>> For rails@d.p.o's info, I explained at:
>>>>>> https://lists.debian.org/debian-lts/2020/06/msg00063.html
>>>>>> that I prepared the jessie (4.1.8) and stretch ( updates at:
>>>>>> https://www.beuc.net/tmp/debian-lts/rails/
>>>>>> However the buster version ( is affected by a different set of
>>>>>> vulnerabilities, is much closer to bullseye (, and apparently
>>>>>> the update causes new issues.
>>>>>> That's why I think it'd make more sense for the rails maintainers to
>>>>>> backport the latest bullseye update.
>>>>>> Let me know what you plan to do.
>>>>>>>> Which security update broke what, exactly?
>>>>>>> The latest security update from to, which contained
>>>>>>> fixes for CVE-2020-816{2,4,5,6,7}.
>>>>>>> JavaScript bundle generation for Activestorage didn't work w/o that
>>>>>>> patch. We had to switch to node-babel7 for that.
>>>>>> I updated
>>>>>> https://wiki.debian.org/LTS/TestSuites/rails
>>>>>> accordingly.
>>>>>> The stretch updates passes this new test.
>>>>>> (Though in this particular case it may have just been due to node-babel
>>>>>> changes in unstable since March, e.g. babel7 is pulled through
>>>>>> node-regenerator-transform.)
>>>>> Status update: jessie and stretch are affected by new important
>>>>> CVE-2020-8163.
>>>>> buster and above not affected.
>>>>> Currently waiting for upstream's feedback on a second regression, then
>>>>> I'll prepare an update for jessie & stretch.
>>>> https://www.beuc.net/tmp/debian-lts/rails/ is updated.
>>>> Upstream showed little care for 4.x and I don't expect further feedback,
>>>> so I went ahead and backported:
>>>> https://github.com/rails/rails/commit/d9ff835b99ff3c7567ccde9b1379b4deeabee32f
>>>> to fix the regression, including tests.
>>>> Rationale at:
>>>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
>>>> Note: redmine/stretch (< 3.4) was not affected by the regression.
>>> Attaching the debdiff for reference. The changes looks good to me, but
>>> I defintively would like to see a second pair of eyes here from the
>>> rails maintainers, in particular for CVE-2020-8163, Utkarsh?
>>> There is no lost work, but if we want to release a rails update for
>>> stretch (before it moves to LTS), we should try to get as well a rails
>>> update beeing prepared for buster, Utkarsh you indicated lack of time
>>> currently, any one other up from the rails maintainers?

Back to the initial topic, the current tasks underway are:

- stretch update review

The update is ready:

It includes an additional regression fix for CVE-2020-8163.

I requested upstream feedback but given that 4.x is EOL so far no luck.

Hence we called for a review from a Ruby/Rails-savvy DD.
(stretch moved from oldstable->LTS meanwhile, but the review would still
be appreciated)
Anyone up?

- buster update

I now "up-ported" my stretch work at:
+ added the redis side of CVE-2020-8165

I believe I would do a disservice to the community if I did a one-time
update masking possible problems with long-term maintenance, so I'm
leaving the other CVEs to fix
(cf. https://security-tracker.debian.org/tracker/source-package/rails)

Sylvain Beucler
Debian LTS Team

Reply to: