Re: rails update



Hi Antonio,

On 08/07/2020 18:32, terceiro@debian.org wrote:
> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>> Back to the initial topic, the current tasks underway are:
>>
>>
>> - stretch update review
>>
>> The update is ready:
>> https://www.beuc.net/tmp/debian-lts/rails/
>>
>> It includes an additional regression fix for CVE-2020-8163.
>> https://security-tracker.debian.org/tracker/CVE-2020-8163
>>
>> I requested upstream feedback but given that 4.x is EOL so far no luck.
>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
>> https://github.com/rails/rails/pull/39806
>>
>> Hence we called for a review from a Ruby/Rails-savvy DD.
>> (stretch moved from oldstable->LTS meanwhile, but the review would still
>> be appreciated)
>> Anyone up?
>>
>>
>> - buster update
>>
>> I now "up-ported" my stretch work at:
>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>> + added the redis side of CVE-2020-8165
>>
>> I believe I would do a disservice to the community if I did a one-time
>> update masking possible problems with long-term maintenance, so I'm
>> leaving the other CVEs to fix
>> (cf. https://security-tracker.debian.org/tracker/source-package/rails)
> 
> I looked briefly at both updates, and the new patches included in them
> look sane and reasonable.

Thanks for your review!

Also my regression fix for CVE-2020-8163 (4.x) was merged:
https://github.com/rails/rails/commit/0ecaaf76d1b79cf2717cdac754e55b4114ad6599

Cheers!
Sylvain