Re: rails update
On 08/07/2020 18:32, email@example.com wrote:
> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>> Back to the initial topic, the current tasks underway are:
>> - stretch update review
>> The update is ready:
>> It includes an additional regression fix for CVE-2020-8163.
>> I requested upstream feedback, but given that 4.x is EOL, so far no luck.
>> Hence we called for a review from a Ruby/Rails-savvy DD.
>> (stretch moved from oldstable->LTS meanwhile, but the review would still
>> be appreciated)
>> Anyone up?
>> - buster update
>> I now "up-ported" my stretch work at:
>> + added the redis side of CVE-2020-8165
>> I believe I would do a disservice to the community if I did a one-time
>> update masking possible problems with long-term maintenance, so I'm
>> leaving the other CVEs to fix
>> (cf. https://security-tracker.debian.org/tracker/source-package/rails)
> I looked briefly at both updates, and the new patches included in them
> look sane and reasonable.
Thanks for your review!
Also my regression fix for CVE-2020-8163 (4.x) was merged: