[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rails update

Hi Antonio,

On 08/07/2020 18:32, terceiro@debian.org wrote:
> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>> Back to the initial topic, the current tasks underway are:
>> - stretch update review
>> The update is ready:
>> https://www.beuc.net/tmp/debian-lts/rails/
>> It includes an additional regression fix for CVE-2020-8163.
>> https://security-tracker.debian.org/tracker/CVE-2020-8163
>> I requested upstream feedback but given that 4.x is EOL so far no luck.
>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
>> https://github.com/rails/rails/pull/39806
>> Hence we called for a review from a Ruby/Rails-savvy DD.
>> (stretch moved from oldstable->LTS meanwhile, but the review would still
>> be appreciated)
>> Anyone up?
>> - buster update
>> I now "up-ported" my stretch work at:
>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>> + added the redis side of CVE-2020-8165
>> I believe I would do a disservice to the community if I did a one-time
>> update masking possible problems with long-term maintenance, so I'm
>> leaving the other CVEs to fix
>> (cf. https://security-tracker.debian.org/tracker/source-package/rails)
> I looked briefly at both updates, and the new patches included in them
> look sane and reasonable.

Thanks for your review!

Also my regression fix for CVE-2020-8163 (4.x) was merged:


Reply to: