[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rails update

Hi Security Team,

On 15/07/2020 10:53, Moritz Muehlenhoff wrote:
> On Wed, Jul 15, 2020 at 09:03:01AM +0200, Sylvain Beucler wrote:
>> On 14/07/2020 22:29, Moritz Mühlenhoff wrote:
>>> On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wrote:
>>>> On 10/07/2020 10:28, Moritz Mühlenhoff wrote:
>>>>> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>>>>>> - buster update
>>>>>> I now "up-ported" my stretch work at:
>>>>>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>>>>>> + added the redis side of CVE-2020-8165
>>>>> What do you mean with up-ported? Applying a patch made for an older release
>>>>> to a more recent release will miss all code which wasn't present in
>>>>> the older suite.
>>>> To phrase it more precisely, I went back to the upstream patches for
>>>> 5.2, applied them and unit-tested them.
>>>> (debdiff.txt from the above URL attached for reference.)
>>> Thanks, please upload! (Target distro needs to be buster-security instead of
>> I can upload, though as I mentioned at [1] I prepared this as a basis
>> for the rails maintainers. It doesn't fix CVE-2020-8162/66/67 and didn't
>> go through the same level of testing than the jessie/stretch updates.
>> [1] https://lists.debian.org/debian-lts/2020/07/msg00065.html
> Ah, I forgot about the missing CVEs, I'll add them myself on top of your patch
> (will test them with a Puppet setup, which makes plenty of use of Rails)
> So, no need to uploading :-)

I see that today's buster security update includes none of what I had

To improve future collaboration, what there something you wanted to see
done differently?


Reply to: