Re: rails update
- To: Debian Security Team <team@security.debian.org>
- Cc: Debian LTS <debian-lts@lists.debian.org>
- Subject: Re: rails update
- From: Sylvain Beucler <beuc@beuc.net>
- Date: Thu, 24 Sep 2020 23:14:54 +0200
- Message-id: <2b88dbf6-d1bb-b7f2-9f2b-89c8744677f7@beuc.net>
- In-reply-to: <20200715085321.sddzxrpajq7kapyx@inutil.org>
- References: <8676b38f-ba23-17a6-2fa6-2e26c9de0df0@beuc.net> <a1d12d8f-01e4-f290-59f6-c8e4d0dff833@beuc.net> <20200630203842.GA370369@eldamar.local> <ef824695-bcca-ad2d-17eb-8b9c0db79135@beuc.net> <9FC31F14-6432-4B28-8513-F22623028A76@onenetbeyond.org> <14e0c51a-7341-bc29-7d9c-0600a0154d64@beuc.net> <20200710082857.GA185102@pisco.westfalen.local> <eec1fd97-5908-6b61-57ac-d17040fdfbe8@beuc.net> <20200714202953.GA206124@pisco.westfalen.local> <0b7e0118-24f2-9d06-dbd7-e963f8272e57@beuc.net> <20200715085321.sddzxrpajq7kapyx@inutil.org>
Hi Security Team,
On 15/07/2020 10:53, Moritz Muehlenhoff wrote:
> On Wed, Jul 15, 2020 at 09:03:01AM +0200, Sylvain Beucler wrote:
>> On 14/07/2020 22:29, Moritz Mühlenhoff wrote:
>>> On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wrote:
>>>> On 10/07/2020 10:28, Moritz Mühlenhoff wrote:
>>>>> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>>>>>> - buster update
>>>>>>
>>>>>> I now "up-ported" my stretch work at:
>>>>>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>>>>>> + added the redis side of CVE-2020-8165
>>>>>
>>>>> What do you mean with up-ported? Applying a patch made for an older release
>>>>> to a more recent release will miss all code which wasn't present in
>>>>> the older suite.
>>>>
>>>> To phrase it more precisely, I went back to the upstream patches for
>>>> 5.2, applied them and unit-tested them.
>>>>
>>>> (debdiff.txt from the above URL attached for reference.)
>>>
>>> Thanks, please upload! (Target distro needs to be buster-security instead of
>>> UNRELEASED ofc)
>>
>> I can upload, though as I mentioned at [1] I prepared this as a basis
>> for the rails maintainers. It doesn't fix CVE-2020-8162/66/67 and didn't
>> go through the same level of testing as the jessie/stretch updates.
>>
>> [1] https://lists.debian.org/debian-lts/2020/07/msg00065.html
>
> Ah, I forgot about the missing CVEs, I'll add them myself on top of your patch
> (will test them with a Puppet setup, which makes plenty of use of Rails)
>
> So, no need to upload :-)
I see that today's buster security update includes none of what I had
prepared.
To improve future collaboration, was there something you wanted to see
done differently?
Cheers!
Sylvain