
Re: Issues regarding ruby-rack/CVE-2019-16782



Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:

> Please don't yet patch CVE-2019-16782 for Buster, Stretch, Jessie, et al.
> This security update induces a regression, resulting in some issues in
> using the library.
> Also, there's a slight possibility of this patch inducing a backdoor on
> its own.
>
> The issues have already been opened to/with the upstream and I hope
> they're looking into it.
> P.S. Shall update here when available :)

For reference I filed a similar bug against Django
<https://code.djangoproject.com/ticket/31412#comment:8> and they
responded with:

> After consideration, the Django Security Team conclude that this is not
> a practical attack vector.
>
> Work on the related hardenings, such as the referenced tickets should
> continue.

I am inclined to think we do not need to worry about patching old
releases for this vulnerability for similar reasons.
-- 
Brian May <bam@debian.org>

