Re: Issues regarding ruby-rack/CVE-2019-16782
Hi
I think a no-dsa (ignored) would be good in this case.
Ignored because we have been quite detailed in the analysis and the
upstream fix causes a regression.
// Ola
On Thu, 23 Apr 2020 at 23:40, Utkarsh Gupta <utkarsh@debian.org> wrote:
>
> Hi Brian,
>
> On Fri, Apr 24, 2020 at 2:49 AM Brian May <bam@debian.org> wrote:
> > For reference I filed a similar bug against Django
> > <https://code.djangoproject.com/ticket/31412#comment:8> and they
> > responded with:
> >
> > > After consideration, the Django Security Team conclude that this is not
> > > a practical attack vector.
> > >
> > > Work on the related hardenings, such as the referenced tickets should
> > > continue.
> >
> > I am inclined to think we do not need to worry about patching old
> > releases for this vulnerability for similar reasons.
>
> Thank you for this. I've started to think on the same lines.
> During this weekend, I'll take a quick look over what other
> distributions are doing for this.
>
> And if I don't find something, we could perhaps mark this as "no-dsa"?
> I've updated the version (and this is fixed) in unstable/testing.
> However, I'll close the bug with the next update after cross-checking
> if everything, indeed, is alright.
>
> Let me know if this seems alright?
>
>
> Best,
> Utkarsh
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------