Re: rails update

To: Debian Security Team <team@security.debian.org>
Cc: debian-lts@lists.debian.org
Subject: Re: rails update
From: Sylvain Beucler <beuc@beuc.net>
Date: Mon, 28 Sep 2020 12:25:06 +0200
Message-id: <[🔎] 1e3e2b28-dfe9-6b51-065e-71f3ff478b3f@beuc.net>
In-reply-to: <[🔎] 2b88dbf6-d1bb-b7f2-9f2b-89c8744677f7@beuc.net>
References: <8676b38f-ba23-17a6-2fa6-2e26c9de0df0@beuc.net> <a1d12d8f-01e4-f290-59f6-c8e4d0dff833@beuc.net> <20200630203842.GA370369@eldamar.local> <ef824695-bcca-ad2d-17eb-8b9c0db79135@beuc.net> <9FC31F14-6432-4B28-8513-F22623028A76@onenetbeyond.org> <14e0c51a-7341-bc29-7d9c-0600a0154d64@beuc.net> <20200710082857.GA185102@pisco.westfalen.local> <eec1fd97-5908-6b61-57ac-d17040fdfbe8@beuc.net> <20200714202953.GA206124@pisco.westfalen.local> <0b7e0118-24f2-9d06-dbd7-e963f8272e57@beuc.net> <20200715085321.sddzxrpajq7kapyx@inutil.org> <[🔎] 2b88dbf6-d1bb-b7f2-9f2b-89c8744677f7@beuc.net>

On 24/09/2020 23:14, Sylvain Beucler wrote:
> Hi Security Team,
> 
> On 15/07/2020 10:53, Moritz Muehlenhoff wrote:
>> On Wed, Jul 15, 2020 at 09:03:01AM +0200, Sylvain Beucler wrote:
>>> On 14/07/2020 22:29, Moritz Mühlenhoff wrote:
>>>> On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wrote:
>>>>> On 10/07/2020 10:28, Moritz Mühlenhoff wrote:
>>>>>> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>>>>>>> - buster update
>>>>>>>
>>>>>>> I now "up-ported" my stretch work at:
>>>>>>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>>>>>>> + added the redis side of CVE-2020-8165
>>>>>>
>>>>>> What do you mean with up-ported? Applying a patch made for an older release
>>>>>> to a more recent release will miss all code which wasn't present in
>>>>>> the older suite.
>>>>>
>>>>> To phrase it more precisely, I went back to the upstream patches for
>>>>> 5.2, applied them and unit-tested them.
>>>>>
>>>>> (debdiff.txt from the above URL attached for reference.)
>>>>
>>>> Thanks, please upload! (Target distro needs to be buster-security instead of
>>>> UNRELEASED ofc)
>>>
>>> I can upload, though as I mentioned at [1] I prepared this as a basis
>>> for the rails maintainers. It doesn't fix CVE-2020-8162/66/67 and didn't
>>> go through the same level of testing than the jessie/stretch updates.
>>>
>>> [1] https://lists.debian.org/debian-lts/2020/07/msg00065.html
>>
>> Ah, I forgot about the missing CVEs, I'll add them myself on top of your patch
>> (will test them with a Puppet setup, which makes plenty of use of Rails)
>>
>> So, no need to uploading :-)
> 
> I see that today's buster security update includes none of what I had
> prepared.
> 
> To improve future collaboration, what there something you wanted to see
> done differently?

Ping?

Cheers!
Sylvain

Reply to:

References:
- Re: rails update
  - From: Sylvain Beucler <beuc@beuc.net>

Prev by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Next by Date: Bug#971264: mediawiki: ParseError after 1.27.7-1~deb9u4 upgrade (blame patch for User::pingLimiter)
Previous by thread: Re: rails update
Next by thread: Thoughts on CVE-2020-15049/squid3?
Index(es):
- Date
- Thread