Re: RFC: ruby-loofah 2.2.3-1+deb10u2



Hi Daniel,

On Thu, Mar 16, 2023 at 7:06 PM Utkarsh Gupta
<guptautkarsh2102@gmail.com> wrote:
> Please hold off on the update for a while. I have something to add wrt
> ruby-rails-html-sanitizer. I just haven't had the time to write it
> down, I'll get back in another ~7h.

In order to fix the CVEs of ruby-rails-html-sanitizer (also in
dla-needed), we need to ensure that the newer methods that the library
uses from newer loofah are backported. Some of these methods would've
been backported by you already (as a part of fixing the CVEs in
ruby-loofah) and there might be some remaining.

I could do a thorough review of your patches if you'd like (let me
know) and make sure that we have everything that we might need for
ruby-rails-html-sanitizer, too. I also propose that we release the two
around the same time (after smoke-testing, ensuring that the two work
well with each other). I suppose everyone using rails-html-sanitizer
should be using loofah, too, so it's important we fix both and test
them well. :)


- u