On Wed, Oct 29, 2014 at 09:30:28PM +0100, Niels Thykier wrote:
> On 2014-10-29 17:15, Antonio Terceiro wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> >
> > Please unblock package ruby2.1, or age it so that it gets into testing
> > before the freeze.
> >
> > This is a new bug fix only upstream release, which contains fixes for
> > two security issues. Quoting the changelog:
> >
> >   * New upstream version
> >     - CVE-2014-8080: Denial of Service in XML Expansion
> >     - Changes default settings in OpenSSL bindings to not use deprecated and
> >       insecure ciphers; avoids issues associated to CVE-2014-3566 (i.e. the
> >       "POODLE" bug in OpenSSL)
> >
> > The debdiff against the package in testing is attached. It does contain
> > other bugfixes, but no API/ABI changes and nothing that should disrupt
> > existing software unless said software is actually depending on those
> > bugs.
> >
> > [...]
>
> The ruby2.1 package should migrate on its own tomorrow night, which is 5
> days before the freeze. Unless its migration is stalled by something,
> there is no reason for us to add an unblock. Accordingly, I will close
> this bug now.

I'm confused. I was under the assumption that at this point the urgency
field was being ignored and that all packages were waiting 10 days, so
that explicit aging had to be applied; I made 2 requests yesterday which
were handled by aging the packages to 5 days.

Is urgency=high handled differently?

> However, please keep an eye on Ruby2.1 to ensure it migrates to testing
> before the 5th of November. If it has not migrated in a couple of days,
> please do not hesitate to contact us, so we can deal with it before the
> freeze occurs.

Sure. There are no open issues that I am aware of, and I don't expect
any to arise until the freeze.

-- 
Antonio Terceiro <terceiro@debian.org>