Your message dated Fri, 29 Mar 2019 09:54:53 +0000 with message-id <E1h9oDt-0000Zv-5R@respighi.debian.org> and subject line unblock ruby2.5 has caused the Debian Bug report #925923, regarding unblock: ruby2.5/2.5.5-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 925923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925923 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: ruby2.5/2.5.5-1
- From: Antonio Terceiro <terceiro@debian.org>
- Date: Thu, 28 Mar 2019 13:03:57 -0300
- Message-id: <[🔎] 20190328160357.GA4601@debian.org>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby2.5. This is a maintainance-only new upstream release that includes fixes for important bugs, and 6 security bugs. Changelog: ruby2.5 (2.5.5-1) unstable; urgency=medium . * New upstream version 2.5.5. Includes a series of bug fixes, most notably for 6 security bugs discovered in Rubygems: - CVE-2019-8320: Delete directory using symlink when decompressing tar - CVE-2019-8321: Escape sequence injection vulnerability in verbose - CVE-2019-8322: Escape sequence injection vulnerability in gem owner - CVE-2019-8323: Escape sequence injection vulnerability in API response handling - CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution - CVE-2019-8325: Escape sequence injection vulnerability in errors * Rebase patches. The following patches were applied upstream and dropped from the Debian package: - 0011-Update-for-tzdata-2018f.patch - 0012-test-update-test-certificate.patch The full diff against the version in testing is attached. It's a bit big, but I have reviewed the changes and there is nothing worrysome from my POV. You will notice that a few functions are renamed, but they are not part of the API or the ABI since they are not exported in the -dev header files. Having this version in buster will make the maintainance in stable a lot easier. unblock ruby2.5/2.5.5-1 -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_CRAP Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), LANGUAGE=pt_BR:pt:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabledAttachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 925923-done@bugs.debian.org
- Subject: unblock ruby2.5
- From: Emilio Pozuelo Monfort <pochu@respighi.debian.org>
- Date: Fri, 29 Mar 2019 09:54:53 +0000
- Message-id: <E1h9oDt-0000Zv-5R@respighi.debian.org>
Unblocked.
--- End Message ---