[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#925604: marked as done (unblock: ruby-doorkeeper-openid-connect/1.5.5-1)

Your message dated Mon, 8 Apr 2019 15:45:49 +0200
with message-id <20190408134547.ct4weef6yhlqytui@debian.org>
and subject line Re: unblock: ruby-doorkeeper-openid-connect/1.5.5-1
has caused the Debian Bug report #925604,
regarding unblock: ruby-doorkeeper-openid-connect/1.5.5-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
925604: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925604
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Hey,

Please unblock package ruby-doorkeeper-openid-connect.

There was a CVE bug (#924747) reported against the package with severity: grave.
It was reported on 16th March and was resolved in the latest upload, which was on 24th March.
Thus, requesting you to please unblock the same and let it be a part of Buster, as was going to :)


Best,
Utkarsh

unblock ruby-doorkeeper-openid-connect/1.5.5-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message --- 
Hi,

On Thu, Apr 04, 2019 at 06:05:40AM +0530, Utkarsh Gupta wrote:
> On Sat, Mar 30, 2019 at 9:41 PM Ivo De Decker <ivodd@debian.org> wrote:
> 
>     Control: tags -1 moreinfo
> 
>     Hi,
> 
>     On Wed, Mar 27, 2019 at 07:11:57PM +0530, Utkarsh Gupta wrote:
>     > Please unblock package ruby-doorkeeper-openid-connect.
>     >
>     > There was a CVE bug (#924747) reported against the package with severity:
>     > grave.
>     > It was reported on 16th March and was resolved in the latest upload,
>     which was
>     > on 24th March.
>     > Thus, requesting you to please unblock the same and let it be a part of
>     Buster,
>     > as was going to :)
> 
>     This upload seems to include a number of changes other than the fix for the
>     security issue. This doesn't seem to comply with the freeze policy. Perhaps
>     you can clarify the changes. Otherwise, please revert the upload and upload
>     a
>     targeted fix for this issue.
> 
> 
> I do understand your point but the there are only minor changes done except for
> the bug fixing :(

The diffstat is
88 files changed, 2520 insertions(+), 59 deletions(-)

That's not 'only minor changes'.

> I was hoping for it to get unblocked (that is why I didn't do a minor update
> but just a patch update).
> Also, since gitlab is its only reverse dependency, it'll not be a problem to
> unblock I guess?

No. We are only accepting targeted fixes. So I'm closing this bug.

> If not possible, I'd perhaps be targetting for buster-backports, but was
> wishing to be unblocked to avoid other workarounds.

You can still revert the changes in unstable and upload a targeted fix for the
CVE. If that doesn't happen, removing ruby-doorkeeper-openid-connect from
buster will be the only option.

Thanks,

Ivo

--- End Message ---
Reply to: