Your message dated Mon, 8 Apr 2019 15:45:49 +0200
with message-id <20190408134547.ct4weef6yhlqytui@debian.org>
and subject line Re: unblock: ruby-doorkeeper-openid-connect/1.5.5-1
has caused the Debian Bug report #925604,
regarding unblock: ruby-doorkeeper-openid-connect/1.5.5-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
925604: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925604
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock: ruby-doorkeeper-openid-connect/1.5.5-1
- From: Utkarsh Gupta <guptautkarsh2102@gmail.com>
- Date: Wed, 27 Mar 2019 19:11:57 +0530
- Message-id: <CAPP0f94zFLkgeSmyxjDZ+6abGqPSVQwKsHbNNn7V1JmRYmiTPw@mail.gmail.com>
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
Hey,
Please unblock package ruby-doorkeeper-openid-connect.
There was a CVE bug (#924747) reported against the package with severity: grave.
It was reported on 16th March and was resolved in the latest upload, which was on 24th March.
Thus, requesting you to please unblock the same and let it be a part of Buster, as was going to :)
Best,
Utkarsh
unblock ruby-doorkeeper-openid-connect/1.5.5-1
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
- To: Utkarsh Gupta <guptautkarsh2102@gmail.com>
- Cc: 925604-done@bugs.debian.org
- Subject: Re: unblock: ruby-doorkeeper-openid-connect/1.5.5-1
- From: Ivo De Decker <ivodd@debian.org>
- Date: Mon, 8 Apr 2019 15:45:49 +0200
- Message-id: <20190408134547.ct4weef6yhlqytui@debian.org>
- In-reply-to: <CAPP0f9475yzh6wZxN48gkLdgAhiZ0H--Vu9puUET9k2PT8MPrQ@mail.gmail.com>
- References: <CAPP0f94zFLkgeSmyxjDZ+6abGqPSVQwKsHbNNn7V1JmRYmiTPw@mail.gmail.com> <20190330161124.3n37ygpvs4g5gcly@debian.org> <CAPP0f9475yzh6wZxN48gkLdgAhiZ0H--Vu9puUET9k2PT8MPrQ@mail.gmail.com>
Hi,

On Thu, Apr 04, 2019 at 06:05:40AM +0530, Utkarsh Gupta wrote:
> On Sat, Mar 30, 2019 at 9:41 PM Ivo De Decker <ivodd@debian.org> wrote:
>
> Control: tags -1 moreinfo
>
> Hi,
>
> On Wed, Mar 27, 2019 at 07:11:57PM +0530, Utkarsh Gupta wrote:
> > Please unblock package ruby-doorkeeper-openid-connect.
> >
> > There was a CVE bug (#924747) reported against the package with severity:
> > grave.
> > It was reported on 16th March and was resolved in the latest upload, which was
> > on 24th March.
> > Thus, requesting you to please unblock the same and let it be a part of Buster,
> > as was going to :)
>
> This upload seems to include a number of changes other than the fix for the
> security issue. This doesn't seem to comply with the freeze policy. Perhaps
> you can clarify the changes. Otherwise, please revert the upload and upload a
> targeted fix for this issue.
>
>
> I do understand your point but there are only minor changes done except for
> the bug fixing :(

The diffstat is

 88 files changed, 2520 insertions(+), 59 deletions(-)

That's not 'only minor changes'.

> I was hoping for it to get unblocked (that is why I didn't do a minor update
> but just a patch update).
> Also, since gitlab is its only reverse dependency, it'll not be a problem to
> unblock I guess?

No. We are only accepting targeted fixes. So I'm closing this bug.

> If not possible, I'd perhaps be targeting for buster-backports, but was
> wishing to be unblocked to avoid other workarounds.

You can still revert the changes in unstable and upload a targeted fix for the
CVE. If that doesn't happen, removing ruby-doorkeeper-openid-connect from
buster will be the only option.

Thanks,

Ivo
--- End Message ---