Re: Ruby CVEs



On Thu, Oct 12, 2017 at 01:27:41PM -0700, Bill Lipa wrote:
> There have been a number of CVEs in Ruby announced recently, for example:
> 
> https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
> 
> Do these get picked up in the Debian ruby packages?

Yes. They are in the maintainers' TODO list.

> Is it possible to
> update ruby2.3 to the 2.3.5 minor version?

No.

> I wasn't able to find much information about Debian ruby security /
> maintenance policies.

Basically it's the same as Debian in general. Usually we don't get full
new upstream releases to avoid regressions, and apply individual
security fixes and fixes for other important bugs.
