Hiya,

On 22/12/19 9:32 am, Youhei SASAKI wrote:
> Hi folks,
>
> I pushed security fix (CVE-2019-16782) of ruby-rack package for buster.
>
> branch: https://salsa.debian.org/ruby-team/ruby-rack/tree/buster
> CVE info: https://security-tracker.debian.org/tracker/CVE-2019-16782
>
> Please review this branch.

Only a couple of days back, I sent a mail[1] to the security team, asking them to *not* upload ruby-rack to Jessie, Stretch, Buster. Reason being, the patch upstream provides introduces a regression, resulting in some issues in using the library. Also, there's a slight possibility of this patch inducing a backdoor on its own. Both the issues have been opened upstream.

What I'd suggest is to patch this CVE when both of the above issues are fixed, too.

Let me know if you have any questions.

Best,
Utkarsh

---
[1]: https://lists.debian.org/debian-lts/2019/12/msg00050.html