Re: Please review ruby-rack security fix CVE-2019-16782

[Youhei SASAKI <uwabami@gfd-dennou.org>]

Hi,

Thanks for your information.
I wait upstream fix.

Best Wishes,
Youhei


On December 22, 2019 7:46:40 PM Utkarsh Gupta <guptautkarsh2102@gmail.com> 
wrote:

> Hiya,
>
> On 22/12/19 9:32 am, Youhei SASAKI wrote:
> > Hi folks,
> >
> > I pushed security fix(CVE-2019-16782) of ruby-rack package for buster.
> >
> >   branch: https://salsa.debian.org/ruby-team/ruby-rack/tree/buster
> >   CVE info: https://security-tracker.debian.org/tracker/CVE-2019-16782
> >
> > Please review this branch.
>
> Only a couple of days back, I sent a mail[1] to the security team,
> asking them to *not* upload ruby-rack to Jessie, Stretch, Buster.
> Reason being, the patch upstream provides introduces a regression,
> resulting in some issues in using the library.
> Also, there's a slight possibility of this patch inducing a backdoor on
> it's own.
>
> Both the issues have been opened upstream.
> What I'd suggest is to patch this CVE when both of the above issues are
> fixed, too.
> Let me know if you have any questions?
>
>
> Best,
> Utkarsh
> ---
> [1]: https://lists.debian.org/debian-lts/2019/12/msg00050.html