Hiya,
On 22/12/19 9:32 am, Youhei SASAKI wrote:
> Hi folks,
> I pushed a security fix (CVE-2019-16782) for the ruby-rack package for buster.
> branch: https://salsa.debian.org/ruby-team/ruby-rack/tree/buster
> CVE info: https://security-tracker.debian.org/tracker/CVE-2019-16782
> Please review this branch.
Only a couple of days back, I sent a mail[1] to the security team,
asking them to *not* upload ruby-rack to Jessie, Stretch, Buster.
Reason being, the patch upstream provides introduces a regression,
resulting in some issues in using the library.
Also, there's a slight possibility of this patch inducing a backdoor on
its own.
Both the issues have been opened upstream.
What I'd suggest is to patch this CVE when both of the above issues are
fixed, too.
Let me know if you have any questions.
Best,
Utkarsh
---
[1]: https://lists.debian.org/debian-lts/2019/12/msg00050.html