Re: CVE-2021-28965

To: 986806@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, debian-ruby <debian-ruby@lists.debian.org>
Subject: Re: CVE-2021-28965
From: Pirate Praveen <praveen@onenetbeyond.org>
Date: Fri, 16 Apr 2021 15:22:24 +0530
Message-id: <[🔎] C3INRQ.UM7H2BI67AU32@onenetbeyond.org>

On Mon, 12 Apr 2021 12:05:29 +0200 Moritz Muehlenhoff <jmm@debian.org>wrote:>https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/

> Why is there a separate package duplicating rexml from src:ruby2.7in bullseye?

I think the separate package was introduced by mistake without seeingthe copy embedded in ruby. I think the right way is to fix this in rubyand remove this separate package. But I'd like someone from ruby teamto confirm this.

Reply to:

Follow-Ups:
- Re: CVE-2021-28965
  - From: Antonio Terceiro <terceiro@debian.org>
- Re: CVE-2021-28965
  - From: Utkarsh Gupta <utkarsh@debian.org>

Prev by Date: Re: plan for cinc, chef and ohai and some of its components packaging
Next by Date: Re: CVE-2021-28965
Previous by thread: Re: plan for cinc, chef and ohai and some of its components packaging
Next by thread: Re: CVE-2021-28965
Index(es):
- Date
- Thread