Re: CVE-2021-28965

To: Pirate Praveen <praveen@onenetbeyond.org>
Cc: 986806@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>, debian-ruby <debian-ruby@lists.debian.org>
Subject: Re: CVE-2021-28965
From: Antonio Terceiro <terceiro@debian.org>
Date: Sat, 17 Apr 2021 10:41:17 -0300
Message-id: <[🔎] YHrlfegOPYoh3ZX1@debian.org>
Mail-followup-to: Antonio Terceiro <terceiro@debian.org>, Pirate Praveen <praveen@onenetbeyond.org>, 986806@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>, debian-ruby <debian-ruby@lists.debian.org>
In-reply-to: <[🔎] C3INRQ.UM7H2BI67AU32@onenetbeyond.org>
References: <[🔎] C3INRQ.UM7H2BI67AU32@onenetbeyond.org>

On Fri, Apr 16, 2021 at 03:22:24PM +0530, Pirate Praveen wrote:
> On Mon, 12 Apr 2021 12:05:29 +0200 Moritz Muehlenhoff <jmm@debian.org>
> wrote:
> > https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
> >
> > Why is there a separate package duplicating rexml from src:ruby2.7 in
> bullseye?
> 
> I think the separate package was introduced by mistake without seeing the
> copy embedded in ruby. I think the right way is to fix this in ruby and
> remove this separate package. But I'd like someone from ruby team to confirm
> this.

agreed.

Attachment: signature.asc
Description: PGP signature

Reply to:

References:
- Re: CVE-2021-28965
  - From: Pirate Praveen <praveen@onenetbeyond.org>

Prev by Date: Re: CVE-2021-28965
Next by Date: Re: Bug#986742: unblock: ruby2.7/2.7.3-1
Previous by thread: Re: CVE-2021-28965
Next by thread: Re: CVE-2021-28965
Index(es):
- Date
- Thread