Re: CVE-2021-28965

To: 986806@bugs.debian.org
Cc: debian-ruby <debian-ruby@lists.debian.org>, Debian Security Team <team@security.debian.org>, Pirate Praveen <praveen@onenetbeyond.org>
Subject: Re: CVE-2021-28965
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Sat, 17 Apr 2021 22:16:29 +0530
Message-id: <[🔎] CAPP0f95pZT0WwGNp-VdXrmfd5eQKzCVWTPce3tXy60SHWOggqg@mail.gmail.com>
In-reply-to: <[🔎] C3INRQ.UM7H2BI67AU32@onenetbeyond.org>
References: <[🔎] C3INRQ.UM7H2BI67AU32@onenetbeyond.org>

Hi Praveen,

On Fri, Apr 16, 2021 at 3:24 PM Pirate Praveen <praveen@onenetbeyond.org> wrote:
> I think the separate package was introduced by mistake without seeing
> the copy embedded in ruby. I think the right way is to fix this in ruby
> and remove this separate package. But I'd like someone from ruby team
> to confirm this.

Makes sense. Probably the time to RM ruby-rexml from the archive is *now*?

As for fixing this in src:ruby2.7, see #986742. TL;DR: ruby2.7 2.7.3-1
was uploaded to fix this earlier today.

- u

Reply to:

Follow-Ups:
- Re: CVE-2021-28965
  - From: Pirate Praveen <praveen@onenetbeyond.org>

References:
- Re: CVE-2021-28965
  - From: Pirate Praveen <praveen@onenetbeyond.org>

Prev by Date: Re: Bug#986742: unblock: ruby2.7/2.7.3-1
Next by Date: Re: CVE-2021-28965
Previous by thread: Re: CVE-2021-28965
Next by thread: Re: CVE-2021-28965
Index(es):
- Date
- Thread