On Sat, Nov 04, 2017 at 10:08:36PM +0100, Salvatore Bonaccorso wrote:
> Hi Antonio
>
> Sorry for the late reply
>
> On Mon, Oct 23, 2017 at 11:49:28AM -0200, Antonio Terceiro wrote:
> > Hi security team,
> >
> > I have prepared a security update for ruby2.3.
> >
> > It includes all the pending recent CVEs, plus a fix for a bug that
> > causes runaway child processes hogging the CPU, noticed at least in
> > puppet.
>
> For the latter one, not directly a security issue, strictly speaking we
> would need an ack from the SRM to see they would ack it to a point
> release and then we can pick it as well for a security update. The
> patch though looks confined enough that I would trust it's okay as
> well for SRM to see it included (Cc'ed explicitly Adam).
>
> > The test suite still passes both during build, and under autopkgtest. I
> > am running these packages on my workstation since yesterday. The patches
> > are targeted enough that I don't expect any regressions.
> >
> > As I explained before, unfortunately the patch management for ruby2.3 is
> > not optimal, so I attach both the debdiff and the individual patches
> > that I applied to the git repository. The latter will make your review
> > work easier.
> >
> > You can also inspect the git repository:
> > https://anonscm.debian.org/cgit/collab-maint/ruby.git/log/?h=debian/stretch
>
> Yes thank you. Please go ahead with the upload to security-master
> (unless you in the meanwhile have found any regression caused by the
> update on your workstation).

Uploaded.

