Hi,

On Sat, 15 May 2021 11:18:31 +0000 Debian FTP Masters <ftpmas...@ftp-master.debian.org> wrote:
> rails (2:6.0.3.7+dfsg-1) unstable; urgency=high
> .
>   * Upload to unstable directly.
>   * New upstream version 6.0.3.7+dfsg. (Closes: #988214)
>     - Prevent slow regex when parsing host authorization header.
>       (Fixed: CVE-2021-22904)
>     - Prevent catastrophic backtracking during mime parsing.
>       (Fixes: CVE-2021-22902)
>     - Prevent string polymorphic route arguments.
>       (Fixes: CVE-2021-22885)
This new rails version renewed its versioned dependency on ruby-marcel. The new ruby-marcel version doesn't look like a targeted fix, so it doesn't fit the freeze policy. If I read the changelog correctly, this dependency is there to give rails a more relaxed license. I think such a change is not really needed at this stage of the freeze. Does rails still work with the old version of ruby-marcel, and can the version bump be reverted?

Paul