Hi Ola, On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote: > Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team > > This is my third package contribution to Debian LTS. I'm doing this as a > training exercise and this is why the maintainer have not been asked to > this for me. > > I have prepared an update of the ruby-activerecord-3.2 package with a fix > for > https://security-tracker.debian.org/tracker/CVE-2015-7577 > > What i have done is to take the CVE-2015-7577.patch file from the rails > 2:4.1.8-1+deb8u2 package in jessie. > Two out of three chunks applied cleanly and the third one was simple to > copy-paste in place. > > I have also written a very simple test application from an example. It does > not test the specific security problem but at least show that there is no
Does it make sense to add this as an autopkgtest? > obvious regression problem. If you know of an easy way to do more extended > testing of this update then please let me know (or run it yourself and let > me know the results). As the source is so similar between the rails package > and this I trust that the extra test introduced in rails will cover the > specific problem even though I have not run it specifically (it is part of > the whole rails suite and not trivial to extract parts of it). > > You can find the debdiff here: > http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff This looks good to me. Cheers, -- Guido
