Hi Security Team, Utkarsh,

On 19/06/2020 11:40, Salvatore Bonaccorso wrote:
> On Wed, Jun 17, 2020 at 11:09:41PM +0200, Sylvain Beucler wrote:
>> I'm currently testing an update for jessie and I can prepare an update
>> for stretch (which appears to be similar).
>> (not sure what's the plan for buster)
>> Would you be interested?
>
> Yes, if you are interested in contributing the updates, help is
> welcome. Apart from the proposed debdiffs, it would be ideal to hear what you
> were able to test/check.

Here's the prepared stretch update:
https://www.beuc.net/tmp/debian-lts/rails/
https://www.beuc.net/tmp/debian-lts/rails/debdiff.txt

Testing was documented at:
https://wiki.debian.org/LTS/TestSuites/rails
It includes running the DEP-8 tests (which deploys a full app) and
running the full upstream testsuite.
Test cases for the 2 CVEs were backported.

> So assuming you are interested in preparing the stretch-security one,
> would you as well work on the buster-security one? (it has a different
> set of open CVEs to be addressed).

The buster version is different and introduces 3 new vulnerabilities,
which strays a bit too far off my current work on rails.
I believe the package maintainers (possibly Utkarsh) would be in a better
position to prepare the buster update.
If the rails maintainers are not available though, I can step in.

On 19/06/2020 19:20, Utkarsh Gupta wrote:
> On Fri, Jun 19, 2020 at 10:46 PM Utkarsh Gupta <utka...@debian.org> wrote:
>> Just letting you know with my rails' maintainer hat on..
>> I faced a regression where I think activestorage (one of rails' binaries)
>> broke and, in turn, it broke a bunch of other gems as well.
>>
>> Please ensure that the fix of these CVE(s) won't break other libraries
>> because otherwise, it would mess up an instance.
>> Of course, the tests would pass, but if you can check and ensure that
>> it's not breaking other stuff, you're good to go! :)
>
> Also, I think it originated due to babel (I am not sure though!), but that
> was the closest I got to when debugging.
> If so, then I don't think anything would break.
>
> Anyway, this was the patch that fixed the regression:
> https://salsa.debian.org/ruby-team/rails/-/commit/fe3206768ed30b8eb6a83e74fc813e616d7d0db3

As far as I understand, you experienced a regression but it isn't related
to the current CVEs, is it?
Is there a depending library/app that you would recommend testing with?

Cheers!
Sylvain