Hi,

On 22/06/2020 11:56, Utkarsh Gupta wrote:
> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <b...@beuc.net> wrote:
>> Hmm, are you the only active maintainer for rails?
>
> There are 3 maintainers. CC'ed rails@p.d.o.
> However, since you have already worked on preparing the fix for
> Jessie, it's much easier on your part to do it for Stretch and Buster.
> But that's volunteer work :)
>
> If you don't want to work, don't :)

For rails@d.p.o's info, I explained at:
https://lists.debian.org/debian-lts/2020/06/msg00063.html
that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
https://www.beuc.net/tmp/debian-lts/rails/

However the buster version (5.2.2.1) is affected by a different set of
vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
the update causes new issues.
That's why I think it'd make more sense for the rails maintainers to
backport the latest bullseye update.

Let me know what you plan to do.

>> Which security update broke what, exactly?
>
> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
> fixes for CVE-2020-816{2,4,5,6,7}.
> JavaScript bundle generation for Activestorage didn't work w/o that
> patch. We had to switch to node-babel7 for that.

I updated https://wiki.debian.org/LTS/TestSuites/rails accordingly.
The stretch update passes this new test.
(Though in this particular case it may have just been due to node-babel
changes in unstable since March, e.g. babel7 is pulled through
node-regenerator-transform.)

Cheers!
Sylvain