Hi,

On 22/06/2020 13:23, Sylvain Beucler wrote:
> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <b...@beuc.net> wrote:
>>> Hmm, are you the only active maintainer for rails?
>>
>> There are 3 maintainers. CC'ed rails@p.d.o.
>> However, since you have already worked on preparing the fix for
>> Jessie, it's much easier on your part to do it for Stretch and Buster.
>> But that's volunteer work :)
>>
>> If you don't want to work, don't :)
>
> For rails@d.p.o's info, I explained at:
> https://lists.debian.org/debian-lts/2020/06/msg00063.html
> that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
> https://www.beuc.net/tmp/debian-lts/rails/
>
> However the buster version (5.2.2.1) is affected by a different set of
> vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
> the update causes new issues.
>
> That's why I think it'd make more sense for the rails maintainers to
> backport the latest bullseye update.
>
> Let me know what you plan to do.
>
>>> Which security update broke what, exactly?
>>
>> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
>> fixes for CVE-2020-816{2,4,5,6,7}.
>> JavaScript bundle generation for Activestorage didn't work w/o that
>> patch. We had to switch to node-babel7 for that.
>
> I updated
> https://wiki.debian.org/LTS/TestSuites/rails
> accordingly.
>
> The stretch update passes this new test.
>
> (Though in this particular case it may have just been due to node-babel
> changes in unstable since March, e.g. babel7 is pulled through
> node-regenerator-transform.)

Status update: jessie and stretch are affected by new important CVE-2020-8163. buster and above not affected.

Currently waiting for upstream's feedback on a second regression, then I'll prepare an update for jessie & stretch.

Cheers!
Sylvain