Hi,

On 25/06/2020 18:20, Sylvain Beucler wrote:
> On 22/06/2020 13:23, Sylvain Beucler wrote:
>> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <b...@beuc.net> wrote:
>>>> Hmm, are you the only active maintainer for rails?
>>>
>>> There are 3 maintainers. CC'ed rails@p.d.o.
>>> However, since you have already worked on preparing the fix for
>>> Jessie, it's much easier on your part to do it for Stretch and Buster.
>>> But that's volunteer work :)
>>>
>>> If you don't want to work, don't :)
>>
>> For rails@d.p.o's info, I explained at:
>> https://lists.debian.org/debian-lts/2020/06/msg00063.html
>> that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
>> https://www.beuc.net/tmp/debian-lts/rails/
>>
>> However the buster version (5.2.2.1) is affected by a different set of
>> vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
>> the update causes new issues.
>>
>> That's why I think it'd make more sense for the rails maintainers to
>> backport the latest bullseye update.
>>
>> Let me know what you plan to do.
>>
>>>> Which security update broke what, exactly?
>>>
>>> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
>>> fixes for CVE-2020-816{2,4,5,6,7}.
>>> JavaScript bundle generation for Activestorage didn't work w/o that
>>> patch. We had to switch to node-babel7 for that.
>>
>> I updated
>> https://wiki.debian.org/LTS/TestSuites/rails
>> accordingly.
>>
>> The stretch update passes this new test.
>>
>> (Though in this particular case it may have just been due to node-babel
>> changes in unstable since March, e.g. babel7 is pulled through
>> node-regenerator-transform.)
>
> Status update: jessie and stretch are affected by new important
> CVE-2020-8163.
> buster and above not affected.
> Currently waiting for upstream's feedback on a second regression, then
> I'll prepare an update for jessie & stretch.
https://www.beuc.net/tmp/debian-lts/rails/ is updated.

Upstream showed little care for 4.x and I don't expect further feedback,
so I went ahead and backported:
https://github.com/rails/rails/commit/d9ff835b99ff3c7567ccde9b1379b4deeabee32f
to fix the regression, including tests.
Rationale at:
https://github.com/rails/rails/issues/39301#issuecomment-648885623

Note: redmine/stretch (< 3.4) was not affected by the regression.

Cheers!
Sylvain