Hi,

On 30/06/2020 22:38, Salvatore Bonaccorso wrote:
> On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote:
>> On 25/06/2020 18:20, Sylvain Beucler wrote:
>>> On 22/06/2020 13:23, Sylvain Beucler wrote:
>>>> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>>>>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <b...@beuc.net> wrote:
>>>>>> Hmm, are you the only active maintainer for rails?
>>>>>
>>>>> There are 3 maintainers. CC'ed rails@p.d.o.
>>>>> However, since you have already worked on preparing the fix for
>>>>> Jessie, it's much easier on your part to do it for Stretch and Buster.
>>>>> But that's volunteer work :)
>>>>>
>>>>> If you don't want to work, don't :)
>>>>
>>>> For rails@d.p.o's info, I explained at:
>>>> https://lists.debian.org/debian-lts/2020/06/msg00063.html
>>>> that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
>>>> https://www.beuc.net/tmp/debian-lts/rails/
>>>>
>>>> However the buster version (5.2.2.1) is affected by a different set of
>>>> vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
>>>> the update causes new issues.
>>>>
>>>> That's why I think it'd make more sense for the rails maintainers to
>>>> backport the latest bullseye update.
>>>>
>>>> Let me know what you plan to do.
>>>>
>>>>>> Which security update broke what, exactly?
>>>>>
>>>>> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
>>>>> fixes for CVE-2020-816{2,4,5,6,7}.
>>>>> JavaScript bundle generation for Activestorage didn't work w/o that
>>>>> patch. We had to switch to node-babel7 for that.
>>>>
>>>> I updated
>>>> https://wiki.debian.org/LTS/TestSuites/rails
>>>> accordingly.
>>>>
>>>> The stretch update passes this new test.
>>>>
>>>> (Though in this particular case it may have just been due to node-babel
>>>> changes in unstable since March, e.g. babel7 is pulled through
>>>> node-regenerator-transform.)
>>>
>>> Status update: jessie and stretch are affected by new important
>>> CVE-2020-8163.
>>> buster and above not affected.
>>> Currently waiting for upstream's feedback on a second regression, then
>>> I'll prepare an update for jessie & stretch.
>>
>> https://www.beuc.net/tmp/debian-lts/rails/ is updated.
>>
>> Upstream showed little care for 4.x and I don't expect further feedback,
>> so I went ahead and backported:
>> https://github.com/rails/rails/commit/d9ff835b99ff3c7567ccde9b1379b4deeabee32f
>> to fix the regression, including tests.
>>
>> Rationale at:
>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
>>
>> Note: redmine/stretch (< 3.4) was not affected by the regression.
>
> Attaching the debdiff for reference. The changes look good to me, but
> I definitively would like to see a second pair of eyes here from the
> rails maintainers, in particular for CVE-2020-8163, Utkarsh?
>
> There is no lost work, but if we want to release a rails update for
> stretch (before it moves to LTS), we should try to get as well a rails
> update being prepared for buster, Utkarsh you indicated lack of time
> currently, anyone else up from the rails maintainers?

@security team: forwarding praveen's message below
@others: including context for that message above

It seems the perception of what is and isn't supported varies.

On 06/07/2020 09:01, Pirate Praveen wrote:
> Hi,
>
> My main motivation for maintaining rails is for gitlab. Since gitlab is
> not in stable, I don't usually do stable updates of rails (I think
> Utkarsh does it usually). I provide rails updates via buster-backports
> or fasttrack.debian.net. I think redmine is also supported via
> buster-backports only. open-build-system and debci are other rails apps
> and maybe their uploaders are interested in buster updates.
>
> Thanks
> Praveen, one of the uploaders of rails.
>
> Note: debian-ruby@l.d.o is a better place to discuss these issues.
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.