Hi,

On 06/07/2020 09:55, Pirate Praveen wrote:
> On July 6, 2020 1:09:09 PM IST, Sylvain Beucler <b...@beuc.net> wrote:
>> On 30/06/2020 22:38, Salvatore Bonaccorso wrote:
>>> On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote:
>>>> On 25/06/2020 18:20, Sylvain Beucler wrote:
>>>>> On 22/06/2020 13:23, Sylvain Beucler wrote:
>>>>>> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>>>>>>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <b...@beuc.net> wrote:
>>>>>>>> Hmm, are you the only active maintainer for rails?
>>>>>>>
>>>>>>> There are 3 maintainers. CC'ed rails@p.d.o.
>>>>>>> However, since you have already worked on preparing the fix for
>>>>>>> Jessie, it's much easier on your part to do it for Stretch and Buster.
>>>>>>> But that's volunteer work :)
>>>>>>>
>>>>>>> If you don't want to work, don't :)
>>>>>>
>>>>>> For rails@d.p.o's info, I explained at:
>>>>>> https://lists.debian.org/debian-lts/2020/06/msg00063.html
>>>>>> that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
>>>>>> https://www.beuc.net/tmp/debian-lts/rails/
>>>>>>
>>>>>> However the buster version (5.2.2.1) is affected by a different set of
>>>>>> vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
>>>>>> the update causes new issues.
>>>>>>
>>>>>> That's why I think it'd make more sense for the rails maintainers to
>>>>>> backport the latest bullseye update.
>>>>>>
>>>>>> Let me know what you plan to do.
>>>>>>
>>>>>>>> Which security update broke what, exactly?
>>>>>>>
>>>>>>> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
>>>>>>> fixes for CVE-2020-816{2,4,5,6,7}.
>>>>>>> JavaScript bundle generation for Activestorage didn't work w/o that
>>>>>>> patch. We had to switch to node-babel7 for that.
>>>>>>
>>>>>> I updated
>>>>>> https://wiki.debian.org/LTS/TestSuites/rails
>>>>>> accordingly.
>>>>>>
>>>>>> The stretch update passes this new test.
>>>>>>
>>>>>> (Though in this particular case it may have just been due to node-babel
>>>>>> changes in unstable since March, e.g. babel7 is pulled through
>>>>>> node-regenerator-transform.)
>>>>>
>>>>> Status update: jessie and stretch are affected by new important
>>>>> CVE-2020-8163.
>>>>> buster and above not affected.
>>>>> Currently waiting for upstream's feedback on a second regression, then
>>>>> I'll prepare an update for jessie & stretch.
>>>>
>>>> https://www.beuc.net/tmp/debian-lts/rails/ is updated.
>>>>
>>>> Upstream showed little care for 4.x and I don't expect further feedback,
>>>> so I went ahead and backported:
>>>> https://github.com/rails/rails/commit/d9ff835b99ff3c7567ccde9b1379b4deeabee32f
>>>> to fix the regression, including tests.
>>>>
>>>> Rationale at:
>>>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
>>>>
>>>> Note: redmine/stretch (< 3.4) was not affected by the regression.
>>>
>>> Attaching the debdiff for reference. The changes look good to me, but
>>> I definitively would like to see a second pair of eyes here from the
>>> rails maintainers, in particular for CVE-2020-8163, Utkarsh?
>>>
>>> There is no lost work, but if we want to release a rails update for
>>> stretch (before it moves to LTS), we should try to get as well a rails
>>> update being prepared for buster. Utkarsh, you indicated lack of time
>>> currently; anyone else up from the rails maintainers?
Back to the initial topic, the current tasks underway are:

- stretch update review

The update is ready:
https://www.beuc.net/tmp/debian-lts/rails/

It includes an additional regression fix for CVE-2020-8163.
https://security-tracker.debian.org/tracker/CVE-2020-8163
I requested upstream feedback but, given that 4.x is EOL, so far no luck.
https://github.com/rails/rails/issues/39301#issuecomment-648885623
https://github.com/rails/rails/pull/39806

Hence we called for a review from a Ruby/Rails-savvy DD.
(stretch moved from oldstable->LTS meanwhile, but the review would still be appreciated)
Anyone up?

- buster update

I now "up-ported" my stretch work at:
https://www.beuc.net/tmp/debian-lts/rails-buster/
+ added the redis side of CVE-2020-8165

I believe I would do a disservice to the community if I did a one-time
update masking possible problems with long-term maintenance, so I'm
leaving the other CVEs to fix (cf.
https://security-tracker.debian.org/tracker/source-package/rails)

Cheers!
Sylvain Beucler
Debian LTS Team