Hi,

On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 06/07/2020 09:55, Pirate Praveen wrote:
> > On 2020, July 6 1:09:09 PM IST, Sylvain Beucler <b...@beuc.net> wrote:
> >> On 30/06/2020 22:38, Salvatore Bonaccorso wrote:
> >>> On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote:
> >>>> On 25/06/2020 18:20, Sylvain Beucler wrote:
> >>>>> On 22/06/2020 13:23, Sylvain Beucler wrote:
> >>>>>> On 22/06/2020 11:56, Utkarsh Gupta wrote:
> >>>>>>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <b...@beuc.net> wrote:
> >>>>>>>> Hmm, are you the only active maintainer for rails?
> >>>>>>>
> >>>>>>> There are 3 maintainers. CC'ed rails@p.d.o.
> >>>>>>> However, since you have already worked on preparing the fix for
> >>>>>>> Jessie, it's much easier on your part to do it for Stretch and Buster.
> >>>>>>> But that's volunteer work :)
> >>>>>>>
> >>>>>>> If you don't want to work, don't :)
> >>>>>>
> >>>>>> For rails@d.p.o's info, I explained at:
> >>>>>> https://lists.debian.org/debian-lts/2020/06/msg00063.html
> >>>>>> that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
> >>>>>> https://www.beuc.net/tmp/debian-lts/rails/
> >>>>>>
> >>>>>> However the buster version (5.2.2.1) is affected by a different set of
> >>>>>> vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
> >>>>>> the update causes new issues.
> >>>>>>
> >>>>>> That's why I think it'd make more sense for the rails maintainers to
> >>>>>> backport the latest bullseye update.
> >>>>>>
> >>>>>> Let me know what you plan to do.
> >>>>>>
> >>>>>>>> Which security update broke what, exactly?
> >>>>>>>
> >>>>>>> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
> >>>>>>> fixes for CVE-2020-816{2,4,5,6,7}.
> >>>>>>> JavaScript bundle generation for Activestorage didn't work w/o that
> >>>>>>> patch. We had to switch to node-babel7 for that.
> >>>>>>
> >>>>>> I updated
> >>>>>> https://wiki.debian.org/LTS/TestSuites/rails
> >>>>>> accordingly.
> >>>>>>
> >>>>>> The stretch update passes this new test.
> >>>>>>
> >>>>>> (Though in this particular case it may have just been due to node-babel
> >>>>>> changes in unstable since March, e.g. babel7 is pulled through
> >>>>>> node-regenerator-transform.)
> >>>>>
> >>>>> Status update: jessie and stretch are affected by new important
> >>>>> CVE-2020-8163.
> >>>>> buster and above not affected.
> >>>>> Currently waiting for upstream's feedback on a second regression, then
> >>>>> I'll prepare an update for jessie & stretch.
> >>>>
> >>>> https://www.beuc.net/tmp/debian-lts/rails/ is updated.
> >>>>
> >>>> Upstream showed little care for 4.x and I don't expect further feedback,
> >>>> so I went ahead and backported:
> >>>> https://github.com/rails/rails/commit/d9ff835b99ff3c7567ccde9b1379b4deeabee32f
> >>>> to fix the regression, including tests.
> >>>>
> >>>> Rationale at:
> >>>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
> >>>>
> >>>> Note: redmine/stretch (< 3.4) was not affected by the regression.
> >>>
> >>> Attaching the debdiff for reference. The changes look good to me, but
> >>> I definitely would like to see a second pair of eyes here from the
> >>> rails maintainers, in particular for CVE-2020-8163, Utkarsh?
> >>>
> >>> There is no lost work, but if we want to release a rails update for
> >>> stretch (before it moves to LTS), we should try to get as well a rails
> >>> update being prepared for buster. Utkarsh, you indicated lack of time
> >>> currently; anyone else up from the rails maintainers?
>
>
> Back to the initial topic, the current tasks underway are:
>
>
> - stretch update review
>
> The update is ready:
> https://www.beuc.net/tmp/debian-lts/rails/
>
> It includes an additional regression fix for CVE-2020-8163.
> https://security-tracker.debian.org/tracker/CVE-2020-8163
>
> I requested upstream feedback but given that 4.x is EOL, so far no luck.
> https://github.com/rails/rails/issues/39301#issuecomment-648885623
> https://github.com/rails/rails/pull/39806
>
> Hence we called for a review from a Ruby/Rails-savvy DD.
> (stretch moved from oldstable->LTS meanwhile, but the review would still
> be appreciated)
> Anyone up?
>
>
> - buster update
>
> I now "up-ported" my stretch work at:
> https://www.beuc.net/tmp/debian-lts/rails-buster/
> + added the redis side of CVE-2020-8165
>
> I believe I would do a disservice to the community if I did a one-time
> update masking possible problems with long-term maintenance, so I'm
> leaving the other CVEs to fix
> (cf. https://security-tracker.debian.org/tracker/source-package/rails)
I looked briefly at both updates, and the new patches included in them look sane and reasonable.