Hi Antonio,

On 08/07/2020 18:32, terce...@debian.org wrote:
> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>> Back to the initial topic, the current tasks underway are:
>>
>>
>> - stretch update review
>>
>> The update is ready:
>> https://www.beuc.net/tmp/debian-lts/rails/
>>
>> It includes an additional regression fix for CVE-2020-8163.
>> https://security-tracker.debian.org/tracker/CVE-2020-8163
>>
>> I requested upstream feedback but given that 4.x is EOL so far no luck.
>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
>> https://github.com/rails/rails/pull/39806
>>
>> Hence we called for a review from a Ruby/Rails-savvy DD.
>> (stretch moved from oldstable->LTS meanwhile, but the review would still
>> be appreciated)
>> Anyone up?
>>
>>
>> - buster update
>>
>> I now "up-ported" my stretch work at:
>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>> + added the redis side of CVE-2020-8165
>>
>> I believe I would do a disservice to the community if I did a one-time
>> update masking possible problems with long-term maintenance, so I'm
>> leaving the other CVEs to fix
>> (cf. https://security-tracker.debian.org/tracker/source-package/rails)
>
> I looked briefly at both updates, and the new patches included in them
> look sane and reasonable.
Thanks for your review!

Also my regression fix for CVE-2020-8163 (4.x) was merged:
https://github.com/rails/rails/commit/0ecaaf76d1b79cf2717cdac754e55b4114ad6599

Cheers!
Sylvain