Hi Security Team, On 15/07/2020 10:53, Moritz Muehlenhoff wrote: > On Wed, Jul 15, 2020 at 09:03:01AM +0200, Sylvain Beucler wrote: >> On 14/07/2020 22:29, Moritz Mühlenhoff wrote: >>> On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wrote: >>>> On 10/07/2020 10:28, Moritz Mühlenhoff wrote: >>>>> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote: >>>>>> - buster update >>>>>> >>>>>> I now "up-ported" my stretch work at: >>>>>> https://www.beuc.net/tmp/debian-lts/rails-buster/ >>>>>> + added the redis side of CVE-2020-8165 >>>>> >>>>> What do you mean with up-ported? Applying a patch made for an older >>>>> release >>>>> to a more recent release will miss all code which wasn't present in >>>>> the older suite. >>>> >>>> To phrase it more precisely, I went back to the upstream patches for >>>> 5.2, applied them and unit-tested them. >>>> >>>> (debdiff.txt from the above URL attached for reference.) >>> >>> Thanks, please upload! (Target distro needs to be buster-security instead of >>> UNRELEASED ofc) >> >> I can upload, though as I mentioned at [1] I prepared this as a basis >> for the rails maintainers. It doesn't fix CVE-2020-8162/66/67 and didn't >> go through the same level of testing than the jessie/stretch updates. >> >> [1] https://lists.debian.org/debian-lts/2020/07/msg00065.html > > Ah, I forgot about the missing CVEs, I'll add them myself on top of your patch > (will test them with a Puppet setup, which makes plenty of use of Rails) > > So, no need to uploading :-)
I see that today's buster security update includes none of what I had prepared. To improve future collaboration, what there something you wanted to see done differently? Cheers! Sylvain
