On 24/09/2020 23:14, Sylvain Beucler wrote:
> Hi Security Team,
>
> On 15/07/2020 10:53, Moritz Muehlenhoff wrote:
>> On Wed, Jul 15, 2020 at 09:03:01AM +0200, Sylvain Beucler wrote:
>>> On 14/07/2020 22:29, Moritz Mühlenhoff wrote:
>>>> On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wrote:
>>>>> On 10/07/2020 10:28, Moritz Mühlenhoff wrote:
>>>>>> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>>>>>>> - buster update
>>>>>>>
>>>>>>> I now "up-ported" my stretch work at:
>>>>>>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>>>>>>> + added the redis side of CVE-2020-8165
>>>>>>
>>>>>> What do you mean with up-ported? Applying a patch made for an older
>>>>>> release to a more recent release will miss all code which wasn't
>>>>>> present in the older suite.
>>>>>
>>>>> To phrase it more precisely, I went back to the upstream patches for
>>>>> 5.2, applied them and unit-tested them.
>>>>>
>>>>> (debdiff.txt from the above URL attached for reference.)
>>>>
>>>> Thanks, please upload! (Target distro needs to be buster-security
>>>> instead of UNRELEASED ofc)
>>>
>>> I can upload, though as I mentioned at [1] I prepared this as a basis
>>> for the rails maintainers. It doesn't fix CVE-2020-8162/66/67 and didn't
>>> go through the same level of testing as the jessie/stretch updates.
>>>
>>> [1] https://lists.debian.org/debian-lts/2020/07/msg00065.html
>>
>> Ah, I forgot about the missing CVEs, I'll add them myself on top of your
>> patch (will test them with a Puppet setup, which makes plenty of use of
>> Rails)
>>
>> So, no need to upload :-)
>
> I see that today's buster security update includes none of what I had
> prepared.
>
> To improve future collaboration, was there something you wanted to see
> done differently?

Ping?

Cheers!
Sylvain