Hi all,

On 18-04-03 11:53:08, Salvatore Bonaccorso wrote:
> On Sun, Mar 25, 2018 at 07:10:40PM +0200, Georg Faerber wrote:
> > On 18-03-22 17:23:48, Moritz Muehlenhoff wrote:
> > > On Thu, Mar 22, 2018 at 05:21:15PM +0100, Georg Faerber wrote:
> > > > I would like to fix CVE-2018-8048, which is currently present in
> > > > ruby-loofah 2.0.3-2 in stretch. Do you prefer a "straight" upload
> > > > done by you, or should this be instead an upload via stretch-pu?
> > > >
> > > > In any case, I'll prepare a patch.
> > >
> > > Thanks. I think we should fix this via security.debian.org
> >
> > Please find the debdiff below. Changes pushed to git [1] in branch
> > stretch/backports.
> >
> > Please note: The first iteration of the patch didn't include DEP3
> > headers. Also, I didn't add the new test case. After review of the
> > Ruby team, I've changed this. I've removed blank lines included in the
> > upstream commit to keep the delta as small as possible.
>
> The debdiff looks good per se.

Great!

> Regarding stripping the comments and empty lines, that would not have
> been a requirement. If it helps future backports just keep them, if
> the comments are descriptive and help one can keep those as well.

I would leave it as is.

> If you were able to test sufficiently ruby-loofah with the fix in
> production please do upload (If I see it correctly you will need a
> sponsored upload). Make sure to have the upload built with -sa since
> it's the first ruby-loofah upload for stretch security-master is
> seeing.

I'm not using it in production, but all tests pass, so I think we're
good to go.

@Ruby team: If you agree, could you please do the upload?

Thanks,
cheers,
Georg