On 3/27/25 6:47 PM, Daniel Leidert wrote:
Hi Praveen,

I'm currently working on an LTS update for ruby-saml to fix the CVEs mentioned in #1100441 for Bullseye. For Sid, the issue could be fixed by an upload of version 1.18.0. Gitlab and ruby-omniauth-saml seem to be the only reverse-dependencies. The upgrade of ruby-saml would require uploading v2.2.3 of ruby-omniauth-saml as well. And that would also fix the same set of CVEs in ruby-omniauth-saml [1]. After that, I would like to prep a PU for ruby-saml in Bookworm.

[1] https://github.com/omniauth/omniauth-saml/blob/master/CHANGELOG.md

Are there any reasons against uploading these versions of ruby-saml and ruby-omniauth-saml? Do you have any objections to these plans?

Regards, Daniel
Hi Daniel,

I saw some mails where Utkarsh was discussing ruby-saml with the security team (the rails thread was extended to rack and ruby-saml). So just check with Utkarsh first whether he has started it already or not.

Thanks,
Praveen