On 24/09/2020 23:14, Sylvain Beucler wrote:
> Hi Security Team,
>
> On 15/07/2020 10:53, Moritz Muehlenhoff wrote:
>> On Wed, Jul 15, 2020 at 09:03:01AM +0200, Sylvain Beucler wrote:
>>> On 14/07/2020 22:29, Moritz Mühlenhoff wrote:
On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wr
Hi Security Team,
On 15/07/2020 10:53, Moritz Muehlenhoff wrote:
> On Wed, Jul 15, 2020 at 09:03:01AM +0200, Sylvain Beucler wrote:
>> On 14/07/2020 22:29, Moritz Mühlenhoff wrote:
>>> On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wrote:
On 10/07/2020 10:28, Moritz Mühlenhoff wrot
Hi Sylvain,
On Mo 31 Aug 2020 12:34:07 CEST, Sylvain Beucler wrote:
Hi all,
On 03/08/2020 16:43, Utkarsh Gupta wrote:
On Mon, Aug 3, 2020 at 6:02 PM Sylvain Beucler wrote:
This version is now impacted by new security issues, such as
CVE-2020-8163, so I would recommend upgrading anyway. Th
Hi all,
On 03/08/2020 16:43, Utkarsh Gupta wrote:
> On Mon, Aug 3, 2020 at 6:02 PM Sylvain Beucler wrote:
>> This version is now impacted by new security issues, such as
>> CVE-2020-8163, so I would recommend upgrading anyway. There is no place
>> to upload a new version (in particular, not in E
Hi Sylvain,
On Mon, Aug 3, 2020 at 6:02 PM Sylvain Beucler wrote:
> This version is now impacted by new security issues, such as
> CVE-2020-8163, so I would recommend upgrading anyway. There is no place
> to upload a new version (in particular, not in ELTS where neither rails
> nor redmine are s
Hi,
On 03/08/2020 13:52, Utkarsh Gupta wrote:
> Whilst I am totally fine by this suggestion, but still asking..
> Would it make sense to fix this, since this upload was made just
> around the time Jessie was EOL'ed.
> Of course, I'd want people to upgrade, for sure, but in case they
> can't, I don
Hi Sylvain,
On Mon, Aug 3, 2020 at 5:15 PM Sylvain Beucler wrote:
> Then I realized that this is about Debian Jessie which reached
> end-of-life a month ago, so the solution is to upgrade to Debian 9.
Whilst I am totally fine by this suggestion, but still asking..
Would it make sense to fix this
Hi,
On 03/08/2020 10:38, Utkarsh Gupta wrote:
> On 8/3/20 1:56 PM, Utkarsh Gupta wrote:
>> On Tue, 07 Jul 2020 09:36:20 +0200 "s.jaekel" wrote:
>>> Package: ruby-rails
>>> Version: 2:4.1.8-1+deb8u7
>>> Severity: important
>>> Tags: upstream
>>>
>>> I updated the ruby-rails packages last week.
>>>
On 8/3/20 1:56 PM, Utkarsh Gupta wrote:
> On Tue, 07 Jul 2020 09:36:20 +0200 "s.jaekel" wrote:
>> Package: ruby-rails
>> Version: 2:4.1.8-1+deb8u7
>> Severity: important
>> Tags: upstream
>>
>> I updated the ruby-rails packages last week.
>> Since then I can use the also installed redmine (3.0~201
Hi
On Tue, 07 Jul 2020 09:36:20 +0200 "s.jaekel" wrote:
> Package: ruby-rails
> Version: 2:4.1.8-1+deb8u7
> Severity: important
> Tags: upstream
>
> I updated the ruby-rails packages last week.
> Since then I can use the also installed redmine (3.0~20140825-8~deb8u4)
> no longer link tickets tog
Hi Antonio,
On 08/07/2020 18:32, terce...@debian.org wrote:
> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>> Back to the initial topic, the current tasks underway are:
>>
>>
>> - stretch update review
>>
>> The update is ready:
>> https://www.beuc.net/tmp/debian-lts/rails/
>>
On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 10/07/2020 10:28, Moritz Mühlenhoff wrote:
> > On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
> >> Hi,
> >>
> >> - buster update
> >>
> >> I now "up-ported" my stretch work at:
> >> https://www.beuc.net
Hi,
On 10/07/2020 10:28, Moritz Mühlenhoff wrote:
> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>> Hi,
>>
>> - buster update
>>
>> I now "up-ported" my stretch work at:
>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>> + added the redis side of CVE-2020-8165
>
> What do
On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
> Hi,
>
> - buster update
>
> I now "up-ported" my stretch work at:
> https://www.beuc.net/tmp/debian-lts/rails-buster/
> + added the redis side of CVE-2020-8165
What do you mean with up-ported? Applying a patch made for an older r
>
> >>>>> Status update: jessie and stretch are affected by new important
> >>>>> CVE-2020-8163.
> >>>>> buster and above not affected.
> >>>>> Currently waiting for upstream's feedback on a second regression, then
> >
>>> Status update: jessie and stretch are affected by new important
>>>>> CVE-2020-8163.
>>>>> buster and above not affected.
>>>>> Currently waiting for upstream's feedback on a second regression, then
>>>>> I'll prepare an updat
On Mon, 2020-07-06 at 13:25 +0530, Pirate Praveen wrote:
> Just like gitlab was removed from stable, rails can also get removed
> from stable if no one steps up to maintain it. I'm happy with rails
> in just unstable for my use cases. A package can be supported only
> when people are willing to sup
regression, then
>>>> I'll prepare an update for jessie & stretch.
>>>
>>> https://www.beuc.net/tmp/debian-lts/rails/ is updated.
>>>
>>> Upstream showed little care for 4.x and I don't expect further feedback,
>>> so I went
am's feedback on a second regression, then
>>> I'll prepare an update for jessie & stretch.
>>
>> https://www.beuc.net/tmp/debian-lts/rails/ is updated.
>>
>> Upstream showed little care for 4.x and I don't expect further feedback,
>>
Hi,
My main motivation for maintaining rails is for gitlab. Since gitlab is not in
stable, I don't usually do stable updates of rails (I think Utkarsh does it
usually). I provide rails updates via buster-backports or fasttrack.debian.net.
I think redmine is also supported via buster-backports o
ts/rails/ is updated.
>
> Upstream showed little care for 4.x and I don't expect further feedback,
> so I went ahead and backported:
> https://github.com/rails/rails/commit/d9ff835b99ff3c7567ccde9b1379b4deeabee32f
> to fix the regression, including tests.
>
> Rationale at
Hi,
On 25/06/2020 18:20, Sylvain Beucler wrote:
> On 22/06/2020 13:23, Sylvain Beucler wrote:
>> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler wrote:
Hmm, are you the only active maintainer for rails?
>>>
>>> There are 3 maintainers. CC'ed rail
Hi,
On 22/06/2020 13:23, Sylvain Beucler wrote:
> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler wrote:
>>> Hmm, are you the only active maintainer for rails?
>>
>> There are 3 maintainers. CC'ed rails@p.d.o.
>> However, since you have already worked
Hi,
On 22/06/2020 11:56, Utkarsh Gupta wrote:
> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler wrote:
>> Hmm, are you the only active maintainer for rails?
>
> There are 3 maintainers. CC'ed rails@p.d.o.
> However, since you have already worked on preparing the fix for
> Jessie, it's much easie
Hi,
On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler wrote:
> Hmm, are you the only active maintainer for rails?
There are 3 maintainers. CC'ed rails@p.d.o.
However, since you have already worked on preparing the fix for
Jessie, it's much easier on your part to do it for Stretch and Buster.
But t
Hi,
On 19/06/2020 20:18, Utkarsh Gupta wrote:
> On Fri, Jun 19, 2020 at 11:28 PM Sylvain Beucler wrote:
>> Here's the prepared stretch update:
>> https://www.beuc.net/tmp/debian-lts/rails/
>> https://www.beuc.net/tmp/debian-lts/rails/debdiff.txt
>>
>> Testing was documented at:
>> https://wiki.de
Hi Security Team, Utkarsh,
On 19/06/2020 11:40, Salvatore Bonaccorso wrote:
> On Wed, Jun 17, 2020 at 11:09:41PM +0200, Sylvain Beucler wrote:
>> I'm currently testing an update for jessie and I can prepare an update
>> for stretch (which appears to be similar).
>> (not sure what's the plan for bu
On Fri, Jun 19, 2020 at 10:46 PM Utkarsh Gupta wrote:
> Just letting you know with my rails' maintainer hat on..
> I faced a regression where I think, activestorage (one of rails' binary),
> broke and in turn, it broke a bunch of other gems as well.
>
> Please ensure that the fix of these CVE(s) w
Hi all,
On Fri, Jun 19, 2020 at 3:10 PM Salvatore Bonaccorso wrote:
> > I'm currently testing an update for jessie and I can prepare an update
> > for stretch (which appears to be similar).
> > (not sure what's the plan for buster)
> > Would you be interested?
>
> Yes if you are interested in con
Hi Sylvain,
On Wed, Jun 17, 2020 at 11:09:41PM +0200, Sylvain Beucler wrote:
> Hi Security Team,
>
> I see that 'rails' is present in dsa-needed.txt.
Right, current open rails issues would warrant a DSA.
> I'm currently testing an update for jessie and I can prepare an update
> for stretch (whi
Hi Security Team,
I see that 'rails' is present in dsa-needed.txt.
I'm currently testing an update for jessie and I can prepare an update
for stretch (which appears to be similar).
(not sure what's the plan for buster)
Would you be interested?
Note: since there's 2:4.2.7.1-1+deb9u2 in stretch-pr
31 matches