[Git][security-tracker-team/security-tracker][master] 3 commits: Claim ruby-actionpack-page-caching and ruby-kaminari
Markus Koschany (@apo)
apo at debian.org
Sun Jun 6 16:57:53 BST 2021
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
16d3eca9 by Markus Koschany at 2021-06-01T00:56:43+02:00
Claim ruby-actionpack-page-caching and ruby-kaminari
- - - - -
d38970ed by Markus Koschany at 2021-06-06T17:56:31+02:00
Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker
- - - - -
e671417f by Markus Koschany at 2021-06-06T17:57:47+02:00
Reserve DLA-2678-1 for ruby-nokogiri
- - - - -
2 changed files:
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[06 Jun 2021] DLA-2678-1 ruby-nokogiri - security update
+ {CVE-2020-26247}
+ [stretch] - ruby-nokogiri 1.6.8.1-1+deb9u1
[05 Jun 2021] DLA-2677-1 libwebp - security update
{CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331}
[stretch] - libwebp 0.5.2-1+deb9u1
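Review bot: the new DLA-2678-1 entry records only the CVE id and the stretch version, while the ruby-nokogiri notes being dropped from dla-needed.txt in the same push flag an open question about a default change (trust -> don't trust external schemas) possibly breaking compatibility; the tracker list line cannot carry that, so make sure the advisory text itself spells out the behavioural change for stretch users. The entry format (date, DLA id, package, CVE block, `[stretch] - ruby-nokogiri 1.6.8.1-1+deb9u1`) matches the libwebp entry below it.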
=====================================
data/dla-needed.txt
=====================================
@@ -65,7 +65,7 @@ prosody (Anton Gladky)
NOTE: 20210519: at least the 10MB limit mentioned in CVE-2021-32918 is present
NOTE: 20210530: WIP
--
-ruby-actionpack-page-caching
+ruby-actionpack-page-caching (Markus Koschany)
NOTE: 20200819: Upstream's patch on does not apply due to subsequent
NOTE: 20200819: refactoring. However, a quick look at the private
NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
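Review bot: the context line `NOTE: 20200819: Upstream's patch on does not apply due to subsequent` reads as if the commit reference after "on" was lost, so whoever picks this up cannot tell which upstream patch was tried; since this hunk only adds the claimant, consider also fixing that wording and adding a dated `NOTE: 20210601:` line recording the claim, as other entries in this file do (for example the `NOTE: 20210530: WIP` line above).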
@@ -80,7 +80,7 @@ ruby-doorkeeper
NOTE: 20201009: the first place or not. (utkarsh)
NOTE: 20201215: includes plaintext secret is not part of source code for stretch but there may be other ways to trigger this (ola)
--
-ruby-kaminari
+ruby-kaminari (Markus Koschany)
NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
NOTE: 20200819: the one upstream or in its many forks. For example, both dthe
NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories does no have the
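Review bot: the surrounding 20200819 notes contain typos ("both dthe", "does no have") that make the lineage remark about the Debian source versus kaminari/kaminari and amatsuda/kaminari harder to parse; while this entry is being touched to claim it, correcting them and adding a dated NOTE with the claim would keep the entry consistent with the rest of the file.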
@@ -94,11 +94,6 @@ ruby-kaminari
ruby-kramdown
NOTE: 20210412: Probably needs two commits (see the one linked in the comment of d6a1cbcb2c. (lamby)
--
-ruby-nokogiri (Markus Koschany)
- NOTE: 20210403: CVE-2020-26247: Java-level API not included in stretch but CVE also affects C/Ruby-level APIs;
- NOTE: 20210403: check if default change (trust -> don't trust external schemas) possibly breaks compatibility (Beuc)
- NOTE: 20210601: Very similar to the Jessie fix but the r-deps are different and require more testing.
---
rxvt (Utkarsh)
--
salt
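Review bot: deleting the ruby-nokogiri block drops the open 20210403 question (Beuc) about whether the schema-trust default change breaks compatibility and the 20210601 remark that the r-deps differ from the Jessie fix and need more testing, and nothing in the diff records how either was resolved; consider stating the outcome of the r-dep testing in the DLA-2678-1 announcement or in the commit message so that history is not lost with the removal. Removing the `--` separator together with the block is correct, as `ruby-kramdown` and `rxvt (Utkarsh)` remain separated by the preceding `--`.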
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0b7c442c05cea3ea50f736042cbe86e8de408ee8...e671417fd843dc0ac7f3894ce3e58cc420c5836a