[Git][security-tracker-team/security-tracker][master] Reserve DLA-2763-1 for ruby-kaminari

Markus Koschany (@apo) apo at debian.org
Wed Sep 22 14:41:44 BST 2021



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2b6ccfd4 by Markus Koschany at 2021-09-22T15:41:36+02:00
Reserve DLA-2763-1 for ruby-kaminari

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[22 Sep 2021] DLA-2763-1 ruby-kaminari - security update
+	{CVE-2020-11082}
+	[stretch] - ruby-kaminari 0.17.0-3+deb9u1
 [22 Sep 2021] DLA-2762-1 grilo - security update
 	{CVE-2021-39365}
 	[stretch] - grilo 0.3.2-2+deb9u1
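Review bot: the new entry records CVE-2020-11082 as fixed in stretch via ruby-kaminari 0.17.0-3+deb9u1, but the notes being dropped from dla-needed.txt in the same commit say the known fix was an app-level patch and that a library-level patch "will needed to be written", with the candidate at https://people.debian.org/~apo/lts/ruby-kaminari/CVE-2020-11082.patch described as "adding and extending the blacklist". It would help to confirm in the advisory text or package changelog that the uploaded +deb9u1 carries that library-level change, since this list entry is what the tracker will use to mark the CVE resolved for stretch. The format itself matches the adjacent DLA-2762-1 entry (date, braced CVE, stretch version line), so no change there.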


=====================================
data/dla-needed.txt
=====================================
@@ -78,20 +78,6 @@ python-babel
 qtbase-opensource-src (Utkarsh)
   NOTE: 20210914: needs further checking for vulnerability. (utkarsh)
 --
-ruby-kaminari
-  NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
-  NOTE: 20200819: the one upstream or in its many forks. For example, both dthe
-  NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories does no have the
-  NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
-  NOTE: 20200819: file has been refactored a few times). (lamby)
-  NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
-  NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
-  NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
-  NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
-  NOTE: 20210719: https://people.debian.org/~apo/lts/ruby-kaminari/CVE-2020-11082.patch
-  NOTE: 20210719: I believe the fix is just adding and extending the blacklist for ruby-kaminari.
-  NOTE: 20210719: Will discuss this with Utkarsh (maintainer) shortly.
---
 ruby2.3
   NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh)
   NOTE: 20210816: wip, backporting patches; a bit hard. (utkarsh)
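Review bot: removing the whole ruby-kaminari block together with its trailing `--` separator is correct, since it leaves exactly one separator between the qtbase-opensource-src and ruby2.3 entries. The deletion does discard the only record of the analysis (the lineage difference from kaminari/kaminari and amatsuda/kaminari, the `@params.except(:script_name)` line, and the patch URL from 20210719), so consider carrying the patch reference and the note that this is a library-level rather than app-level fix into the DLA text or the package changelog before the entry disappears from dla-needed.txt.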



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b6ccfd406574e01939d3b3c274899753224bc1c


