Bug#686867: jruby: CVE-2011-4838
Moritz Muehlenhoff
jmm at inutil.org
Thu Sep 20 19:51:23 UTC 2012
On Thu, Sep 20, 2012 at 12:10:30PM -0700, tony mancill wrote:
> On 09/20/2012 07:05 AM, Hideki Yamane wrote:
> > It's my mistake to have used a static version for the symlink... sorry for the mess.
> > There was also a bit of confusion about versioning, so I prepared a fix as below.
> > If it seems to be okay, I'll upload to unstable.
>
> Hello Hideki,
>
> Thank you for the quick response. The 2nd patch you supplied looks good
> to me.
>
> Also, I determined that I can build the jruby package successfully
> against the nailgun package in wheezy, which I think might be preferable
> anyway since this is a security bug that is being targeted for wheezy
> (right?). The dependency on nailgun is a build-dep only, meaning that
> it doesn't appear in the jruby Depends, and jruby is an architecture
> "any" package.
>
> Moritz, for this bug with respect to wheezy, would you prefer that an
> updated package be uploaded to unstable + an unblock request, or would
> this be a case for targeting testing-security?

testing-security doesn't work currently (only testing-proposed-updates works),
so getting this via unstable (urgency=medium) and an unblock request is the
way to go forward.

Cheers,
Moritz