[DRE-maint] Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263

Thijs Kinkhorst thijs at debian.org
Wed Aug 28 08:39:20 UTC 2013


Hi Satoru,

On Thu, March 7, 2013 13:17, Satoru KURASHIKI wrote:
> On Mon, Feb 11, 2013 at 1:24 PM, Satoru KURASHIKI <lurdan at gmail.com>
> wrote:
>> I've contacted Youhei SASAKI (maintainer of ruby-rack, successor of
>> librack-ruby),
>> and acknowledged about preparing NMU for this bug.
>>
>> Please audit this patch, after that I will prepare NMU for squeeze.
>> (and after that t-p-u, unstable, ...)
>
> I've created an NMU debdiff for stable, which includes these fixes:
> #698440 (CVE-2013-0184)
> #700226 (CVE-2013-0263)
>
> These are already applied in unstable/testing.
>
> Please consider updating the stable version of librack-ruby with the
> attached debdiff to close those CVE issues.

I'm terribly sorry that it took so long to respond to your kind offer to
help with the stable security update. Nonetheless we should still be
processing it.

I'm wondering about the three other issues we have open in the tracker.

https://security-tracker.debian.org/tracker/CVE-2013-0183
https://security-tracker.debian.org/tracker/CVE-2012-6109
https://security-tracker.debian.org/tracker/CVE-2011-5036

Is there a reason they aren't included in the update, or is it an oversight?

About the changelog entry, please change "stable-security" to
"squeeze-security", and the version number should be "1.1.0-4+squeeze1".
Also, you can use "closes:" instead of "cf." so the BTS will automatically
record this fixed version as well.


Cheers,
Thijs
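As an added illustration (not part of the thread and not Debian's own tooling), here is a small Python check for the three changelog points raised above, run against a constructed draft stanza and its corrected form. The expected suite name "squeeze-security" and version "1.1.0-4+squeeze1" come from the e-mail; the bug numbers are the ones cited in the thread; the maintainer line, the draft's version string and the "Closes:" regular expression are assumptions (the regex is a simplified approximation of the pattern the BTS uses, not a copy of it).

```python
import re

# Values requested in the e-mail.
SUITE = "squeeze-security"
VERSION = "1.1.0-4+squeeze1"

# Constructed sample stanzas: NOT the real debdiff from the thread. The
# maintainer line and the draft's "1.1.0-5" version are made up; the bug
# numbers and CVE ids are the ones mentioned in the e-mail.
DRAFT = """\
librack-ruby (1.1.0-5) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2013-0184 (cf. #698440)
  * Fix CVE-2013-0263 (cf. #700226)

 -- Example Maintainer <maintainer@example.org>  Thu, 07 Mar 2013 13:17:00 +0900
"""

FIXED = """\
librack-ruby (1.1.0-4+squeeze1) squeeze-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2013-0184 (Closes: #698440)
  * Fix CVE-2013-0263 (Closes: #700226)

 -- Example Maintainer <maintainer@example.org>  Thu, 07 Mar 2013 13:17:00 +0900
"""

# First line of a debian/changelog stanza: source (version) dist; urgency=...
HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urgency>\S+)"
)
# Assumption: simplified version of the "Closes:" pattern the BTS scans for.
CLOSES_RE = re.compile(
    r"closes:\s*(?:bug)?#?\s?\d+(?:\s*,\s*(?:bug)?#?\s?\d+)*", re.IGNORECASE
)
BUG_RE = re.compile(r"#(\d+)")


def parse_header(text):
    """Return the fields of the stanza's first line as a dict."""
    first = text.lstrip().splitlines()[0]
    m = HEADER_RE.match(first)
    if not m:
        raise ValueError(f"not a debian/changelog stanza: {first!r}")
    return m.groupdict()


def closed_bugs(text):
    """Bug numbers the BTS would record as closed by this upload."""
    bugs = set()
    for m in CLOSES_RE.finditer(text):
        bugs.update(int(n) for n in re.findall(r"\d+", m.group(0)))
    return bugs


def mentioned_bugs(text):
    """Every #NNNNNN reference in the stanza, whether or not it is in a Closes:."""
    return {int(n) for n in BUG_RE.findall(text)}


def check_changelog(text, suite=SUITE, version=VERSION):
    """Return a list of problems; an empty list means the stanza is acceptable."""
    problems = []
    hdr = parse_header(text)
    dist = hdr["dist"].strip()
    if dist != suite:
        problems.append(f"distribution is {dist!r}, expected {suite!r}")
    if hdr["version"] != version:
        problems.append(f"version is {hdr['version']!r}, expected {version!r}")
    # A bug cited only as "cf. #NNN" is not closed in the BTS by the upload.
    for bug in sorted(mentioned_bugs(text) - closed_bugs(text)):
        problems.append(f"#{bug} is mentioned but not in a Closes: field")
    return problems


if __name__ == "__main__":
    for label, stanza in (("draft", DRAFT), ("fixed", FIXED)):
        print(f"{label}: closes {sorted(closed_bugs(stanza))}")
        for p in check_changelog(stanza):
            print(f"  - {p}")
```

Running it reports the wrong suite, the wrong version and the two "cf."-only bug references for the draft, and nothing for the corrected stanza, whose Closes: fields yield the two bug numbers the BTS would mark as fixed in 1.1.0-4+squeeze1.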
