[DRE-maint] Bug#789311: Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()

Youhei SASAKI uwabami at gfd-dennou.org
Thu Jul 30 09:36:56 UTC 2015


Hi,

Thanks for your review.

On Thu, 30 Jul 2015 04:49:12 +0900,
Salvatore Bonaccorso <carnil at debian.org> wrote:
> >
> > # BTW, due to the unreported FTBFS issue about ruby-rack in jessie, we
> > # can't build package without "DH_RUBY_IGNORE_TESTS=all"...
>
> It builds for me here in pbuilder. Where exactly is the problem
> located?

In "lib/rack/response.rb": Upstream Issue: #631
  - https://github.com/rack/rack/issues/631

I attached 0002-Fix-unreported-FTBFS.patch.
This is already applied in unstable.

> "patchwise" both looks okay but I have some small comments, first the
> one for wheezy-security:
- snip -
> Use 1.4.1-2.1+deb7u1 as version, wheezy-security as distribution and
> urgency=high.
- snip -
> Same here. use 1.5.2-3+deb8u1 as version, target jessie-security and
> use urgency=high.
- snip -
> Could you make the above changes?

Thanks. Updated the package version numbers and changelogs. debdiffs attached.

> Have the resulting packages been tested in wheezy and jessie in some
> environment using ruby-rack?

Yes. I checked both with redmine in jessie and wheezy. It seems fine.

Best Wishes,
Youhei

---
Youhei SASAKI <uwabami at gfd-dennou.org>
              <uwabami at debian.or.jp>
GPG fingerprint:
  4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby-rack_wheezy.debdiff
Type: application/octet-stream
Size: 4773 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20150730/0a61ca8e/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby-rack_jessie.debdiff
Type: application/octet-stream
Size: 4413 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20150730/0a61ca8e/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Fix-unreported-FTBFS.patch
Type: application/octet-stream
Size: 496 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20150730/0a61ca8e/attachment-0005.obj>