[DRE-maint] Debian LTS Security update of ruby-mail (advice needed)

Lucas Kanashiro kanashiro.duarte at gmail.com
Fri May 20 11:50:40 UTC 2016 

Hi Ola,

I had a look in this package a couple of weeks ago and I found the same
problem. I discussed it with Antonio and I think that we can skip this
package instead of add a new dependency in wheezy. We guess that implement
a cookie_jar "by hand" is not a good idea :)

Cheers,

Em sex, 20 de mai de 2016 08:02, Ola Lundqvist <ola at inguza.com> escreveu:

> Hi ruby-rest-client maintainer(s) and Debian LTS team
>
> This is my second contribution to Debian LTS and this time I need some
> advice. This fix require a dependency on ruby-http-cookie which is not in
> wheezy.
>
> I have prepared an update of the ruby-rest-client package to correct the
> problem described in
> https://security-tracker.debian.org/tracker/CVE-2015-1820
> (I have not fixed CVE-2015-3448 as it was marked as "no DSA" in the
> security tracker).
>
> The change was simple as the fix was in jessie 1.6.7-6 with a prepared
> patch. So I have simply copied the patch file and series file to the
> debian/patch directory, changed the changelog and control file and rebuilt.
>
> The prepared package is here:
> http://apt.inguza.net/wheezy-security/ruby-rest-client
> The debdiff is here:
>
> http://apt.inguza.net/wheezy-security/ruby-rest-client/debdiff-against-previous-version-in-wheezy.patch
>
> I see two options:
> 1) I upload this fix above and we introduce the ruby-http-cookie (its
> dependencies are already there, I have tested with the jessie version of
> ruby-http-cookie on wheezy, so it is just to add this package too)
> 2) We tell that the fix is not important enough.
> I do not see the point in trying to change the correction in some other
> way for wheezy.
>
> Thanks in advance.
>
> Best regards,
>
> // Ola
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> /  ola at inguza.com                    Folkebogatan 26            \
> |  opal at debian.org                   654 68 KARLSTAD            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>  ---------------------------------------------------------------
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20160520/8887a1cf/attachment.html>

More information about the Pkg-ruby-extras-maintainers mailing list