[DRE-maint] Debian LTS Security update of ruby-rest-client (advice needed)

Antonio Terceiro terceiro at debian.org
Fri May 20 11:51:16 UTC 2016


(fixed the subject to mention the right package)

On Fri, May 20, 2016 at 01:02:11PM +0200, Ola Lundqvist wrote:
> Hi ruby-rest-client maintainer(s) and Debian LTS team
> 
> This is my second contribution to Debian LTS and this time I need some
> advice. This fix requires a dependency on ruby-http-cookie which is not in
> wheezy.
> 
> I have prepared an update of the ruby-rest-client package to correct the
> problem described in
> https://security-tracker.debian.org/tracker/CVE-2015-1820
> (I have not fixed CVE-2015-3448 as it was marked as "no DSA" in the
> security tracker).
> 
> The change was simple as the fix was in jessie 1.6.7-6 with a prepared
> patch. So I have simply copied the patch file and series file to the
> debian/patch directory, changed the changelog and control file and rebuilt.
> 
> The prepared package is here:
> http://apt.inguza.net/wheezy-security/ruby-rest-client
> The debdiff is here:
> http://apt.inguza.net/wheezy-security/ruby-rest-client/debdiff-against-previous-version-in-wheezy.patch
> 
> I see two options:
> 1) I upload this fix above and we introduce the ruby-http-cookie (its
> dependencies are already there, I have tested with the jessie version of
> ruby-http-cookie on wheezy, so it is just to add this package too)
> 2) We tell that the fix is not important enough.
> I do not see the point in trying to change the correction in some other way
> for wheezy.

Can you introduce new packages in LTS? If you can, then just doing that
and using the patch that was applied in jessie is probably good enough.