[DRE-maint] Debian LTS Security update of ruby-activerecord-3.2
Ola Lundqvist
opal at debian.org
Fri May 27 08:58:11 UTC 2016
Hi Guido
Regarding this question:
> Does it make sense to add this as an autopkgtest?
Well we could do that, but I do not think it is worth the effort for a
wheezy security update.
In stretch (rails package, where I got the patch from) and later there is
already a good unit test suite where this is tested. I'll leave it to the
package maintainer to decide whether it should be tested automatically.
Best regards
// Ola
On Fri, May 27, 2016 at 10:45 AM, Guido Günther <agx at sigxcpu.org> wrote:
> Hi Ola,
> On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote:
> > Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team
> >
> > This is my third package contribution to Debian LTS. I'm doing this as a
> > training exercise and this is why the maintainer has not been asked to
> > do this for me.
> >
> > I have prepared an update of the ruby-activerecord-3.2 package with a fix
> > for
> > https://security-tracker.debian.org/tracker/CVE-2015-7577
> >
> > What I have done is to take the CVE-2015-7577.patch file from the rails
> > 2:4.1.8-1+deb8u2 package in jessie.
> > Two out of three chunks applied cleanly and the third one was simple to
> > copy-paste in place.
> >
> > I have also written a very simple test application from an example. It does
> > not test the specific security problem but at least shows that there is no
>
> Does it make sense to add this as an autopkgtest?
>
> > obvious regression problem. If you know of an easy way to do more extended
> > testing of this update then please let me know (or run it yourself and let
> > me know the results). As the source is so similar between the rails package
> > and this I trust that the extra test introduced in rails will cover the
> > specific problem even though I have not run it specifically (it is part of
> > the whole rails suite and not trivial to extract parts of it).
> >
> > You can find the debdiff here:
> >
> > http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff
>
> This looks good to me.
> Cheers,
> -- Guido
>
>
--
--------------------- Ola Lundqvist ---------------------------
/ opal at debian.org Folkebogatan 26 \
| ola at inguza.com 654 68 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------