[DRE-maint] Debian LTS Security update of ruby-mail (advice needed)

Ola Lundqvist ola at inguza.com
Fri May 20 11:02:11 UTC 2016


Hi ruby-rest-client maintainer(s) and Debian LTS team

This is my second contribution to Debian LTS and this time I need some
advice. This fix requires a dependency on ruby-http-cookie which is not in
wheezy.

I have prepared an update of the ruby-rest-client package to correct the
problem described in
https://security-tracker.debian.org/tracker/CVE-2015-1820
(I have not fixed CVE-2015-3448 as it was marked as "no DSA" in the
security tracker).

The change was simple as the fix was in jessie 1.6.7-6 with a prepared
patch. So I have simply copied the patch file and series file to the
debian/patch directory, changed the changelog and control file and rebuilt.

The prepared package is here:
http://apt.inguza.net/wheezy-security/ruby-rest-client
The debdiff is here:
http://apt.inguza.net/wheezy-security/ruby-rest-client/debdiff-against-previous-version-in-wheezy.patch

I see two options:
1) I upload this fix above and we introduce the ruby-http-cookie (its
dependencies are already there, I have tested with the jessie version of
ruby-http-cookie on wheezy, so it is just to add this package too)
2) We tell that the fix is not important enough.
I do not see the point in trying to change the correction in some other way
for wheezy.

Thanks in advance.

Best regards,

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola at inguza.com                    Folkebogatan 26            \
|  opal at debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------