[DRE-maint] Bug#963477: ruby-rack: CVE-2020-8184

Salvatore Bonaccorso carnil at debian.org
Sat Jan 2 20:04:40 GMT 2021


Hi Utkarsh,

On Sat, Jan 02, 2021 at 06:38:37PM +0530, Utkarsh Gupta wrote:
> Hi Salvatore,
> 
> On Sat, Jan 2, 2021 at 5:55 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
> > > Of course. Uploaded a fix! :)
> > > (thanks for the explicit CC, please do it next time as well if you
> > > want me to take care of something which falls under the Ruby team).
> >
> > Thanks! About the explicit CC, well actually I was a bit "wary",
> > because if it's team maintained one should not start explicitly pinging
> > some of the uploaders. But I'm glad if this was possible.
> 
> It's not a problem, I am happy to help the security team as much as I
> possibly can (though you'd hopefully know that by now ;)).

Yes :)

> 
> > Indeed there would be more ruby team maintained packages which
> > are currently no-dsa marked but maybe would be good to fix for
> > and in bullseye. There are issues for instance in ruby-faye and
> > ruby-faye-websocket as well: 967061, 959392, 967063.
> 
> Eeks, sorry for not noticing them earlier. But I've uploaded a fix for all
> three of them^ :)
> 
> Let me know if there are more that need immediate fixing or so! \o/

Not any right now. Well there is CVE-2020-26247 but that one might be
too risky at this stage (AFAIU it is a breaking change, and thus was
moved to the 1.11.x version).

Regards,
Salvatore
