[DRE-maint] Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Paul Gevers
elbrus at debian.org
Wed May 19 21:12:59 BST 2021
Hi,
On Sat, 15 May 2021 11:18:31 +0000 Debian FTP Masters
<ftpmaster at ftp-master.debian.org> wrote:
> rails (2:6.0.3.7+dfsg-1) unstable; urgency=high
> .
>   * Upload to unstable directly.
>   * New upstream version 6.0.3.7+dfsg. (Closes: #988214)
>     - Prevent slow regex when parsing host authorization header.
>       (Fixed: CVE-2021-22904)
>     - Prevent catastrophic backtracking during mime parsing.
>       (Fixes: CVE-2021-22902)
>     - Prevent string polymorphic route arguments.
>       (Fixes: CVE-2021-22885)
This new rails version renewed its versioned dependency on ruby-marcel.
The new ruby-marcel version doesn't look like a targeted fix, so it
doesn't fit the freeze policy. If I read the changelog correctly, this
dependency is there to give rails a more relaxed license. I think such a
change is not really needed at this stage of the freeze. Does rails
still work with the old version of ruby-marcel, and can the version bump
be reverted?
Paul