[DRE-maint] Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Pirate Praveen
praveen at onenetbeyond.org
Thu May 20 18:06:37 BST 2021
On Wed, 19 May 2021 22:12:59 +0200 Paul Gevers <elbrus at debian.org>
wrote:
> Hi,
>
> On Sat, 15 May 2021 11:18:31 +0000 Debian FTP Masters
> <ftpmaster at ftp-master.debian.org> wrote:
> > rails (2:6.0.3.7+dfsg-1) unstable; urgency=high
> > .
> > * Upload to unstable directly.
> > * New upstream version 6.0.3.7+dfsg. (Closes: #988214)
> > - Prevent slow regex when parsing host authorization header.
> > (Fixed: CVE-2021-22904)
> > - Prevent catastrophic backtracking during mime parsing.
> > (Fixes: CVE-2021-22902)
> > - Prevent string polymorphic route arguments.
> > (Fixes: CVE-2021-22885)
>
> This new rails version renewed its versioned dependency on
> ruby-marcel.
> The new ruby-marcel version doesn't look like a targeted fix, so it
> doesn't fit the freeze policy. If I read the changelog correctly,
> this dependency is there to give rails a more relaxed license. I think
> such a change is not really needed at this stage of the freeze, does
> rails still work with the old version of ruby-marcel and can the
> version bump be reverted?
>
> Paul
>
The only reverse dependency on ruby-marcel is rails.
pravi at ilvala2:~$ reverse-depends ruby-marcel
Reverse-Depends
* ruby-activestorage
Packages without architectures listed are reverse-dependencies in: all,
amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
pravi at ilvala2:~$ reverse-depends -b ruby-marcel
Reverse-Build-Depends
* rails
So I think the possible impact of this bump is limited to rails itself,
and going back to the older version is more work and means long-term
maintenance diverging from upstream. Would it be possible to give an
exception for ruby-marcel?