Hi Georg,

On Sun, Mar 25, 2018 at 07:10:40PM +0200, Georg Faerber wrote:
> Hi security team,
>
> On 18-03-22 17:23:48, Moritz Muehlenhoff wrote:
> > On Thu, Mar 22, 2018 at 05:21:15PM +0100, Georg Faerber wrote:
> > > I would like to fix CVE-2018-8048, which is currently present in
> > > ruby-loofah 2.0.3-2 in stretch. Do you prefer a "straight" upload
> > > done by you, or should this be instead an upload via stretch-pu?
> > >
> > > In any case, I'll prepare a patch.
> >
> > Thanks. I think we should fix this via security.debian.org
>
> Please find the debdiff below. Changes pushed to git [1] in branch
> stretch/backports.
>
> Please note: The first iteration of the patch didn't include DEP3
> headers. Also, I didn't add the new test case. After review of the
> Ruby team, I've changed this. I've removed blank lines included in the
> upstream commit to keep the delta as small as possible.

The debdiff looks good per se. Regarding stripping the comments and
empty lines, that would not have been a requirement. If it helps future
backports, just keep them; if the comments are descriptive and help, one
can keep those as well.

If you were able to test ruby-loofah sufficiently with the fix in
production, please do upload (if I see it correctly, you will need a
sponsored upload). Make sure to have the upload built with -sa since
it's the first ruby-loofah upload for stretch that security-master is
seeing.

Regards,
Salvatore