
Re: Please review ruby-rack security fix CVE-2019-16782



Hiya,

On 22/12/19 9:32 am, Youhei SASAKI wrote:
> Hi folks,
>
> I pushed security fix(CVE-2019-16782) of ruby-rack package for buster.
>
>   branch: https://salsa.debian.org/ruby-team/ruby-rack/tree/buster
>   CVE info: https://security-tracker.debian.org/tracker/CVE-2019-16782
>
> Please review this branch.

Only a couple of days back, I sent a mail[1] to the security team,
asking them to *not* upload ruby-rack to Jessie, Stretch, Buster.
Reason being, the patch upstream provides introduces a regression,
resulting in some issues in using the library.
Also, there's a slight possibility of this patch inducing a backdoor on
its own.

Both the issues have been opened upstream.
What I'd suggest is to patch this CVE when both of the above issues are
fixed, too.
Let me know if you have any questions.


Best,
Utkarsh
---
[1]: https://lists.debian.org/debian-lts/2019/12/msg00050.html



