On 09/18/2012 03:17 PM, Moritz Mühlenhoff wrote:
> tags 686867 patch
> thanks
>
> On Thu, Sep 06, 2012 at 10:03:58PM +0200, Moritz Muehlenhoff wrote:
>> Package: jruby
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Hi,
>> jruby in Wheezy is still affected by
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838
>>
>> http://www.nruns.com/_downloads/advisory28122011.pdf
>>
>
>> Since Wheezy already has 1.6.5, updating to 1.6.5.1 seems like a good idea?
>
> Wheezy has 1.5.6, not 1.6.5.
>
> Anyway, I've extracted the patch, it's attached.
>
> Cheers,
> Moritz

Hello Moritz,

Thank you for attaching the patch. I have it applying cleanly and am in the process of preparing an upload. However, currently the jruby package is FTBFS due to an issue with one of its build-deps, nailgun, which is installing a bad symlink.

> $ ls -al /usr/share/java/nailgun*
> -rw-r--r-- 1 root root 25607 Jul 18 22:54 /usr/share/java/nailgun-0.9.0.jar
> -rw-r--r-- 1 root root 7048 Jul 18 22:54 /usr/share/java/nailgun-examples-0.9.0.jar
> lrwxrwxrwx 1 root root 17 Jul 18 22:54 /usr/share/java/nailgun.jar -> nailgun-0.7.1.jar

Anyway, that's a separate bug. Just wanted to comment that this bug is being worked on.

Cheers,
tony