On Sat, Nov 04, 2017 at 10:45:06PM +0000, Adam D. Barratt wrote:
> On Sat, 2017-11-04 at 22:08 +0100, Salvatore Bonaccorso wrote:
> > Hi Antonio
> > 
> > Sorry for the late reply
> > 
> > On Mon, Oct 23, 2017 at 11:49:28AM -0200, Antonio Terceiro wrote:
> > > Hi security team,
> > > 
> > > I have prepared a security update for ruby2.3.
> > > 
> > > It includes all the pending recent CVEs, plus a fix for a bug that
> > > causes runaway child processes hogging the CPU, noticed at least in
> > > puppet.
> > 
> > For the latter one, not directly a security issue, strictly speaking
> > we would need an ack from the SRM to see they would ack it to a point
> > release and then we can pick it as well for a security update. The
> > patch though looks confined enough that I would trust it's okay as
> > well for SRM to see it included (Cc'ed explicitly Adam).
> 
> Assuming that's "0005-thread_pthread.c-do-not-wakeup-inside-child-
> processe.patch", it looks okay to me.

Thanks.

> As I've previously mentioned to Salvatore in another discussion, the
> fact that the patch hasn't been applied in unstable, afaict, doesn't
> fit our usual requirements for accepting patches in stable. I
> understand there are reasons for that, and the upload going via the
> security archive does make things slightly easier from that
> perspective, but as things stand I imagine we'll end up pushing +deb9u2
> into unstable during the next point release, as we did with +deb9u1
> recently.

If I upload these changes to unstable myself (with a properly adjusted
version number), does that make it easier for you? I have not been doing
that because ruby2.3 won't be shipped in buster anyway, but I would
rather consume my time as maintainer than yours as stable release
manager.
