Hi Guido

Regarding this question:
> Does it make sense to add this as an autopkgtest?

Well we could do that, but I do not think it is worth the effort for a wheezy security update. In stretch (rails package, where I got the patch from) and later there is already a good unit test suite where this is tested.

I'll leave it to the package maintainer to decide whether it should be tested automatically.

Best regards

// Ola

On Fri, May 27, 2016 at 10:45 AM, Guido Günther <a...@sigxcpu.org> wrote:

> Hi Ola,
> On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote:
> > Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team
> >
> > This is my third package contribution to Debian LTS. I'm doing this as a
> > training exercise and this is why the maintainer has not been asked to
> > do this for me.
> >
> > I have prepared an update of the ruby-activerecord-3.2 package with a fix
> > for
> > https://security-tracker.debian.org/tracker/CVE-2015-7577
> >
> > What I have done is to take the CVE-2015-7577.patch file from the rails
> > 2:4.1.8-1+deb8u2 package in jessie.
> > Two out of three chunks applied cleanly and the third one was simple to
> > copy-paste in place.
> >
> > I have also written a very simple test application from an example. It does
> > not test the specific security problem but at least shows that there is no
>
> Does it make sense to add this as an autopkgtest?
>
> > obvious regression problem. If you know of an easy way to do more extended
> > testing of this update then please let me know (or run it yourself and let
> > me know the results). As the source is so similar between the rails package
> > and this I trust that the extra test introduced in rails will cover the
> > specific problem even though I have not run it specifically (it is part of
> > the whole rails suite and not trivial to extract parts of it).
> >
> > You can find the debdiff here:
> >
> > http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff
>
> This looks good to me.
> Cheers,
>  -- Guido
>

-- 
 --------------------- Ola Lundqvist ---------------------------
/  o...@debian.org                     Folkebogatan 26          \
|  o...@inguza.com                     654 68 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------