Hi Santiago,

> I have been unable to confirm the versions of these packages are
> affected by CVE-2018-1000074 and CVE-2018-1000079

Re. CVE-2018-1000074, it seems fairly clear. For example, here is
jruby's lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb:

    with_response response do |resp|
      owners = YAML.load resp.body

(The others are similar, if not identical.)

> > Can you let me know whether you still wish to work on this package
> > or whether you would — in addition — like to take the same underlying
> > issue in rubygems and jruby as well?
>
> About ruby1.9.1, other issues have been reported meantime, and I am
> waiting to fix them in the same upload.

Sorry, I should have been clearer; given that the issues overlap to
some degree I think it would be best if one person took them all. Are
you happy to reserve the other packages in dla-needed.txt? :)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-