Utkarsh Gupta <guptautkarsh2...@gmail.com> writes:

> Please don't yet patch CVE-2019-16782 for Buster, Stretch, Jessie, et al.
> This security update induces a regression, resulting in some issues in
> using the library.
> Also, there's a slight possibility of this patch inducing a backdoor on
> its own.
>
> The issues have already been opened to/with the upstream and I hope
> they're looking into it.
> P.S. Shall update here when available :)
Do you have any references to the upstream issue regarding the possible backdoor?

I see:

https://github.com/rack/rack/issues/1431
https://github.com/rack/rack/issues/1432
https://github.com/rack/rack/issues/1433

Apparently the regression is unavoidable - see
https://github.com/rack/rack/issues/1432#issuecomment-571688819

Which in turn generated controversy - is it OK to cause breakage if it fixes a known security issue?
https://github.com/rack/rack/issues/1432#issuecomment-571701768

This might rule out being able to provide fixes for Buster and Jessie.

Oh, I see, #1431 mentions the possible backdoor; a claim that was disputed.

It also seems like "I agree that the vulnerability is not that great and does take substantial time to pull off." - wonder if it is even worth trying to fix this for anything other than unstable+testing.

-- 
Brian May <b...@debian.org>