Hi Daniel, congratulations on your first update!
Some notes:

1) To be consistent with all other updates, please do not add the suffix in the version number.
2) It is not quite a team upload. Better use "dch --lts", which converts to "* Non-maintainer upload by the LTS Security Team."
3) Please check why piuparts is failing on CI.
4) Regarding behavioral change... I cannot evaluate without the context. Maybe someone else from the LTS team or the original maintainer can help.

Best regards

Anton

On Mon, 13 March 2023 at 23:18, Daniel Leidert <dleid...@debian.org> wrote:

> Hi there,
>
> I prepared my first LTS update. You can find it here:
>
> https://salsa.debian.org/lts-team/packages/ruby-loofah
>
> When I ran some test cases to see if all the vulnerabilities are fixed,
> I discovered that there is a slight behavioral change:
>
> As part of the fix for CVE-2022-23516, loofah will no longer remove
> nested <script> sections, but escape the tags instead. They also
> adjusted their tests for that. To demonstrate:
>
> This:
>
> <div><script><script>alert(1);</script></script></div>
>
> resulted in:
>
> <div>alert(1);</div>
>
> and now it results in:
>
>
> <div><script><script>alert(1);</script></script></div>
>
> What do you think? I wonder if that is an acceptable change?
>
> If you have any other feedback, please don't hesitate to leave it here.
>
> Regards, Daniel
>