Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: rm
Hi Stable release managers, [X-Debbugs-CC to Antonio Terceiro] Please remove ruby-simple-form on the next stretch point release. It was back in #923847 removed in unstable, has no reverse dependencies and apart of the removal reasons there has now as well CVE-2019-16676. https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx Given it is unused, instead of going ahead of either trying to fix that or mark it as no-dsa and defer a fix via a point release it might make sense to just remove it on next point release time. Regards, Salvatore