Bug#986806: CVE-2021-28965
Hi Pirate,

On Sun, Apr 18, 2021 at 10:26:31PM +0530, Pirate Praveen wrote:
> On Sun, 18 Apr 2021 15:04:56 +0200 Salvatore Bonaccorso wrote:
> > Hi,
> >
> > On Sat, Apr 17, 2021 at 10:34:24PM +0530, Pirate Praveen wrote:
> > > On Sat, Apr 17, 2021 at 10:16 pm, Utkarsh Gupta wrote:
> > > > Makes sense. Probably the time to RM ruby-rexml from the archive is
> > > > *now*?
> > >
> > > Requested removal from archive in #987101
> >
> > Thanks for filing the removal!
> >
> > I fear, though, that this needs some additional work: trying to
> > simulate the removal, the following is shown:
> >
> > Will remove the following packages from sid:
> >
> > ruby-rexml |3.2.4-2 | source, all
> >
> > Maintainer: Debian Ruby Extras Maintainers
> >
> > --- Reason ---
> >
> > --
> >
> > Checking reverse dependencies...
> > # Broken Depends:
> > ruby-kramdown: ruby-kramdown
> >
> > # Broken Build-Depends:
> > ruby-kramdown: ruby-rexml
> >
> > Dependency problem found.
> >
> > Can you change the Build-Depends of ruby-kramdown?
>
> I think that is a bug in dak, as libruby2.7 Provides ruby-rexml.

Ack, I see.

Regards,
Salvatore
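The disagreement above is about whether a removal check should treat a virtual package (libruby2.7 declaring `Provides: ruby-rexml`) as satisfying ruby-kramdown's dependency on ruby-rexml. The following is an added, self-contained model of that check, written for this thread; it is not dak's code, and the archive snapshot, package names and output format are constructed to mirror the simulation pasted above. The same toy archive is run twice, once ignoring Provides (which reproduces the "Dependency problem found" reading) and once honouring it (which finds nothing broken).

```python
"""Toy reverse-dependency check for a package removal, run with and
without honouring Provides.  Constructed example, not dak's own code."""
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str                                          # binary package name
    source: str                                        # source package it is built from
    depends: list = field(default_factory=list)        # runtime Depends
    build_depends: list = field(default_factory=list)  # Build-Depends of its source
    provides: list = field(default_factory=list)       # virtual package names it provides


# Constructed archive snapshot modelled on the thread: ruby-rexml is the
# package to be removed, libruby2.7 provides the same name, and
# ruby-kramdown depends and build-depends on it.
ARCHIVE = [
    Package("ruby-rexml", source="ruby-rexml"),
    Package("libruby2.7", source="ruby2.7", provides=["ruby-rexml"]),
    Package("ruby-kramdown", source="ruby-kramdown",
            depends=["ruby-rexml"], build_depends=["ruby-rexml"]),
]


def available_names(archive, removed, honour_provides):
    """Package names that can still be satisfied after removing `removed`
    (a set of binary or source names)."""
    names = set()
    for pkg in archive:
        if pkg.name in removed or pkg.source in removed:
            continue
        names.add(pkg.name)
        if honour_provides:
            # A virtual package counts as present if any remaining
            # package declares it in Provides.
            names.update(pkg.provides)
    return names


def check_removal(archive, removed, honour_provides=True):
    """Return the Depends / Build-Depends that would break after removal."""
    remaining = available_names(archive, removed, honour_provides)
    broken = {"Depends": [], "Build-Depends": []}
    for pkg in archive:
        if pkg.name in removed or pkg.source in removed:
            continue
        for dep in pkg.depends:
            if dep not in remaining:
                broken["Depends"].append(f"{pkg.name}: {dep}")
        for dep in pkg.build_depends:
            if dep not in remaining:
                broken["Build-Depends"].append(f"{pkg.source}: {dep}")
    return broken


def report(broken):
    """Render the result in the spirit of the simulation output above."""
    lines = ["Checking reverse dependencies..."]
    for kind in ("Depends", "Build-Depends"):
        if broken[kind]:
            lines.append(f"# Broken {kind}:")
            lines.extend(broken[kind])
    lines.append("Dependency problem found." if any(broken.values())
                 else "No dependency problem found.")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- ignoring Provides ---")
    print(report(check_removal(ARCHIVE, {"ruby-rexml"}, honour_provides=False)))
    print("--- honouring Provides ---")
    print(report(check_removal(ARCHIVE, {"ruby-rexml"}, honour_provides=True)))
```

Whether the real tool should accept a Provides here is exactly the question the thread leaves open; the model only makes the two readings explicit. It also deliberately ignores versioned dependencies, where an unversioned Provides does not satisfy a versioned Depends, since none appear in the simulation above.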
Bug#986806: CVE-2021-28965
On Sun, 18 Apr 2021 15:04:56 +0200 Salvatore Bonaccorso wrote:
> Hi,
>
> On Sat, Apr 17, 2021 at 10:34:24PM +0530, Pirate Praveen wrote:
> > On Sat, Apr 17, 2021 at 10:16 pm, Utkarsh Gupta wrote:
> > > Makes sense. Probably the time to RM ruby-rexml from the archive is
> > > *now*?
> >
> > Requested removal from archive in #987101
>
> Thanks for filing the removal!
>
> I fear, though, that this needs some additional work: trying to
> simulate the removal, the following is shown:
>
> Will remove the following packages from sid:
>
> ruby-rexml |3.2.4-2 | source, all
>
> Maintainer: Debian Ruby Extras Maintainers
>
> --- Reason ---
>
> --
>
> Checking reverse dependencies...
> # Broken Depends:
> ruby-kramdown: ruby-kramdown
>
> # Broken Build-Depends:
> ruby-kramdown: ruby-rexml
>
> Dependency problem found.
>
> Can you change the Build-Depends of ruby-kramdown?

I think that is a bug in dak, as libruby2.7 Provides ruby-rexml.
Bug#986806: CVE-2021-28965
Hi,

On Sat, Apr 17, 2021 at 10:34:24PM +0530, Pirate Praveen wrote:
> On Sat, Apr 17, 2021 at 10:16 pm, Utkarsh Gupta wrote:
> > Makes sense. Probably the time to RM ruby-rexml from the archive is
> > *now*?
>
> Requested removal from archive in #987101

Thanks for filing the removal!

I fear, though, that this needs some additional work: trying to
simulate the removal, the following is shown:

Will remove the following packages from sid:

ruby-rexml |3.2.4-2 | source, all

Maintainer: Debian Ruby Extras Maintainers

--- Reason ---

--

Checking reverse dependencies...
# Broken Depends:
ruby-kramdown: ruby-kramdown

# Broken Build-Depends:
ruby-kramdown: ruby-rexml

Dependency problem found.

Can you change the Build-Depends of ruby-kramdown?

Regards,
Salvatore
Bug#986806: CVE-2021-28965
On Sat, Apr 17, 2021 at 10:16 pm, Utkarsh Gupta wrote:
> Makes sense. Probably the time to RM ruby-rexml from the archive is
> *now*?

Requested removal from archive in #987101
Bug#986806: CVE-2021-28965
Hi Praveen,

On Fri, Apr 16, 2021 at 3:24 PM Pirate Praveen wrote:
> I think the separate package was introduced by mistake without seeing
> the copy embedded in ruby. I think the right way is to fix this in ruby
> and remove this separate package. But I'd like someone from ruby team
> to confirm this.

Makes sense. Probably the time to RM ruby-rexml from the archive is
*now*?

As for fixing this in src:ruby2.7, see #986742.
TL;DR: ruby2.7 2.7.3-1 was uploaded to fix this earlier today.

- u
Bug#986806: CVE-2021-28965
On Fri, Apr 16, 2021 at 03:22:24PM +0530, Pirate Praveen wrote:
> On Mon, 12 Apr 2021 12:05:29 +0200 Moritz Muehlenhoff wrote:
> > https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
> >
> > Why is there a separate package duplicating rexml from src:ruby2.7 in
> > bullseye?
>
> I think the separate package was introduced by mistake without seeing the
> copy embedded in ruby. I think the right way is to fix this in ruby and
> remove this separate package. But I'd like someone from ruby team to confirm
> this.

agreed.
Bug#986806: CVE-2021-28965
On Mon, 12 Apr 2021 12:05:29 +0200 Moritz Muehlenhoff wrote:
> https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
>
> Why is there a separate package duplicating rexml from src:ruby2.7 in
> bullseye?

I think the separate package was introduced by mistake without seeing the
copy embedded in ruby. I think the right way is to fix this in ruby and
remove this separate package. But I'd like someone from ruby team to confirm
this.
Bug#986806: CVE-2021-28965
Package: ruby-rexml
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team

https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/

Why is there a separate package duplicating rexml from src:ruby2.7 in
bullseye?

Cheers,
Moritz