Re: Debian LTS Security update of ruby-activerecord-3.2
Hi

As you may have noticed the package is updated now.

/ Ola

Sent from a phone

On 30 May 2016 22:14, "Ola Lundqvist" wrote:
> Hi
>
> I'll make sure it is kept in dla-needed.txt.
>
> I must admit that I'm quite new on both ruby and other things. I seem to manage enough to write some tests at least though.
>
> // Ola
>
> On Mon, May 30, 2016 at 8:20 PM, Guido Günther wrote:
>
>> On Mon, May 30, 2016 at 08:11:23PM +0200, Ola Lundqvist wrote:
>> > Hi Guido
>> >
>> > Yes that is true. I have not solved that problem. I focused on only one of the issues as I had to look into two packages to solve the one you refer to. Great that you will have a look at that one.
>> >
>> > I'll upload ruby-activerecord-3.2 shortly (read today) and it will look like the one I had in the directory above. But I guess it is better to base it on the one I upload just in case.
>>
>> Okay. Please make sure that ruby-activerecord-3.2 stays in dla-needed.txt then since it still needs CVEs fixed.
>>
>> Although I know a bit of ruby I don't know much ActiveRecord, ActiveModel yet so in case somebody in the LTS team knows this stuff in and out I'm glad to pass this over.
>>
>> Cheers,
>> -- Guido
>
> --
> - Ola Lundqvist ---
> / o...@debian.org Folkebogatan 26 \
> | o...@inguza.com 654 68 KARLSTAD |
> | http://inguza.com/ +46 (0)70-332 1551 |
> \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
> ---
Re: Debian LTS Security update of ruby-activerecord-3.2
Hi

I'll make sure it is kept in dla-needed.txt.

I must admit that I'm quite new on both ruby and other things. I seem to manage enough to write some tests at least though.

// Ola

On Mon, May 30, 2016 at 8:20 PM, Guido Günther wrote:
> On Mon, May 30, 2016 at 08:11:23PM +0200, Ola Lundqvist wrote:
> > Hi Guido
> >
> > Yes that is true. I have not solved that problem. I focused on only one of the issues as I had to look into two packages to solve the one you refer to. Great that you will have a look at that one.
> >
> > I'll upload ruby-activerecord-3.2 shortly (read today) and it will look like the one I had in the directory above. But I guess it is better to base it on the one I upload just in case.
>
> Okay. Please make sure that ruby-activerecord-3.2 stays in dla-needed.txt then since it still needs CVEs fixed.
>
> Although I know a bit of ruby I don't know much ActiveRecord, ActiveModel yet so in case somebody in the LTS team knows this stuff in and out I'm glad to pass this over.
>
> Cheers,
> -- Guido

--
- Ola Lundqvist ---
/ o...@debian.org Folkebogatan 26 \
| o...@inguza.com 654 68 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---
Re: Debian LTS Security update of ruby-activerecord-3.2
Hi Ola,

On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote:
> Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team
>
> This is my third package contribution to Debian LTS. I'm doing this as a training exercise and this is why the maintainer has not been asked to do this for me.
>
> I have prepared an update of the ruby-activerecord-3.2 package with a fix for
> https://security-tracker.debian.org/tracker/CVE-2015-7577

While looking into CVE-2016-0753 of ruby-activemodel-3.2 I noticed that ruby-activerecord-3.2 is affected as well and not fixed with your proposed debdiff. I'm just looking into this atm and don't want to duplicate efforts.

Cheers,
 -- Guido
Re: Debian LTS Security update of ruby-activerecord-3.2
Hi Guido

Regarding this question:

> Does it make sense to add this as an autopkgtest?

Well we could do that, but I do not think it is worth the effort for a wheezy security update. In stretch (rails package, where I got the patch from) and later there is already a good unit test suite where this is tested. I'll leave it to the package maintainer to decide whether it should be tested automatically.

Best regards

// Ola

On Fri, May 27, 2016 at 10:45 AM, Guido Günther wrote:
> Hi Ola,
> On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote:
> > Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team
> >
> > This is my third package contribution to Debian LTS. I'm doing this as a training exercise and this is why the maintainer has not been asked to do this for me.
> >
> > I have prepared an update of the ruby-activerecord-3.2 package with a fix for
> > https://security-tracker.debian.org/tracker/CVE-2015-7577
> >
> > What I have done is to take the CVE-2015-7577.patch file from the rails 2:4.1.8-1+deb8u2 package in jessie. Two out of three chunks applied cleanly and the third one was simple to copy-paste in place.
> >
> > I have also written a very simple test application from an example. It does not test the specific security problem but at least shows that there is no
>
> Does it make sense to add this as an autopkgtest?
>
> > obvious regression problem. If you know of an easy way to do more extended testing of this update then please let me know (or run it yourself and let me know the results). As the source is so similar between the rails package and this I trust that the extra test introduced in rails will cover the specific problem even though I have not run it specifically (it is part of the whole rails suite and not trivial to extract parts of it).
> >
> > You can find the debdiff here:
> > http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff
>
> This looks good to me.
> Cheers,
> -- Guido

--
- Ola Lundqvist ---
/ o...@debian.org Folkebogatan 26 \
| o...@inguza.com 654 68 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---
Re: Debian LTS Security update of ruby-activerecord-3.2
Hi Ola,

On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote:
> Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team
>
> This is my third package contribution to Debian LTS. I'm doing this as a training exercise and this is why the maintainer has not been asked to do this for me.
>
> I have prepared an update of the ruby-activerecord-3.2 package with a fix for
> https://security-tracker.debian.org/tracker/CVE-2015-7577
>
> What I have done is to take the CVE-2015-7577.patch file from the rails 2:4.1.8-1+deb8u2 package in jessie. Two out of three chunks applied cleanly and the third one was simple to copy-paste in place.
>
> I have also written a very simple test application from an example. It does not test the specific security problem but at least shows that there is no

Does it make sense to add this as an autopkgtest?

> obvious regression problem. If you know of an easy way to do more extended testing of this update then please let me know (or run it yourself and let me know the results). As the source is so similar between the rails package and this I trust that the extra test introduced in rails will cover the specific problem even though I have not run it specifically (it is part of the whole rails suite and not trivial to extract parts of it).
>
> You can find the debdiff here:
> http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff

This looks good to me.

Cheers,
 -- Guido
Debian LTS Security update of ruby-activerecord-3.2
Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team

This is my third package contribution to Debian LTS. I'm doing this as a training exercise and this is why the maintainer has not been asked to do this for me.

I have prepared an update of the ruby-activerecord-3.2 package with a fix for
https://security-tracker.debian.org/tracker/CVE-2015-7577

What I have done is to take the CVE-2015-7577.patch file from the rails 2:4.1.8-1+deb8u2 package in jessie. Two out of three chunks applied cleanly and the third one was simple to copy-paste in place.

I have also written a very simple test application from an example. It does not test the specific security problem but at least shows that there is no obvious regression problem. If you know of an easy way to do more extended testing of this update then please let me know (or run it yourself and let me know the results). As the source is so similar between the rails package and this I trust that the extra test introduced in rails will cover the specific problem even though I have not run it specifically (it is part of the whole rails suite and not trivial to extract parts of it).

You can find the debdiff here:
http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff

Updated package for test is available here:
http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2

If I do not hear any objections in four days I'll upload this package to wheezy security.

Thanks in advance.

Best regards,

// Ola

--
- Ola Lundqvist ---
/ o...@debian.org Folkebogatan 26 \
| o...@inguza.com 654 68 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---
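The announcement above describes the backport (a patch file copied from the jessie rails package, a debdiff posted for review, and a reviewer later noting that the debdiff did not cover a second CVE). As an added example, not code from this thread or from Debian's own tooling, the Python script below does the mechanical part of such a debdiff review: it parses the unified diff that debdiff produces, counts hunks per file, and checks that the new debian/changelog entry names the CVE being claimed, that the patch file itself is part of the diff, and that debian/patches/series actually enables it. The embedded debdiff is a constructed sample with placeholder version numbers and a placeholder patch body; it is not the CVE-2015-7577-deb7u2.debdiff linked above.

```python
"""Sanity-check a debdiff for a security update before uploading it.

Added example: parses the unified diff that debdiff emits and verifies
the bookkeeping that reviewers look for (changelog names the CVE, the
patch is present, and debian/patches/series enables it).
"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample debdiff. Version numbers and the patch body are
# placeholders; only the package name, CVE id and patch name come from
# the thread.
SAMPLE_DEBDIFF = """\
diff -Nru ruby-activerecord-3.2-0.0/debian/changelog ruby-activerecord-3.2-0.0/debian/changelog
--- ruby-activerecord-3.2-0.0/debian/changelog
+++ ruby-activerecord-3.2-0.0/debian/changelog
@@ -1,3 +1,10 @@
+ruby-activerecord-3.2 (0.0-1+deb7u2) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS team.
+  * Fix CVE-2015-7577 with the patch from rails 2:4.1.8-1+deb8u2.
+
+ -- Example Uploader <uploader@example.org>  Thu, 26 May 2016 23:00:00 +0200
+
 ruby-activerecord-3.2 (0.0-1+deb7u1) wheezy-security; urgency=high
 
   * Previous security upload (placeholder entry).
diff -Nru ruby-activerecord-3.2-0.0/debian/patches/CVE-2015-7577.patch ruby-activerecord-3.2-0.0/debian/patches/CVE-2015-7577.patch
--- ruby-activerecord-3.2-0.0/debian/patches/CVE-2015-7577.patch
+++ ruby-activerecord-3.2-0.0/debian/patches/CVE-2015-7577.patch
@@ -0,0 +1,2 @@
+Description: placeholder for the backported upstream fix (body omitted)
+Origin: rails 2:4.1.8-1+deb8u2
diff -Nru ruby-activerecord-3.2-0.0/debian/patches/series ruby-activerecord-3.2-0.0/debian/patches/series
--- ruby-activerecord-3.2-0.0/debian/patches/series
+++ ruby-activerecord-3.2-0.0/debian/patches/series
@@ -1 +1,2 @@
 earlier-fix.patch
+CVE-2015-7577.patch
"""


def parse_debdiff(text):
    """Return {path: {"hunks": n, "added": [lines]}} for a unified diff.

    Paths are taken from the '+++ ' headers with the top-level source
    directory stripped, so 'pkg-0.0/debian/changelog' becomes
    'debian/changelog'.
    """
    files = {}
    current = None
    for line in text.splitlines():
        if line.startswith("+++ "):
            raw = line[4:].split("\t")[0].strip()
            current = raw.split("/", 1)[1] if "/" in raw else raw
            files[current] = {"hunks": 0, "added": []}
        elif line.startswith("@@") and current is not None:
            files[current]["hunks"] += 1
        elif line.startswith("+") and current is not None:
            files[current]["added"].append(line[1:])
    return files


def check_update(text, cve, patch_name=None):
    """Return a list of problems; an empty list means the debdiff passes.

    Assumes the patch is named <CVE>.patch unless patch_name is given.
    """
    patch_name = patch_name or f"{cve}.patch"
    files = parse_debdiff(text)
    problems = []
    changelog = files.get("debian/changelog")
    if changelog is None:
        problems.append("debian/changelog is not touched")
    else:
        mentioned = {m for l in changelog["added"] for m in CVE_RE.findall(l)}
        if cve not in mentioned:
            problems.append(f"changelog entry does not mention {cve}")
    if f"debian/patches/{patch_name}" not in files:
        problems.append(f"patch file debian/patches/{patch_name} not in diff")
    series = files.get("debian/patches/series")
    if series is None or patch_name not in [l.strip() for l in series["added"]]:
        problems.append(f"{patch_name} not added to debian/patches/series")
    return problems


if __name__ == "__main__":
    for path, info in parse_debdiff(SAMPLE_DEBDIFF).items():
        print(f"{path}: {info['hunks']} hunk(s), {len(info['added'])} added line(s)")
    problems = check_update(SAMPLE_DEBDIFF, "CVE-2015-7577")
    print("OK" if not problems else "\n".join(problems))
```

Running it against a real debdiff (read the file instead of SAMPLE_DEBDIFF) flags the common slips in an LTS upload: a changelog that cites the wrong CVE id, or a patch that was added to debian/patches but never listed in series. It cannot tell whether the patch is complete, which is exactly the gap the reviewer found here with CVE-2016-0753; that still needs someone to read the upstream fix.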