Re: Debian LTS Security update of ruby-activerecord-3.2

2016-05-31 Thread Ola Lundqvist
Hi

As you may have noticed the package is updated now.

/ Ola

Sent from a phone
On 30 May 2016 22:14, "Ola Lundqvist" wrote:

> Hi
>
> I'll make sure it is kept in dla-needed.txt.
>
> I must admit that I'm quite new on both ruby and other things. I seem to
> manage enough to write some tests at least though.
>
> // Ola
>
> On Mon, May 30, 2016 at 8:20 PM, Guido Günther  wrote:
>
>> On Mon, May 30, 2016 at 08:11:23PM +0200, Ola Lundqvist wrote:
>> > Hi Guido
>> >
>> > Yes that is true. I have not solved that problem. I focused on only one
>> > of the issues as I had to look into two packages to solve the one you
>> > refer to. Great that you will have a look at that one.
>> >
>> > I'll upload ruby-activerecord-3.2 shortly (read today) and it will look
>> > like the one I had in the directory above. But I guess it is better to
>> > base it on the one I upload just in case.
>>
>> Okay. Please make sure that ruby-activerecord-3.2 stays in
>> dla-needed.txt needed then since it still needs CVEs fixed.
>>
>> Although I know a bit of ruby I don't know much ActiveRecord,
>> ActiveModel yet so in case somebody in the LTS team knows this stuff in
>> and out I'm glad to pass this over.
>>
>> Cheers,
>>  -- Guido
>>
>
>
>
> --
>  - Ola Lundqvist ---
> /  o...@debian.org Folkebogatan 26  \
> |  o...@inguza.com  654 68 KARLSTAD  |
> |  http://inguza.com/  +46 (0)70-332 1551   |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
>  ---
>
>


Re: Debian LTS Security update of ruby-activerecord-3.2

2016-05-30 Thread Ola Lundqvist
Hi

I'll make sure it is kept in dla-needed.txt.

I must admit that I'm quite new on both ruby and other things. I seem to
manage enough to write some tests at least though.

// Ola

On Mon, May 30, 2016 at 8:20 PM, Guido Günther  wrote:

> On Mon, May 30, 2016 at 08:11:23PM +0200, Ola Lundqvist wrote:
> > Hi Guido
> >
> > Yes that is true. I have not solved that problem. I focused on only one
> > of the issues as I had to look into two packages to solve the one you
> > refer to. Great that you will have a look at that one.
> >
> > I'll upload ruby-activerecord-3.2 shortly (read today) and it will look
> > like the one I had in the directory above. But I guess it is better to
> > base it on the one I upload just in case.
>
> Okay. Please make sure that ruby-activerecord-3.2 stays in
> dla-needed.txt needed then since it still needs CVEs fixed.
>
> Although I know a bit of ruby I don't know much ActiveRecord,
> ActiveModel yet so in case somebody in the LTS team knows this stuff in
> and out I'm glad to pass this over.
>
> Cheers,
>  -- Guido
>





Re: Debian LTS Security update of ruby-activerecord-3.2

2016-05-30 Thread Guido Günther
Hi Ola,
On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote:
> Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team
> 
> This is my third package contribution to Debian LTS. I'm doing this as a
> training exercise and this is why the maintainer has not been asked to do
> this for me.
> 
> I have prepared an update of the ruby-activerecord-3.2 package with a fix
> for
> https://security-tracker.debian.org/tracker/CVE-2015-7577

While looking into CVE-2016-0753 of ruby-activemodel-3.2 I noticed that
ruby-activerecord-3.2 is affected as well and not fixed with your
proposed debdiff. I'm just looking into this atm and don't want to
duplicate efforts.

Cheers,
 -- Guido



Re: Debian LTS Security update of ruby-activerecord-3.2

2016-05-27 Thread Ola Lundqvist
Hi Guido

Regarding this question:

> Does it make sense to add this as an autopkgtest?


Well we could do that, but I do not think it is worth the effort for a
wheezy security update.
In stretch (rails package, where I got the patch from) and later there is
already a good unit test suite where this is tested. I'll leave it to the
package maintainer to decide whether it should be tested automatically.

Best regards

// Ola


On Fri, May 27, 2016 at 10:45 AM, Guido Günther  wrote:

> Hi Ola,
> On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote:
> > Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team
> >
> > This is my third package contribution to Debian LTS. I'm doing this as a
> > training exercise and this is why the maintainer has not been asked to do
> > this for me.
> >
> > I have prepared an update of the ruby-activerecord-3.2 package with a fix
> > for
> > https://security-tracker.debian.org/tracker/CVE-2015-7577
> >
> > What I have done is to take the CVE-2015-7577.patch file from the rails
> > 2:4.1.8-1+deb8u2 package in jessie.
> > Two out of three chunks applied cleanly and the third one was simple to
> > copy-paste in place.
> >
> > I have also written a very simple test application from an example. It
> > does not test the specific security problem but at least shows that there
> > is no
>
> Does it make sense to add this as an autopkgtest?
>
> > obvious regression problem. If you know of an easy way to do more
> > extended testing of this update then please let me know (or run it
> > yourself and let me know the results). As the source is so similar
> > between the rails package and this I trust that the extra test introduced
> > in rails will cover the specific problem even though I have not run it
> > specifically (it is part of the whole rails suite and not trivial to
> > extract parts of it).
> >
> > You can find the debdiff here:
> > http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff
>
> This looks good to me.
> Cheers,
>  -- Guido
>
>




Re: Debian LTS Security update of ruby-activerecord-3.2

2016-05-27 Thread Guido Günther
Hi Ola,
On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote:
> Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team
> 
> This is my third package contribution to Debian LTS. I'm doing this as a
> training exercise and this is why the maintainer has not been asked to do
> this for me.
> 
> I have prepared an update of the ruby-activerecord-3.2 package with a fix
> for
> https://security-tracker.debian.org/tracker/CVE-2015-7577
> 
> What I have done is to take the CVE-2015-7577.patch file from the rails
> 2:4.1.8-1+deb8u2 package in jessie.
> Two out of three chunks applied cleanly and the third one was simple to
> copy-paste in place.
> 
> I have also written a very simple test application from an example. It does
> not test the specific security problem but at least shows that there is no

Does it make sense to add this as an autopkgtest?

> obvious regression problem. If you know of an easy way to do more extended
> testing of this update then please let me know (or run it yourself and let
> me know the results). As the source is so similar between the rails package
> and this I trust that the extra test introduced in rails will cover the
> specific problem even though I have not run it specifically (it is part of
> the whole rails suite and not trivial to extract parts of it).
> 
> You can find the debdiff here:
> http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff

This looks good to me.
Cheers,
 -- Guido



Debian LTS Security update of ruby-activerecord-3.2

2016-05-26 Thread Ola Lundqvist
Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team

This is my third package contribution to Debian LTS. I'm doing this as a
training exercise and this is why the maintainer has not been asked to do
this for me.

I have prepared an update of the ruby-activerecord-3.2 package with a fix
for
https://security-tracker.debian.org/tracker/CVE-2015-7577

What I have done is to take the CVE-2015-7577.patch file from the rails
2:4.1.8-1+deb8u2 package in jessie.
Two out of three chunks applied cleanly and the third one was simple to
copy-paste in place.

I have also written a very simple test application from an example. It does
not test the specific security problem but at least shows that there is no
obvious regression problem. If you know of an easy way to do more extended
testing of this update then please let me know (or run it yourself and let
me know the results). As the source is so similar between the rails package
and this I trust that the extra test introduced in rails will cover the
specific problem even though I have not run it specifically (it is part of
the whole rails suite and not trivial to extract parts of it).

You can find the debdiff here:
http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff

Updated package for test is available here:
http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2

If I do not hear any objections in four days I'll upload this package to
wheezy security.

Thanks in advance.

Best regards,

// Ola

