Re: RFS: ruby-loofah 2.2.1-1 (CVE-2018-8048)
Hi,

On Thu, Mar 22, 2018 at 01:25:07AM +0100, Georg Faerber wrote:
> On 18-03-22 01:04:23, Cédric Boutillier wrote:
> > On Wed, Mar 21, 2018 at 11:35:57PM +0100, Georg Faerber wrote:
> > > Please review / upload ruby-loofah 2.2.1-1, which fixes
> > > CVE-2018-8048. Changes pushed to git in branch d/2.2.1-1.
> >
> > Can you add a short description for the CVE in the changelog (like
> > 'prevents cross-site scripting')?
> Sure, fixed in git.

I uploaded ruby-loofah.

> > This new version breaks two tests in ruby-rails-html-sanitizer (some
> > spaces changed in the output). I didn't check if there was some update
> > for this package which would reflect this.
> I was kind of afraid that this might happen.. :/ Should I take this to
> rails-html-sanitizer upstream, and ask for input on this? There doesn't
> seem to be much activity, honestly. Also, there is no update, the last
> commit was made 2017/05/12. Or should we rather fix the tests on our
> own?

I reported the issue upstream:
https://github.com/rails/rails-html-sanitizer/issues/70

Since we have already a patch to disable some tests (due to us not using nokogiri's embedded version of libxml2), we can disable these two tests for now (probably with another patch, to ease its removal when the issue is fixed upstream).

> (Also, because I would like to do my "homework": How do I test rdepends
> with a new version of a dependency?)

You can use the script "build" in the master repository. It will automatically try to build build-reverse dependencies and run the test suite of reverse dependencies.
Re: RFS: ruby-loofah 2.2.1-1 (CVE-2018-8048)
On 18-03-22 01:33:20, Chris Hofstaedtler wrote:
> * Georg Faerber[180322 01:29]:
> > On 18-03-22 01:04:23, Cédric Boutillier wrote:
> > > Can you also take care of applying the patch to the version currently
> > > in stable and contact the security team for a proposed update for
> > > stretch?
> >
> > Actually, aren't proposed uploads targeted at point releases? If so,
> > this might take a while, as the last one just happened recently.
> > Shouldn't this be instead a "straight" upload by the security team?
> > I still would create the patch.
>
> This decision is in the hands of the security team. In any case you
> can prepare the patch/debdiff, and, if they are not going to upload
> it, retarget to stretch (instead of stretch-security).

Thanks for clarifying.

> To save some work you can try asking on #debian-security first :-)

People advised to instead write a mail, which I did just now, because some team members aren't on IRC.

Cheers,
Georg
Re: RFS: ruby-loofah 2.2.1-1 (CVE-2018-8048)
* Georg Faerber[180322 01:29]:
> On 18-03-22 01:04:23, Cédric Boutillier wrote:
> > Can you also take care of applying the patch to the version currently
> > in stable and contact the security team for a proposed update for
> > stretch?
>
> Actually, aren't proposed uploads targeted at point releases? If so,
> this might take a while, as the last one just happened recently.
> Shouldn't this be instead a "straight" upload by the security team? I
> still would create the patch.

This decision is in the hands of the security team. In any case you can prepare the patch/debdiff, and, if they are not going to upload it, retarget to stretch (instead of stretch-security).

To save some work you can try asking on #debian-security first :-)

Chris
Re: RFS: ruby-loofah 2.2.1-1 (CVE-2018-8048)
On 18-03-22 01:04:23, Cédric Boutillier wrote:
> Can you also take care of applying the patch to the version currently
> in stable and contact the security team for a proposed update for
> stretch?

Actually, aren't proposed uploads targeted at point releases? If so, this might take a while, as the last one just happened recently. Shouldn't this be instead a "straight" upload by the security team? I still would create the patch.