Re: RFS: ruby-loofah 2.2.1-1 (CVE-2018-8048)

2018-03-23 Thread Cédric Boutillier
Hi,

On Thu, Mar 22, 2018 at 01:25:07AM +0100, Georg Faerber wrote:

> On 18-03-22 01:04:23, Cédric Boutillier wrote:
> > On Wed, Mar 21, 2018 at 11:35:57PM +0100, Georg Faerber wrote:
> > > Please review / upload ruby-loofah 2.2.1-1, which fixes
> > > CVE-2018-8048. Changes pushed to git in branch d/2.2.1-1.
> > 
> > Can you add a short description for the CVE in the changelog (like
> > 'prevents cross-site scripting')?

> Sure, fixed in git.

I uploaded ruby-loofah.

> > This new version breaks two tests in ruby-rails-html-sanitizer (some
> > spaces changed in the output). I didn't check if there was some update
> > for this package which would reflect this.

> I was kind of afraid that this might happen.. :/ Should I take this to
> rails-html-sanitizer upstream, and ask for input on this? There doesn't
> seem to be much activity, honestly. Also, there is no update, the last
> commit was made 2017/05/12. Or should we rather fix the tests on our
> own?

I reported the issue upstream:
https://github.com/rails/rails-html-sanitizer/issues/70

Since we already have a patch to disable some tests (due to us not using
nokogiri's embedded version of libxml2), we can disable these two tests
for now (probably with another patch, to ease its removal when the issue
is fixed upstream).

> (Also, because I would like to do my "homework": How do I test rdepends
> with a new version of a dependency?)

You can use the script "build" in the master repository. It will
automatically try to build reverse dependencies and run the test
suite of reverse dependencies.


Re: RFS: ruby-loofah 2.2.1-1 (CVE-2018-8048)

2018-03-22 Thread Georg Faerber
On 18-03-22 01:33:20, Chris Hofstaedtler wrote:
> * Georg Faerber  [180322 01:29]:
> > On 18-03-22 01:04:23, Cédric Boutillier wrote:
> > > Can you also take care of applying the patch to the version currently
> > > in stable and contact the security team for a proposed update for
> > > stretch?
> > 
> > Actually, aren't proposed uploads targeted at point releases? If so,
> > this might take a while, as the last one just happened recently.
> > Shouldn't this be instead a "straight" upload by the security team?
> > I still would create the patch.
> 
> This decision is in the hands of the security team. In any case you
> can prepare the patch/debdiff, and, if they are not going to upload
> it, retarget to stretch (instead of stretch-security).

Thanks for clarifying.

> To save some work you can try asking on #debian-security first :-)

People advised to instead write a mail, which I did just now, because
some team members aren't on IRC.

Cheers,
Georg



Re: RFS: ruby-loofah 2.2.1-1 (CVE-2018-8048)

2018-03-21 Thread Chris Hofstaedtler
* Georg Faerber  [180322 01:29]:
> On 18-03-22 01:04:23, Cédric Boutillier wrote:
> > Can you also take care of applying the patch to the version currently
> > in stable and contact the security team for a proposed update for
> > stretch?
> 
> Actually, aren't proposed uploads targeted at point releases? If so,
> this might take a while, as the last one just happened recently.
> Shouldn't this be instead a "straight" upload by the security team? I
> still would create the patch.

This decision is in the hands of the security team. In any case you
can prepare the patch/debdiff, and, if they are not going to upload
it, retarget to stretch (instead of stretch-security).

To save some work you can try asking on #debian-security first :-)

Chris



Re: RFS: ruby-loofah 2.2.1-1 (CVE-2018-8048)

2018-03-21 Thread Georg Faerber
On 18-03-22 01:04:23, Cédric Boutillier wrote:
> Can you also take care of applying the patch to the version currently
> in stable and contact the security team for a proposed update for
> stretch?

Actually, aren't proposed uploads targeted at point releases? If so,
this might take a while, as the last one just happened recently.
Shouldn't this be instead a "straight" upload by the security team? I
still would create the patch.
