Re: Contact info - Jeroen van Meeuwen (kanarip)

On 06.08.2014 23:28, Michael Stahnke wrote:
> 
> 
>     <snip>
>     >
>     > Could you give me a list of packages with problems so I can do the second part?
>     So the packages in question are: rubygem-actionmailer, rubygem-actionpack, rubygem-activerecord, rubygem-activeresource, rubygem-activesupport, rubygem-rails, rubygem-rack and rubygems. These are the relevant bugzillas:
> 
>     https://bugzilla.redhat.com/show_bug.cgi?id=1115776
>     https://bugzilla.redhat.com/show_bug.cgi?id=1095129
>     https://bugzilla.redhat.com/show_bug.cgi?id=1095127
>     https://bugzilla.redhat.com/show_bug.cgi?id=1095125
>     https://bugzilla.redhat.com/show_bug.cgi?id=1095122
>     https://bugzilla.redhat.com/show_bug.cgi?id=1095120
>     https://bugzilla.redhat.com/show_bug.cgi?id=1095118
>     https://bugzilla.redhat.com/show_bug.cgi?id=961066
>     https://bugzilla.redhat.com/show_bug.cgi?id=948706
>     https://bugzilla.redhat.com/show_bug.cgi?id=924318
>     https://bugzilla.redhat.com/show_bug.cgi?id=924297
>     https://bugzilla.redhat.com/show_bug.cgi?id=905374
>     https://bugzilla.redhat.com/show_bug.cgi?id=905373
>     https://bugzilla.redhat.com/show_bug.cgi?id=891468
>     https://bugzilla.redhat.com/show_bug.cgi?id=847202
>     https://bugzilla.redhat.com/show_bug.cgi?id=843924
>     https://bugzilla.redhat.com/show_bug.cgi?id=831583
>     https://bugzilla.redhat.com/show_bug.cgi?id=731453
>     https://bugzilla.redhat.com/show_bug.cgi?id=731451
>     https://bugzilla.redhat.com/show_bug.cgi?id=731450
>     https://bugzilla.redhat.com/show_bug.cgi?id=677629
>     https://bugzilla.redhat.com/show_bug.cgi?id=1097205
>     https://bugzilla.redhat.com/show_bug.cgi?id=909088
>     https://bugzilla.redhat.com/show_bug.cgi?id=814725
>     https://bugzilla.redhat.com/show_bug.cgi?id=771152
>     https://bugzilla.redhat.com/show_bug.cgi?id=771151
> 
>     Looks scary, but in the end it's just rails, rubygems and rack. All of these are co-maintained with Michael Stahnke, whom I have had no luck contacting either. There are actually more unfixed vulnerabilities, but I am confident they can be fixed by more active maintainers.
> 
> 
> 
> 
> Hey, sorry for not getting some of these updated (you also didn't stay on #fedora-ruby long enough for me to respond). I find that updating many of these breaks API, because ruby library authors are really good at fixing security problems while introducing new issues. Many of them I didn't think I could update in EPEL -- for example moving rails from 2.x to 3.x is a HUGE change. 
> 
> Rubygems got rolled into ruby upstream - so the old rubygems isn't maintained upstream.
> 
> Rack I should fix - they are good at compatibility. 
> 
> 
> I also welcome any co-maintainers on these items. I used to use these packages a lot from EPEL; at my current workplace I don't really.
Thank you for the reply! So this varies from one vulnerability to another, but in general we don't necessarily have to (and according to EPEL guidelines we really shouldn't) update to the next major version just to fix the vulnerability. For example: https://bugzilla.redhat.com/show_bug.cgi?id=731450 is for Rails 2.x in EPEL 5, but backporting a fix (https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd) is easy.

So please respond to my mail from July and we can start working through these; I'm happy to help you with a fix for each of these issues.

Thanks!
-- 
Jan Rusnacko, Fedora Security Team
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




