Hi Santiago,

Thanks for looking into this and keeping the security-team as well in the loop (really appreciated).

On Fri, Aug 21, 2015 at 11:12:28AM +0200, Santiago Ruano Rincón wrote:
> Hi,
>
> I've taken a look at
> https://security-tracker.debian.org/tracker/CVE-2009-5147
> in the 1.8 and 1.9.1 versions of ruby and I am unsure if they deserve a
> DLA/DSA on their own.
>
> I've been unable to find more information to take advantage of this
> issue, and other vendors consider this as low priority and even wontfix.
>
> For squeeze, the patches are already on the collab-maint repos. I can do
> it for wheezy too. Do you think it's ok to wait to upload them along
> with a further and more important fix?

I think we should mark it as no-dsa for wheezy and jessie (2.1). When looking at the issue I added some further notes attached to the CVE, but kept the TODO: check, so that others might double-check this.

Regards,
Salvatore
