Hi Ola, I had a look in this package a couple of weeks ago and I found the same problem. I discussed it with Antonio and I think that we can skip this package instead of add a new dependency in wheezy. We guess that implement a cookie_jar "by hand" is not a good idea :)
Cheers, Em sex, 20 de mai de 2016 08:02, Ola Lundqvist <[email protected]> escreveu: > Hi ruby-rest-client maintainer(s) and Debian LTS team > > This is my second contribution to Debian LTS and this time I need some > advice. This fix require a dependency on ruby-http-cookie which is not in > wheezy. > > I have prepared an update of the ruby-rest-client package to correct the > problem described in > https://security-tracker.debian.org/tracker/CVE-2015-1820 > (I have not fixed CVE-2015-3448 as it was marked as "no DSA" in the > security tracker). > > The change was simple as the fix was in jessie 1.6.7-6 with a prepared > patch. So I have simply copied the patch file and series file to the > debian/patch directory, changed the changelog and control file and rebuilt. > > The prepared package is here: > http://apt.inguza.net/wheezy-security/ruby-rest-client > The debdiff is here: > > http://apt.inguza.net/wheezy-security/ruby-rest-client/debdiff-against-previous-version-in-wheezy.patch > > I see two options: > 1) I upload this fix above and we introduce the ruby-http-cookie (its > dependencies are already there, I have tested with the jessie version of > ruby-http-cookie on wheezy, so it is just to add this package too) > 2) We tell that the fix is not important enough. > I do not see the point in trying to change the correction in some other > way for wheezy. > > Thanks in advance. > > Best regards, > > // Ola > > -- > --- Inguza Technology AB --- MSc in Information Technology ---- > / [email protected] Folkebogatan 26 \ > | [email protected] 654 68 KARLSTAD | > | http://inguza.com/ Mobile: +46 (0)70-332 1551 | > \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / > --------------------------------------------------------------- > >
