(fixed the subject to mention the right package)

On Fri, May 20, 2016 at 01:02:11PM +0200, Ola Lundqvist wrote:
> Hi ruby-rest-client maintainer(s) and Debian LTS team
>
> This is my second contribution to Debian LTS and this time I need some
> advice. This fix requires a dependency on ruby-http-cookie which is not in
> wheezy.
>
> I have prepared an update of the ruby-rest-client package to correct the
> problem described in
> https://security-tracker.debian.org/tracker/CVE-2015-1820
> (I have not fixed CVE-2015-3448 as it was marked as "no DSA" in the
> security tracker).
>
> The change was simple as the fix was in jessie 1.6.7-6 with a prepared
> patch. So I have simply copied the patch file and series file to the
> debian/patch directory, changed the changelog and control file and rebuilt.
>
> The prepared package is here:
> http://apt.inguza.net/wheezy-security/ruby-rest-client
> The debdiff is here:
> http://apt.inguza.net/wheezy-security/ruby-rest-client/debdiff-against-previous-version-in-wheezy.patch
>
> I see two options:
> 1) I upload this fix above and we introduce the ruby-http-cookie (its
> dependencies are already there, I have tested with the jessie version of
> ruby-http-cookie on wheezy, so it is just to add this package too)
> 2) We tell that the fix is not important enough.
> I do not see the point in trying to change the correction in some other way
> for wheezy.

Can you introduce new packages in LTS? If you can, then just doing that and using the patch that was applied in jessie is probably good enough.
