Hi Adam,

On Wed, Oct 11, 2017 at 09:15:08PM +0100, Adam D. Barratt wrote:
> On Wed, 2017-10-11 at 22:08 +0200, Holger Wansing wrote:
> > at https://www.debian.org/News/2017/20171007 the DSA link for ruby-rack-cors
> > is dead:
> >
> > https://www.debian.org/security/2017/dsa-3931
> >
> > There is no such DSA.
> > And also no such announcement on https://lists.debian.org/debian-security-announce/
> >
>
> It's in DSA/list in the secure-testing repository:
>
> [10 Aug 2017] DSA-3931-1 ruby-rack-cors - security update
>         {CVE-2017-11173}
>         [stretch] - ruby-rack-cors 0.4.0-1+deb9u1
>
> which is where the stable tools got the information from to begin with.
>
> The package is also in http://security.debian.org/debian-security/pool/updates/main/r/ruby-rack-cors/
>
> So it looks like the announcement went missing somehow. team@security
> CCed for comment.

Indeed, it looks like the announcement at least never arrived in d-s-a.

I wonder if after two months now it still makes sense to send the advisory or at least just import the text for the website. As nobody so far complained, I guess that's an indication that it's not widely used on stable (yet).

Regards,
Salvatore

