Hi Renan,

Thanks for looking into this. Your rationale of not packaging the latest release makes sense to me. I did a quick skimming of the changelog between v2.9.1 and v2.13.2 and found two fixed issues that are somewhat concerning, especially [2]:

[1] Fix a potential crash in large negative floating point number generation
    Release: v2.12.1
    Commit: https://github.com/ruby/json/commit/d73ae93d3cf7f58a83d4aef4392f48c4de8c11a5

[2] Fix a potential crash in the C extension parser.
    Release: v2.10.2
    Commit: https://github.com/ruby/json/commit/cf242d89a0523bacd5238a59c77b33411b8c3208

[2] fixes an out-of-bound write for malformed utf-8 sequences. Do you think not including this will have security implications?

--
https://bugs.launchpad.net/bugs/2115398

Title:
  [MIR] ruby-json
