On Tue, Dec 10, 2013 at 05:31:33PM +0100, Moritz Muehlenhoff wrote:
> Package: libruby1.8
> Version: 1.8.7.358-8
> Severity: serious
> File: ruby1.8
>
> There are already three Ruby releases in Jessie.
>
> Also quoting from
> https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
> :
>
> | Please note that Ruby 1.8 series or any earlier releases are already obsoleted. There is no
> | plan to release new FIXED versions for them. Users of such versions are advised to upgrade
> | as soon as possible as we cannot guarantee the continued availability of security fixes for
> | unsupported releases.
>
> So ruby1.8 should be removed for jessie.

The transition to be able to do this has been worked on since mid-2013:

http://release.debian.org/transitions/html/ruby1.8-removal.html

It's not easy given the amount, relevance and depth of the reverse
dependency chain. The situation at the beginning was a lot worse, but we
will get there.

More information on https://wiki.debian.org/Teams/Ruby/Jessie (the Ruby
1.8 removal is the very first item; the status of those work items is
not up to date, e.g. several of the ones in "TODO" are actually "WIP").

-- 
Antonio Terceiro <terce...@debian.org>