On Wed, 19 May 2021 22:12:59 +0200 Paul Gevers <elb...@debian.org>
wrote:
> Hi,
>
> On Sat, 15 May 2021 11:18:31 +0000 Debian FTP Masters
> <ftpmas...@ftp-master.debian.org> wrote:
> > rails (2:6.0.3.7+dfsg-1) unstable; urgency=high
> > .
> > * Upload to unstable directly.
> > * New upstream version 6.0.3.7+dfsg. (Closes: #988214)
> > - Prevent slow regex when parsing host authorization header.
> > (Fixed: CVE-2021-22904)
> > - Prevent catastrophic backtracking during mime parsing.
> > (Fixes: CVE-2021-22902)
> > - Prevent string polymorphic route arguments.
> > (Fixes: CVE-2021-22885)
>
> This new rails version renewed its versioned dependency on ruby-marcel.
> The new ruby-marcel version doesn't look like a targeted fix, so it
> doesn't fit the freeze policy. If I read the changelog correctly, this
> dependency is there to give rails a more relaxed license. I think such a
> change is not really needed at this stage of the freeze, does rails
> still work with the old version of ruby-marcel and can the version bump
> be reverted?
>
> Paul
>
The only reverse dependency on ruby-marcel is rails.

pravi@ilvala2:~$ reverse-depends ruby-marcel
Reverse-Depends
* ruby-activestorage
Packages without architectures listed are reverse-dependencies in: all,
amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x

pravi@ilvala2:~$ reverse-depends -b ruby-marcel
Reverse-Build-Depends
* rails

So I think the possible impact of this bump is limited to rails itself,
and going back to the older version is more work and long-term maintenance
diverging from upstream. Would it be possible to give an exception for
ruby-marcel?