Hmm, you're right, the reassignment was wrong. I missed that when I was reassigning the bugs to new packages.

I thought I already sent that to redmine maintainer and the result was that it's the redmine which needs the update.

On Thu, Jun 9, 2011 at 11:10, Jérémy Lal <kapo...@melix.org> wrote:
> On 09/06/2011 10:18, Ondřej Surý wrote:
>> Hi Jérémy,
>>
>> since my ruby is not very good, the question is if we want to release
>> update for redmine or is there a simple way how to fix the API inside
>> the rails?
>
> the bug report might be misleading: html_safe may have been unavailable
> even before the security update. I remember I had an issue with this at some
> point.
> I noticed 2.3.5-1.2+squeeze0.1 is not in the git repository, could you fix
> that?
>
> Jérémy.

and from previous rails maintainer:

On Sat, Jun 11, 2011 at 04:01, Adam Majer <ad...@zombino.com> wrote:
> On Wed, Jun 08, 2011 at 05:02:52PM +0200, Scharon, Daniel wrote:
>> This bug is caused by a regression within rails, which was introduced in
>> the upgrade from 2.3.5-1.2 to 2.3.5-1.2+squeeze0.1
>>
>> See #629067 for the bug report on rails, which is containing a
>> workaround.
>
> I think the proper fix is to remove reference to nonexistent html_safe
> method which doesn't exist in 2.3.5 rails. OpenSUSE has correct fix.
>
> - Adam

Adam, could you please elaborate on this? Do you mean the correct fix for rails or for redmine?

O.

On Mon, Sep 5, 2011 at 16:34, Faidon Liambotis <parav...@debian.org> wrote:
> reassign 629067 libactionpack-ruby
> found 629067 rails/2.3.5-1.2+squeeze0.1
> severity 629067 grave
> thanks
>
> On Fri, Jun 03, 2011 at 12:26:27PM +0200, Vincent-Xavier JUMEL wrote:
>> Package: libactionpack-ruby
>> Version: 2.3.5-1.2+squeeze0.1
>> Severity: normal
>>
>> libactionpack update breaks redmine user view if hide_mail is not enabled.
>> Redmine renderer fails on a nonexistent html_safe method
>>
>> Workaround: change user preference to hidden mail
>> psql> update user_preference set hide_mail = 't' where hide_mail = 'f' ;
>
> This was reassigned to ruby-actionpack-2.3 (present only in wheezy+) but
> it's not really obvious why — no explanative mail was sent to the BTS
> and the bug report remains unanswered.
>
> If it affects another package in wheezy, then it should probably be
> cloned/reassigned instead.
>
> I'm reassigning it back and changing this severity: this was a security
> update that broke an unrelated package (redmine) *in stable*. This is
> /not/ acceptable according to the security team's guidelines.
>
> You could say that either the fix should be adapted or that the call
> sites (redmine) should be fixed. I'd vote for the first, though, since
> we can't really know what else has been broken by this change (in the
> archive, let alone user-installed applications...)
>
> In any case, I'm adding redmine maintainers & the security team to the
> Cc in case they have something useful to add.
>
> Regards,
> Faidon
>

--
Ondřej Surý <ond...@sury.org>
http://blog.rfc1925.org/