On Sat, 2017-11-04 at 22:08 +0100, Salvatore Bonaccorso wrote:
> Hi Antonio
>
> Sorry for the late reply
>
> On Mon, Oct 23, 2017 at 11:49:28AM -0200, Antonio Terceiro wrote:
> > Hi security team,
> >
> > I have prepared a security update for ruby2.3.
> >
> > It includes all the pending recent CVEs, plus a fix for a bug that
> > causes runaway child processes hogging the CPU, noticed at least in
> > puppet.
>
> For the latter one, not directly a security issue, strictly speaking
> we would need an ack from the SRM to see they would ack it to a point
> release and then we can pick it as well for a security update. The
> patch though looks confined enough that I would trust it's okay as
> well for SRM to see it included (Cc'ed explicitly Adam).
Assuming that's "0005-thread_pthread.c-do-not-wakeup-inside-child-processe.patch",
it looks okay to me.

As I've previously mentioned to Salvatore in another discussion, the fact
that the patch hasn't been applied in unstable, afaict, doesn't fit our
usual requirements for accepting patches in stable. I understand there are
reasons for that, and the upload going via the security archive does make
things slightly easier from that perspective, but as things stand I
imagine we'll end up pushing +deb9u2 into unstable during the next point
release, as we did with +deb9u1 recently.

Regards,

Adam