Debian Bug report logs - #988214
CVE-2021-22885 CVE-2021-22902 CVE-2021-22904


Package: rails; Maintainer for rails is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 7 May 2021 19:39:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version rails/2:6.0.3.5+dfsg-1

Fixed in versions rails/2:6.0.3.7+dfsg-1, rails/2:5.2.2.1+dfsg-1+deb10u3

Done: Utkarsh Gupta <utkarsh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#988214; Package rails. (Fri, 07 May 2021 19:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 07 May 2021 19:39:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2021-22885 CVE-2021-22902 CVE-2021-22904
Date: Fri, 07 May 2021 21:35:30 +0200
Package: rails
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

CVE-2021-22904:
https://github.com/rails/rails/commit/d861fa8ade353390c4419b53a6c6b41f3005b1f2 (v6.0.3.7)

CVE-2021-22902:
Fixed by: https://github.com/rails/rails/commit/446afbd15360a347c923ca775b21a286dcb5297a (v6.0.3.7)

CVE-2021-22885:
https://github.com/rails/rails/commit/f202249bdd701f908a57d733e633d366a982f8ce (v6.0.3.7)

Cheers,
        Moritz



Marked as found in versions rails/2:6.0.3.5+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 07 May 2021 19:45:05 GMT) (full text, mbox, link).


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 07 May 2021 19:45:06 GMT) (full text, mbox, link).


Reply sent to Utkarsh Gupta <utkarsh@debian.org>:
You have taken responsibility. (Sat, 15 May 2021 11:21:05 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 15 May 2021 11:21:05 GMT) (full text, mbox, link).


Message #14 received at 988214-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988214-close@bugs.debian.org
Subject: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Date: Sat, 15 May 2021 11:18:31 +0000
Source: rails
Source-Version: 2:6.0.3.7+dfsg-1
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988214@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 15 May 2021 16:05:45 +0530
Source: rails
Architecture: source
Version: 2:6.0.3.7+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Closes: 988214
Changes:
 rails (2:6.0.3.7+dfsg-1) unstable; urgency=high
 .
   * Upload to unstable directly.
   * New upstream version 6.0.3.7+dfsg. (Closes: #988214)
     - Prevent slow regex when parsing host authorization header.
       (Fixed: CVE-2021-22904)
     - Prevent catastrophic backtracking during mime parsing.
       (Fixes: CVE-2021-22902)
     - Prevent string polymorphic route arguments.
       (Fixes: CVE-2021-22885)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#988214; Package rails. (Wed, 19 May 2021 20:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to 988214@bugs.debian.org, elbrus@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 19 May 2021 20:15:03 GMT) (full text, mbox, link).


Message #19 received at 988214@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: 988214@bugs.debian.org
Subject: Re: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Date: Wed, 19 May 2021 22:12:59 +0200
Hi,

On Sat, 15 May 2021 11:18:31 +0000 Debian FTP Masters
<ftpmaster@ftp-master.debian.org> wrote:
>  rails (2:6.0.3.7+dfsg-1) unstable; urgency=high
>  .
>    * Upload to unstable directly.
>    * New upstream version 6.0.3.7+dfsg. (Closes: #988214)
>      - Prevent slow regex when parsing host authorization header.
>        (Fixed: CVE-2021-22904)
>      - Prevent catastrophic backtracking during mime parsing.
>        (Fixes: CVE-2021-22902)
>      - Prevent string polymorphic route arguments.
>        (Fixes: CVE-2021-22885)

This new rails version renewed its versioned dependency on ruby-marcel.
The new ruby-marcel version doesn't look like a targeted fix, so it
doesn't fit the freeze policy. If I read the changelog correctly, this
dependency is there to give rails a more relaxed license. I think such a
change is not really needed at this stage of the freeze, does rails
still work with the old version of ruby-marcel and can the version bump
be reverted?

Paul


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#988214; Package rails. (Thu, 20 May 2021 17:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Pirate Praveen <praveen@onenetbeyond.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 20 May 2021 17:09:03 GMT) (full text, mbox, link).


Message #24 received at 988214@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@onenetbeyond.org>
To: 988214@bugs.debian.org
Cc: Paul Gevers <elbrus@debian.org>
Subject: Re: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Date: Thu, 20 May 2021 22:36:37 +0530
On Wed, 19 May 2021 22:12:59 +0200 Paul Gevers <elbrus@debian.org> wrote:
> Hi,
>
> On Sat, 15 May 2021 11:18:31 +0000 Debian FTP Masters
> <ftpmaster@ftp-master.debian.org> wrote:
> >  rails (2:6.0.3.7+dfsg-1) unstable; urgency=high
> >  .
> >    * Upload to unstable directly.
> >    * New upstream version 6.0.3.7+dfsg. (Closes: #988214)
> >      - Prevent slow regex when parsing host authorization header.
> >        (Fixed: CVE-2021-22904)
> >      - Prevent catastrophic backtracking during mime parsing.
> >        (Fixes: CVE-2021-22902)
> >      - Prevent string polymorphic route arguments.
> >        (Fixes: CVE-2021-22885)
>
> This new rails version renewed its versioned dependency on ruby-marcel.
> The new ruby-marcel version doesn't look like a targeted fix, so it
> doesn't fit the freeze policy. If I read the changelog correctly, this
> dependency is there to give rails a more relaxed license. I think such a
> change is not really needed at this stage of the freeze, does rails
> still work with the old version of ruby-marcel and can the version bump
> be reverted?
>
> Paul
>

The only reverse dependency on ruby-marcel is rails.

pravi@ilvala2:~$ reverse-depends ruby-marcel
Reverse-Depends
* ruby-activestorage

Packages without architectures listed are reverse-dependencies in: all, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
pravi@ilvala2:~$ reverse-depends -b ruby-marcel
Reverse-Build-Depends
* rails

So I think the possible impact of this bump is limited to rails itself,
and going back to the older version is more work and long-term maintenance
diverging from upstream. Would it be possible to give an exception for
ruby-marcel?


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#988214; Package rails. (Thu, 20 May 2021 17:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 20 May 2021 17:45:02 GMT) (full text, mbox, link).


Message #29 received at 988214@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: Pirate Praveen <praveen@onenetbeyond.org>, 988214@bugs.debian.org
Subject: Re: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Date: Thu, 20 May 2021 19:43:36 +0200
Hi Pirate,

On 20-05-2021 19:06, Pirate Praveen wrote:
> Would it be possible to give an exception for
> ruby-marcel?

I already said, the changes in ruby-marcel are much more than what we
give exceptions for. The new ruby-marcel is not a targeted fix according
to our freeze policy. If rails just works with the old ruby-marcel and
the "only" reason for the version bump is the change of license, then
please downgrade the versioned dependency in rails again. If there are
(much) more changes in rails because of the new ruby-marcel, then please
elaborate, but then let's have an unblock request to discuss things.

Paul


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#988214; Package rails. (Mon, 24 May 2021 09:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 24 May 2021 09:39:02 GMT) (full text, mbox, link).


Message #34 received at 988214@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <utkarsh@debian.org>
To: Paul Gevers <elbrus@debian.org>
Cc: 988214@bugs.debian.org
Subject: Re: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Date: Mon, 24 May 2021 15:05:15 +0530
Hi Paul,

On Wed, 19 May 2021 22:12:59 +0200 Paul Gevers <elbrus@debian.org> wrote:
> This new rails version renewed its versioned dependency on ruby-marcel.
> The new ruby-marcel version doesn't look like a targeted fix, so it
> doesn't fit the freeze policy. If I read the changelog correctly, this
> dependency is there to give rails a more relaxed license. I think such a
> change is not really needed at this stage of the freeze, does rails
> still work with the old version of ruby-marcel and can the version bump
> be reverted?

Apologies, I missed (naturally because it wasn't copied) the conversation
on this bug prior to opening an unblock request for both.

Whilst I agree that ruby-marcel isn't really a targeted fix, I believe the
bump was necessary to maintain sanity with future bug-fix releases of rails.
I've been trying to maintain rails from sid (back to jessie), ensuring that the
CVEs are at least timely fixed. During that course, I've hit a lot of bumps
because of the version gaps, et al, so in this release I wanted rails to be
at par with its supported bug-fix only release (that is, the 6.0.3.x branch).

6.0.3.6 brings in an unusual change by bumping ruby-marcel to 1.0.0. But
after a lot of testing, sanity checking, et al, I found that the changes in
marcel are a no-op, that is, it doesn't really affect how marcel was before
and it is now. Marcel wanted to drop mimemagic dependency and so they
introduced a Magic class (Marcel::Magic) for mime type detection.

I know that it doesn't go along with the freeze policy atm, but I also believe
that it's not really something that'd actually cause problems. IIUC, the
bump doesn't really affect much but just does things differently internally.
So is this edge case worth giving an exception along those lines?

The bump shall yield nothing but (really) help in providing support to rails
for the next couple of years in/for bullseye (at least while it's
still supported).
Let me know what you think? Thanks!


- u



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#988214; Package rails. (Thu, 27 May 2021 19:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 27 May 2021 19:54:03 GMT) (full text, mbox, link).


Message #39 received at 988214@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: Utkarsh Gupta <utkarsh@debian.org>
Cc: 988214@bugs.debian.org, 989037@bugs.debian.org, Debian bugs control server <control@bugs.debian.org>
Subject: Re: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Date: Thu, 27 May 2021 21:51:03 +0200
tag 989037 moreinfo
thanks

Hi,

On 24-05-2021 11:35, Utkarsh Gupta wrote:
> On Wed, 19 May 2021 22:12:59 +0200 Paul Gevers <elbrus@debian.org> wrote:
>> This new rails version renewed its versioned dependency on ruby-marcel.
>> The new ruby-marcel version doesn't look like a targeted fix, so it
>> doesn't fit the freeze policy. If I read the changelog correctly, this
>> dependency is there to give rails a more relaxed license. I think such a
>> change is not really needed at this stage of the freeze, does rails
>> still work with the old version of ruby-marcel and can the version bump
>> be reverted?
> 
> Apologies, I missed (naturally because it wasn't copied) the conversation
> on this bug prior to opening an unblock request for both.
> 
> Whilst I agree that ruby-marcel isn't really a targeted fix, I believe the
> bump was necessary to maintain sanity with future bug-fix releases of rails.
> I've been trying to maintain rails from sid (back to jessie), ensuring that the
> CVEs are at least timely fixed. During that course, I've hit a lot of bumps
> because of the version gaps, et al, so in this release I wanted rails to be
> at par with its supported bug-fix only release (that is, the 6.0.3.x branch).
> 
> 6.0.3.6 brings in an unusual change by bumping ruby-marcel to 1.0.0. But
> after a lot of testing, sanity checking, et al, I found that the changes in
> marcel are a no-op, that is, it doesn't really affect how marcel was before
> and it is now. Marcel wanted to drop mimemagic dependency and so they
> introduced a Magic class (Marcel::Magic) for mime type detection.
> 
> I know that it doesn't go along with the freeze policy atm, but I also believe
> that it's not really something that'd actually cause problems. IIUC, the
> bump doesn't really affect much but just does things differently internally.
> So is this edge case worth giving an exception along those lines?
> 
> The bump shall yield nothing but (really) help in providing support to rails
> for the next couple of years in/for bullseye (at least while it's
> still supported).
> Let me know what you think? Thanks!

You haven't answered my question: "does rails still work with the old
version of ruby-marcel and can the version bump be reverted"

Paul


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#988214; Package rails. (Thu, 03 Jun 2021 20:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <elbrus@debian.org>, 989037@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 03 Jun 2021 20:09:02 GMT) (full text, mbox, link).


Message #44 received at 988214@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: Utkarsh Gupta <utkarsh@debian.org>
Cc: 988214@bugs.debian.org
Subject: Re: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Date: Thu, 3 Jun 2021 22:08:14 +0200
Hi Utkarsh,

On 27-05-2021 21:51, Paul Gevers wrote:
> You haven't answered my question: "does rails still work with the old
> version of ruby-marcel and can the version bump be reverted"

Ping. Without a proper answer, I can't decide.

Paul


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#988214; Package rails. (Fri, 04 Jun 2021 09:30:05 GMT) (full text, mbox, link).


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 04 Jun 2021 09:30:05 GMT) (full text, mbox, link).


Message #49 received at 988214@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <utkarsh@debian.org>
To: Paul Gevers <elbrus@debian.org>, 989037@bugs.debian.org
Cc: 988214@bugs.debian.org
Subject: Re: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Date: Fri, 4 Jun 2021 14:56:25 +0530
Hi Paul,

On Fri, Jun 4, 2021 at 1:38 AM Paul Gevers <elbrus@debian.org> wrote:
> > You haven't answered my question: "does rails still work with the old
> > version of ruby-marcel and can the version bump be reverted"
>
> Ping. Without a proper answer, I can't decide.

Thanks, I'm yet to figure that out and hopefully do this on the weekend.
If it were to work with the older ruby-marcel, can I then just push
the newer rails to bullseye directly? Now that marcel's at v1.0 in
unstable, I don't want to downgrade again.


- u



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#988214; Package rails. (Sun, 06 Jun 2021 04:18:02 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 06 Jun 2021 04:18:02 GMT) (full text, mbox, link).


Message #54 received at 988214@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: Utkarsh Gupta <utkarsh@debian.org>, 989037@bugs.debian.org
Cc: 988214@bugs.debian.org
Subject: Re: Bug#989037: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Date: Sun, 6 Jun 2021 06:14:43 +0200
Hi Utkarsh,

On 04-06-2021 11:26, Utkarsh Gupta wrote:
> On Fri, Jun 4, 2021 at 1:38 AM Paul Gevers <elbrus@debian.org> wrote:
>>> You haven't answered my question: "does rails still work with the old
>>> version of ruby-marcel and can the version bump be reverted"
>>
>> Ping. Without a proper answer, I can't decide.
> 
> Thanks, I'm yet to figure that out and hopefully do this on weekend.
> If it were to work with the older ruby-marcel, can I then just push
> the newer rails to bullseye directly? Now that marcel's at v1.0 in
> unstable, I don't want to downgrade again.

I am hoping it's possible to just downgrade the *dependency* in rails
only, such that the upload can happen via unstable. There is no "direct
bullseye" route. Or do you expect you'll have to make (lots of) changes
to rails to match the right ruby-marcel package? If that's the case,
then ruby-marcel/unstable isn't a drop-in replacement for
ruby-marcel/bullseye and I'd expect that ruby-marcel/unstable would need
a versioned Breaks for reverse dependent packages (ruby-activestorage),
but I'm not seeing that.

Paul


Reply sent to Utkarsh Gupta <utkarsh@debian.org>:
You have taken responsibility. (Fri, 11 Jun 2021 09:51:09 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 11 Jun 2021 09:51:09 GMT) (full text, mbox, link).


Message #59 received at 988214-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988214-close@bugs.debian.org
Subject: Bug#988214: fixed in rails 2:5.2.2.1+dfsg-1+deb10u3
Date: Fri, 11 Jun 2021 09:47:17 +0000
Source: rails
Source-Version: 2:5.2.2.1+dfsg-1+deb10u3
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988214@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 06 Jun 2021 18:26:33 +0530
Source: rails
Binary: rails ruby-actioncable ruby-actionmailer ruby-actionpack ruby-actionview ruby-activejob ruby-activemodel ruby-activerecord ruby-activestorage ruby-activesupport ruby-rails ruby-railties
Architecture: source all
Version: 2:5.2.2.1+dfsg-1+deb10u3
Distribution: buster-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Description:
 rails      - MVC ruby based framework geared for web application development (
 ruby-actioncable - WebSocket framework for Rails (part of Rails)
 ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
 ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
 ruby-actionview - framework for handling view template lookup and rendering (part o
 ruby-activejob - job framework with pluggable queues
 ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
 ruby-activerecord - object-relational mapper framework (part of Rails)
 ruby-activestorage - Local and cloud file storage framework (part of Rails)
 ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
 ruby-rails - MVC ruby based framework geared for web application development
 ruby-railties - tools for creating, working with, and running Rails applications
Closes: 988214
Changes:
 rails (2:5.2.2.1+dfsg-1+deb10u3) buster-security; urgency=high
 .
   * Add patch to prevent string polymorphic route
     arguments. (Fixes: CVE-2021-22885) (Closes: #988214)
   * Add patch to prevent slow regex when parsing host auth
     header. (Fixes: CVE-2021-22904) (Closes: #988214)
   * Add patch to fix possible DoS vector in PostgreSQL
     money type. (Fixes: CVE-2021-22880)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#988214; Package rails. (Fri, 18 Jun 2021 20:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to 989037@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 18 Jun 2021 20:27:03 GMT) (full text, mbox, link).


Message #64 received at 988214@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: Utkarsh Gupta <utkarsh@debian.org>, 989037@bugs.debian.org
Cc: 988214@bugs.debian.org
Subject: Re: Bug#989037: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Date: Fri, 18 Jun 2021 22:23:39 +0200
Hi Utkarsh

On 06-06-2021 06:14, Paul Gevers wrote:
> I am hoping it's possible to just downgrade the *dependency* in rails
> only, such that the upload can happen via unstable. There is no "direct
> bullseye" route. Or do you expect you'll have to make (lots of) changes
> to rails to match the right ruby-marcel package? If that's the case,
> then ruby-marcel/unstable isn't a drop-in replacement for
> ruby-marcel/bullseye and I'd expect that ruby-marcel/unstable would need
> a versioned Breaks for reverse dependent packages (ruby-activestorage),
> but I'm not seeing that.

Did your experimenting (as discussed on IRC last week) yield anything?

Paul


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#988214; Package rails. (Sun, 04 Jul 2021 20:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 04 Jul 2021 20:27:05 GMT) (full text, mbox, link).


Message #69 received at 988214@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 989037@bugs.debian.org
Cc: Utkarsh Gupta <utkarsh@debian.org>, 988214@bugs.debian.org
Subject: Re: Bug#989037: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1
Date: Sun, 4 Jul 2021 22:26:01 +0200
Hi Utkarsh,

On Fri, Jun 18, 2021 at 10:23:39PM +0200, Paul Gevers wrote:
> Hi Utkarsh
> 
> On 06-06-2021 06:14, Paul Gevers wrote:
> > I am hoping it's possible to just downgrade the *dependency* in rails
> > only, such that the upload can happen via unstable. There is no "direct
> > bullseye" route. Or do you expect you'll have to make (lots of) changes
> > to rails to match the right ruby-marcel package? If that's the case,
> > then ruby-marcel/unstable isn't a drop-in replacement for
> > ruby-marcel/bullseye and I'd expect that ruby-marcel/unstable would need
> > a versioned Breaks for reverse dependent packages (ruby-activestorage),
> > but I'm not seeing that.
> 
> Did your experimenting (as discussed on IRC last week) yield anything?

Since the bullseye release is fast approaching, do you have any news
on the above?

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Aug 2021 07:24:58 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 8 03:04:52 2023; Machine Name: buxtehude
