From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sat, 03 Dec 2022 22:20:04 +0000 (UTC)
From: "austin (Austin Ziegler)"
To: ruby-core@ml.ruby-lang.org
Reply-To: Ruby developers
Subject: [ruby-core:111188] [Ruby master Misc#19178] How does CRuby handle CVE issues in stdlib gems which get patched?
List-Id: Ruby developers
X-Mailer: Redmine
X-Redmine-Host: bugs.ruby-lang.org
X-Redmine-Site: Ruby Issue Tracking System
X-Redmine-Project: ruby-master
X-Redmine-Issue-Tracker: Misc
X-Redmine-Issue-Id: 19178
X-Redmine-Issue-Author: Segaja
X-Redmine-Sender: austin
Content-Type: text/plain; charset="utf-8"

Issue #19178 has been updated by austin (Austin Ziegler).

Segaja (Andreas Schleifer) wrote in #note-4:
> austin (Austin Ziegler) wrote in #note-3:
> > > "may"? This sounds like sometimes CVEs are not considered "important" enough and do not warrant a new CRuby release. Or do I misunderstand this?
> >
> > Since the stdlib gems are able to be upgraded independently of Ruby, the need for *immediate* CRuby releases (or other Ruby release versions) is reduced.
>
> I think we have a naming difference here. I'm talking about the "default gems" as listed on https://stdgems.org/3.0.4/ for example for CRuby version 3.0.4. From all I understood these "default gems" are shipped with the main ruby version and can not be updated independently. So my question is how CVEs in those (for example the `json` default gem) will be handled.

No, they can be upgraded independently.

```console
$ ruby -rjson -e 'puts "JSON: #{JSON::VERSION}"'
JSON: 2.6.1
$ gem search '^json$'
*** REMOTE GEMS ***

json (2.6.2 ruby java, 1.1.5 x86-linux, 1.1.1 mswin32)
$ gem install json
Fetching json-2.6.2.gem
Building native extensions. This could take a while...
Successfully installed json-2.6.2
Parsing documentation for json-2.6.2
Installing ri documentation for json-2.6.2
Done installing documentation for json after 0 seconds
1 gem installed
$ ruby -rjson -e 'puts "JSON: #{JSON::VERSION}"'
JSON: 2.6.2
```

I’m currently using Ruby 3.1.

----------------------------------------
Misc #19178: How does CRuby handle CVE issues in stdlib gems which get patched?
https://bugs.ruby-lang.org/issues/19178#change-100472

* Author: Segaja (Andreas Schleifer)
* Status: Open
* Priority: Normal
----------------------------------------
If there is a CVE issue in one of the stdlibs ( https://stdgems.org/ ) which gets patched, what is CRubys approach on how to push this critical fix to the users?

As far as I know stdlibs get only updated for the users if CRuby releases a new version. So will CRuby always release a new version if there is a critical fix an stdlib "needs" to be updated?

-- 
https://bugs.ruby-lang.org/
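
An added example, not part of the message above or of the Ruby project's code: a small audit that reports, for each gem, the version a plain `require` would load and whether the default copy shipped with Ruby is still older than a required minimum. The function names, the sample inventories and the "minimum fixed" version are assumptions constructed for illustration; the json versions mirror the console session in the message.

```ruby
require "rubygems"

# Every installed copy of each gem, default (shipped with Ruby) or not.
def installed_gem_inventory
  Gem::Specification.each_with_object(Hash.new { |h, k| h[k] = [] }) do |spec, inv|
    inv[spec.name] << { version: spec.version.to_s, default: spec.default_gem? }
  end
end

# Compare each gem against a minimum fixed version.
# Without Bundler or an explicit pin, `require` activates the highest
# installed copy, so that is the version judged here.
def audit_default_gems(inventory, minimums)
  minimums.map do |name, min|
    min_v    = Gem::Version.new(min)
    versions = inventory.fetch(name, []).map { |c| [Gem::Version.new(c[:version]), c[:default]] }
    loaded   = versions.map(&:first).max
    status   = if loaded.nil? then :not_installed
               elsif loaded >= min_v then :ok
               else :needs_upgrade
               end
    # A default copy older than the minimum stays on disk after `gem install`
    # and can still be selected by a version pin.
    stale = versions.any? { |v, default| default && v < min_v }
    { gem: name, loaded: loaded&.to_s, status: status, stale_default: stale }
  end
end

# Constructed sample data: the versions mirror the console session in the
# message; the "minimum fixed" version is a placeholder, not a real advisory.
SAMPLE_BEFORE = { "json" => [{ version: "2.6.1", default: true }] }.freeze
SAMPLE_AFTER  = { "json" => [{ version: "2.6.1", default: true },
                             { version: "2.6.2", default: false }] }.freeze
SAMPLE_MINIMUMS = { "json" => "2.6.2" }.freeze

if $PROGRAM_NAME == __FILE__
  puts audit_default_gems(SAMPLE_BEFORE, SAMPLE_MINIMUMS).inspect
  puts audit_default_gems(SAMPLE_AFTER, SAMPLE_MINIMUMS).inspect
  # Live check against this interpreter, using the same placeholder minimum.
  puts audit_default_gems(installed_gem_inventory, SAMPLE_MINIMUMS).inspect
end
```

A result with `status: :ok` and `stale_default: true` is the state after the `gem install json` step in the message: the newer copy is loaded by default, while the older default copy remains installed alongside it.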