Message ID | 20220629155555.5478-1-remco@remworks.net |
---|---|
State | New |
Series | [bug#56303] gnu: ruby: Update to 3.0.4 [security fixes]. |
Commit Message
Remco van 't Veer
June 29, 2022, 3:55 p.m. UTC
Includes fixes for: CVE-2022-28738, CVE-2022-28739, CVE-2021-41819, CVE-2021-41816, and CVE-2021-41817.

* gnu/packages/ruby.scm (ruby-3.0): Update to 3.0.4.
---
 gnu/packages/ruby.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
Comments
Remco van 't Veer wrote on Wed 29-06-2022 at 17:55 [+0200]:
> (define-public ruby-3.0 > (package > (inherit ruby-2.7) > - (version "3.0.2") > + (version "3.0.4") > (source > (origin > (method url-fetch) > @@ -198,7 +199,7 @@ (define-public ruby-3.0 > "/ruby-" version ".tar.xz")) > (sha256 > (base32 > - "0h2w2ms4gx2s96v3lzdr3add94bd2qqkhdjzaycmaqhg21rpf3jp")))))) > + "1w7jpq3flnm007z5kj8kixgm8l4smb80w8ak4993a12j0irzq8lf"))))))

Hash matches what I get locally (without fallbacks). The download matches the hashes at <https://www.ruby-lang.org/en/news/2022/04/12/ruby-3-0-4-released/>.

Next step: compare diff ...
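The hash comparison described in the message above involves two notations: Guix writes SHA-256 values in its own base32 alphabet, while the upstream release page publishes hex. The sketch below is an added example, not part of the thread or of Guix; it converts between the two so they can be compared, the function names are illustrative, and the upstream hex value is left for the caller to supply.

```python
import hashlib

# Guix/Nix base32 alphabet: digits and lowercase letters without e, o, t, u.
ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"


def nix32_encode(digest: bytes) -> str:
    """Encode raw digest bytes the way a Guix (base32 "...") field is written."""
    n = int.from_bytes(digest, "little")
    length = (len(digest) * 8 - 1) // 5 + 1
    return "".join(ALPHABET[(n >> (5 * i)) & 31] for i in reversed(range(length)))


def nix32_decode(text: str, size: int = 32) -> bytes:
    """Decode a Guix base32 string into `size` raw digest bytes."""
    if len(text) != (size * 8 - 1) // 5 + 1:
        raise ValueError(f"expected a {size}-byte digest, got {len(text)} characters")
    n = 0
    for ch in text:
        value = ALPHABET.find(ch)
        if value < 0:
            raise ValueError(f"{ch!r} is not in the Guix base32 alphabet")
        n = (n << 5) | value
    if n >> (size * 8):
        raise ValueError("padding bits in the first character are not zero")
    # The digest is read as a little-endian integer, most significant bits first.
    return n.to_bytes(size, "little")


def same_digest(guix_base32: str, upstream_hex: str) -> bool:
    """Compare a package hash with a hex SHA-256 as published upstream."""
    return nix32_decode(guix_base32) == bytes.fromhex(upstream_hex.strip())


if __name__ == "__main__":
    # The two hashes from the patch, printed in the hex form upstream uses.
    for label, h in (("3.0.2", "0h2w2ms4gx2s96v3lzdr3add94bd2qqkhdjzaycmaqhg21rpf3jp"),
                     ("3.0.4", "1w7jpq3flnm007z5kj8kixgm8l4smb80w8ak4993a12j0irzq8lf")):
        print(label, nix32_decode(h).hex())
    # Constructed sample: hash some bytes locally and confirm both forms agree.
    sample = hashlib.sha256(b"constructed sample tarball").digest()
    print(same_digest(nix32_encode(sample), sample.hex()))
```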
Maxime Devos wrote on Thu 30-06-2022 at 12:07 [+0200]:
> Remco van 't Veer wrote on Wed 29-06-2022 at 17:55 [+0200]:
> > (define-public ruby-3.0 > > (package > > (inherit ruby-2.7) > > - (version "3.0.2") > > + (version "3.0.4") > > (source > > (origin > > (method url-fetch) > > @@ -198,7 +199,7 @@ (define-public ruby-3.0 > > "/ruby-" version ".tar.xz")) > > (sha256 > > (base32 > > - > "0h2w2ms4gx2s96v3lzdr3add94bd2qqkhdjzaycmaqhg21rpf3jp")))))) > > + > "1w7jpq3flnm007z5kj8kixgm8l4smb80w8ak4993a12j0irzq8lf"))))))
>
> Hash matches what I get locally (without fallbacks).
> The download matches the hashes at
> <https://www.ruby-lang.org/en/news/2022/04/12/ruby-3-0-4-released/>.
>
> Next step: compare diff ...

Aside from some old bundling & generated file issues (for which I've made another (non-blocking) bug report), diff didn't seem ‘suspicious’ while scrolling through it, though it would be rather easy to hide something there.

So assuming it builds, I don't expect problems with this update. (Also, it doesn't have any dependents.)

Greetings,
Maxime.
Remco van 't Veer <remco@remworks.net> writes:
> Includes fixes for: CVE-2022-28738, CVE-2022-28739, CVE-2021-41819,
> CVE-2021-41816, and CVE-2021-41817.
>
> * gnu/packages/ruby.scm (ruby-3.0): Update to 3.0.4.

Applied, thanks!
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 68e5d8dfd6..41774b4907 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -28,6 +28,7 @@ ;;; Copyright © 2021 EuAndreh <eu@euandre.org> ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin@mailbox.org> ;;; Copyright © 2021 Giovanni Biscuolo <g@xelera.eu> +;;; Copyright © 2022 Remco van 't Veer <remco@remworks.net> ;;; ;;; This file is part of GNU Guix. ;;; @@ -189,7 +190,7 @@ (define-public ruby-2.7 (define-public ruby-3.0 (package (inherit ruby-2.7) - (version "3.0.2") + (version "3.0.4") (source (origin (method url-fetch) @@ -198,7 +199,7 @@ (define-public ruby-3.0 "/ruby-" version ".tar.xz")) (sha256 (base32 - "0h2w2ms4gx2s96v3lzdr3add94bd2qqkhdjzaycmaqhg21rpf3jp")))))) + "1w7jpq3flnm007z5kj8kixgm8l4smb80w8ak4993a12j0irzq8lf")))))) (define-public ruby-3.1 (package
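Review bot: The `(version "3.0.4")` line in the `@@ -189,7 +190,7 @@` hunk moves `ruby-3.0` from 3.0.2 to 3.0.4 in one step, and nothing in the patch or its commit message records that the package was built after the bump. Because `ruby-3.0` is defined with `(inherit ruby-2.7)`, everything not overridden here comes from the 2.7 definition and is only exercised by an actual build. Stating the result of `./pre-inst-env guix build ruby@3.0` in the submission would close that gap.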
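Review bot: The replacement `base32` string in the `@@ -198,7 +199,7 @@` hunk is the only integrity check on the new tarball, and the patch does not say what it was compared against. The `origin` fetches with `url-fetch`, so the value should be checked against the SHA256 published in the upstream 3.0.4 release announcement, and the commit message or cover letter should say that this was done.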