[bug#77308] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]
Message ID | 8961ac7dcfb2ca711c51ce4b45c2afeb54c202d6.1743079092.git.remco@remworks.net |
---|---|
State | New |
Series | [bug#77308] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}] |
Commit Message
Remco van 't Veer
March 27, 2025, 12:38 p.m. UTC
Fixes: CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc), CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex search), CVE-2024-39908 (DoS in REXML), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse), CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.2): Upgrade to 3.2.8

Change-Id: I4938434cd15650796fe020650a452a876daa5aeb
---
 gnu/packages/ruby.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2
Comments
This should be applied in the ruby-team branch. I checked that it applies correctly (the other one too).
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 24407fbd58..a5951753f4 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -263,7 +263,7 @@ (define-public ruby-3.1 (define-public ruby-3.2 (package (inherit ruby-3.1) - (version "3.2.3") + (version "3.2.8") (source (origin (method url-fetch) @@ -272,7 +272,7 @@ (define-public ruby-3.2 "/ruby-" version ".tar.xz")) (sha256 (base32 - "0ss7pb7f62sakq5ywpw3dl0v586cl61cd91qlm1i094c9fak3cng")))) + "0g3s68kcxb24y4h24wvikvk5v3q6l6hs0kjxms9m49sm048d7k0w")))) (inputs (modify-inputs (package-inputs ruby-3.1) (prepend libyaml)))))
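Review bot: The `(version "3.2.8")` line in the first hunk moves ruby-3.2 five patch levels up from 3.2.3, while the only fields the visible definition overrides on top of `(inherit ruby-3.1)` are version, source and inputs, and the submission does not say that the package was built or its test suite run. Please confirm that ruby-3.2 still builds and passes its checks with the arguments inherited from ruby-3.1, and say so in the message, since the thread asks for this to go to the ruby-team branch where dependents will be rebuilt on top of it.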
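Review bot: The replaced `(base32 ...)` value in the second hunk is the only thing that pins this security update to a specific tarball, and neither the patch nor the commit message says how the new hash was obtained. Please state that it comes from fetching the ruby-3.2.8 tar.xz named by the origin's URL (for instance with `guix download`) and that it was cross-checked against the SHA256 published with the upstream release, so a reviewer can reproduce the check instead of trusting the string in the diff.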