From: Remco van 't Veer
To: guix-patches@gnu.org
Subject: [PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]
Date: Thu, 27 Mar 2025 11:00:24 +0100
Message-ID: <70a1ad58571735f1a15ce39ea6e400b3016ddc11.1743069624.git.remco@remworks.net>
X-Debbugs-Cc: Christopher Baines
Cc: Remco van 't Veer

Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse)
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and CVE-2025-27221
(userinfo leakage in URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
* gnu/packages/ruby.scm (ruby-3.1.7): Add package.

Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
---
gnu/packages/ruby.scm | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 24407fbd58..875a1b9a10 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -29,7 +29,7 @@ ;;; Copyright © 2020 Tomás Ortín Fernández ;;; Copyright © 2021 Giovanni Biscuolo ;;; Copyright © 2022 Philip McGrath -;;; Copyright © 2022-2024 Remco van 't Veer +;;; Copyright © 2022-2025 Remco van 't Veer ;;; Copyright © 2022 Taiju HIGASHI ;;; Copyright © 2023 Yovan Naumovski ;;; Copyright © 2023, 2024 gemmaro
@@ -250,6 +250,7 @@ (define-public ruby-3.1 (package (inherit ruby-3.0) (version "3.1.4") + (replacement ruby-3.1.7) (source (origin (method url-fetch) 
@@ -260,6 +261,22 @@ (define-public ruby-3.1 (base32 "0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v")))))) ++;;; TODO: This newer version resolves serveral CVEs. Remove ++;;; after ungrafting ruby. +(define ruby-3.1.7 + (package + (inherit ruby-3.1) + (version "3.1.7") + (source + (origin + (method url-fetch) + (uri (string-append "http://cache.ruby-lang.org/pub/ruby/" + (version-major+minor version) + "/ruby-" version ".tar.xz")) + (sha256 + (base32 + "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5")))))) + (define-public ruby-3.2 (package (inherit ruby-3.1) base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2 -- 2.49.0
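
Review bot: the two comment lines that open the last hunk (@@ -260,6 +261,22 @@) are added as "+;;; TODO: This newer version resolves serveral CVEs. Remove" and "+;;; after ungrafting ruby.", so each one lands in ruby.scm with a literal "+" in front of the ";;;". That looks like a leftover from pasting an earlier diff; drop the extra "+" so both lines start with ";;;", and correct "serveral" to "several" in the same pass.
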
From: Remco van 't Veer
To: 77304@debbugs.gnu.org
Subject: [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 11:25:00 +0100
Message-ID: <0498bc510e98e7ff589d297aa6ef0d3e0fc04711.1743071100.git.remco@remworks.net>
X-Debbugs-Cc: Christopher Baines
Cc: Remco van 't Veer

Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse)
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and CVE-2025-27221
(userinfo leakage in URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
* gnu/packages/ruby.scm (ruby-3.1.7): Add package.

Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
---
Changes in this v2:
* improve commit subject.

gnu/packages/ruby.scm | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 24407fbd58..875a1b9a10 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm
@@ -29,7 +29,7 @@ ;;; Copyright © 2020 Tomás Ortín Fernández ;;; Copyright © 2021 Giovanni Biscuolo ;;; Copyright © 2022 Philip McGrath -;;; Copyright © 2022-2024 Remco van 't Veer +;;; Copyright © 2022-2025 Remco van 't Veer ;;; Copyright © 2022 Taiju HIGASHI ;;; Copyright © 2023 Yovan Naumovski ;;; Copyright © 2023, 2024 gemmaro @@ -250,6 +250,7 @@ (define-public ruby-3.1 (package (inherit ruby-3.0) (version "3.1.4") + (replacement ruby-3.1.7) (source (origin (method url-fetch) 
@@ -260,6 +261,22 @@ (define-public ruby-3.1 (base32 "0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v")))))) ++;;; TODO: This newer version resolves serveral CVEs. Remove ++;;; after ungrafting ruby. +(define ruby-3.1.7 + (package + (inherit ruby-3.1) + (version "3.1.7") + (source + (origin + (method url-fetch) + (uri (string-append "http://cache.ruby-lang.org/pub/ruby/" + (version-major+minor version) + "/ruby-" version ".tar.xz")) + (sha256 + (base32 + "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5")))))) + (define-public ruby-3.2 (package (inherit ruby-3.1) base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2 -- 2.49.0
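
Review bot: the "(replacement ruby-3.1.7)" line added in the @@ -250,6 +250,7 @@ hunk carries no comment, and the changelog entry for it only says "New field pointing to ruby-3.1.7", so someone reading the ruby-3.1 definition cannot tell that this is a temporary security graft over version "3.1.4". The TODO about ungrafting sits on the ruby-3.1.7 definition further down, but this field is the line that has to go when ruby is ungrafted; put the TODO (or a copy of it) next to the field and state in the commit message that dependents are grafted rather than rebuilt.
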
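
Review bot: in the @@ -260,6 +261,22 @@ hunk the source uri is built from "http://cache.ruby-lang.org/pub/ruby/", so the tarball for a security update is fetched over plain HTTP. The sha256 below it means a modified download fails the hash check, so integrity does not depend on the transport, but an https:// URI would keep the fetch from being observed or interfered with in transit; consider switching the scheme if the host serves this path over TLS.
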
From: Nicolas Graves
To: Remco van 't Veer, 77304@debbugs.gnu.org
Subject: Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
In-Reply-To: <0498bc510e98e7ff589d297aa6ef0d3e0fc04711.1743071100.git.remco@remworks.net>
Date: Thu, 27 Mar 2025 14:04:48 +0100
Message-ID: <87ecyid3pr.fsf@ngraves.fr>
Cc: Christopher Baines, Remco van 't Veer

This should be applied on the ruby-team branch.

-- 
Best regards,
Nicolas Graves

From: Remco van 't Veer
To: Nicolas Graves
Subject: Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
In-Reply-To: <87ecyid3pr.fsf@ngraves.fr> (Nicolas Graves's message of "Thu, 27 Mar 2025 14:04:48 +0100")
Date: Thu, 27 Mar 2025 14:08:03 +0100
Message-ID: <87r02ihb9o.fsf@remworks.net>
Cc: Christopher Baines, 77304@debbugs.gnu.org

2025/03/27, Nicolas Graves:

> This should be applied on the ruby-team branch.

Does that also mean a graft is not needed?

From: Nicolas Graves
To: Remco van 't Veer
Subject: Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
In-Reply-To: <87r02ihb9o.fsf@remworks.net>
Date: Thu, 27 Mar 2025 16:06:52 +0100
Message-ID: <874izecy2b.fsf@ngraves.fr>
Cc: Christopher Baines, 77304@debbugs.gnu.org

On 2025-03-27 14:08, Remco van t. Veer wrote:

> 2025/03/27, Nicolas Graves:
>
>> This should be applied on the ruby-team branch.
>
> Does that also mean a graft is not needed?

On ruby-team, no, they will be rebuilt.

-- 
Best regards,
Nicolas Graves

From: Remco van 't Veer
To: Nicolas Graves
Cc: Christopher Baines , 77304@debbugs.gnu.org
Subject: Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
In-Reply-To: <874izecy2b.fsf@ngraves.fr> (Nicolas Graves's message of "Thu, 27 Mar 2025 16:06:52 +0100")
Date: Thu, 27 Mar 2025 16:42:24 +0100
Message-ID: <87r02iiiov.fsf@remworks.net>

2025/03/27, Nicolas Graves:

> On 2025-03-27 14:08, Remco van t. Veer wrote:
>
>> 2025/03/27, Nicolas Graves:
>>
>>> This should be applied on the ruby-team branch.
>>
>> Does that also mean a graft is not needed?
>
> On ruby-team, no, they will be rebuilt.

To be honest, I was not aware of the ruby-team branch. Looking at it, I
assume this patch and the other two (bug#77308 and bug#77309) will not
apply on this branch.

Should I close this and the other two bugs and create new ones for 3.1.7
and 3.2.8 for the ruby-team branch?

From debbugs-submit-bounces@debbugs.gnu.org Mon May 26 11:23:08 2025
From: Christopher Baines
To: Remco van 't Veer
Cc: Christopher Baines , 77304-done@debbugs.gnu.org
Subject: Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
In-Reply-To: <0498bc510e98e7ff589d297aa6ef0d3e0fc04711.1743071100.git.remco@remworks.net> (Remco van t. Veer's message of "Thu, 27 Mar 2025 11:25:00 +0100")
Date: Mon, 26 May 2025 16:22:31 +0100
Message-ID: <878qmjjt1k.fsf@cbaines.net>

Remco van 't Veer writes:

> Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
> CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
> CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
> search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse),
> CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
> CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).
>
> * gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
> * gnu/packages/ruby.scm (ruby-3.1.7): Add package.
>
> Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
> ---
>
> Changes in this v2:
>
> * improve commit subject.
>
>  gnu/packages/ruby.scm | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)

Thanks for the patch, I've pushed this to master as
72ac4a8fc6affa789df63382fc1b57c199d0c720.

Chris