GNU bug report logs - #77304
[PATCH] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, CVE-2025-27220, CVE-2025-27221}]

Previous Next

Full log

Message #25 received at 77304-done <at> debbugs.gnu.org (full text, mbox):

From: Christopher Baines <mail <at> cbaines.net>
To: Remco van 't Veer <remco <at> remworks.net>
Cc: Christopher Baines <guix <at> cbaines.net>, 77304-done <at> debbugs.gnu.org
Subject: Re: [bug#77304] [PATCH v2] gnu: ruby-3.1.7: Upgrade to 3.1.7 [fixes
 CVE-2024-{27280, 27281, 27282}, CVE-2025-{27219, 27220, 27221}]
Date: Mon, 26 May 2025 16:22:31 +0100

[Message part 1 (text/plain, inline)]

Remco van 't Veer <remco <at> remworks.net> writes:

> Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
> CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
> CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
> search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse)
> CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
> CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).
>
> * gnu/packages/ruby.scm (ruby-3.1)[replacement]: New field pointing to ruby-3.1.7.
> * gnu/packages/ruby.scm (ruby-3.1.7): Add package.
>
> Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
> ---
>
> Changes in this v2:
>
> * improve commit subject.
>
>  gnu/packages/ruby.scm | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)

Thanks for the patch, I've pushed this to master as
72ac4a8fc6affa789df63382fc1b57c199d0c720.

Chris

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.