GNU bug report logs - #77308
[PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]

Previous Next

Package: guix-patches;

Reported by: Remco van 't Veer <remco <at> remworks.net>

Date: Thu, 27 Mar 2025 12:39:02 UTC

Severity: normal

Tags: patch

Done: Andreas Enge <andreas <at> enge.fr>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 77308 in the body.
You can then email your comments to 77308 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix <at> cbaines.net, guix-patches <at> gnu.org:
bug#77308; Package guix-patches. (Thu, 27 Mar 2025 12:39:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Remco van 't Veer <remco <at> remworks.net>:
New bug report received and forwarded. Copy sent to guix <at> cbaines.net, guix-patches <at> gnu.org. (Thu, 27 Mar 2025 12:39:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Remco van 't Veer <remco <at> remworks.net>
To: guix-patches <at> gnu.org
Cc: Remco van 't Veer <remco <at> remworks.net>
Subject: [PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282,
 39908}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 13:38:12 +0100

Fixes: CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2024-39908 (DoS in REXML), CVE-2025-27219 (Denial of
Service in CGI::Cookie.parse), CVE-2025-27220 (ReDoS in
CGI::Util#escapeElement), and CVE-2025-27221 (userinfo leakage in
URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.2): Upgrade to 3.2.8

Change-Id: I4938434cd15650796fe020650a452a876daa5aeb
---
 gnu/packages/ruby.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 24407fbd58..a5951753f4 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -263,7 +263,7 @@ (define-public ruby-3.1
 (define-public ruby-3.2
   (package
     (inherit ruby-3.1)
-    (version "3.2.3")
+    (version "3.2.8")
     (source
      (origin
        (method url-fetch)
@@ -272,7 +272,7 @@ (define-public ruby-3.2
                            "/ruby-" version ".tar.xz"))
        (sha256
         (base32
-         "0ss7pb7f62sakq5ywpw3dl0v586cl61cd91qlm1i094c9fak3cng"))))
+         "0g3s68kcxb24y4h24wvikvk5v3q6l6hs0kjxms9m49sm048d7k0w"))))
     (inputs
      (modify-inputs (package-inputs ruby-3.1)
        (prepend libyaml)))))

base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2
-- 
2.49.0
Information forwarded to guix-patches <at> gnu.org:
bug#77308; Package guix-patches. (Thu, 27 Mar 2025 13:08:02 GMT) Full text and rfc822 format available.

Message #8 received at 77308 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: Remco van 't Veer <remco <at> remworks.net>, 77308 <at> debbugs.gnu.org
Cc: Christopher Baines <guix <at> cbaines.net>,
 Remco van 't Veer <remco <at> remworks.net>
Subject: Re: [bug#77308] [PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes
 CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 14:06:59 +0100

This should be applied in the ruby-team branch. I checked that it
applies correctly (the other one too).

-- 
Best regards,
Nicolas Graves
Reply sent to Andreas Enge <andreas <at> enge.fr>:
You have taken responsibility. (Sat, 07 Jun 2025 14:34:01 GMT) Full text and rfc822 format available.
Notification sent to Remco van 't Veer <remco <at> remworks.net>:
bug acknowledged by developer. (Sat, 07 Jun 2025 14:34:02 GMT) Full text and rfc822 format available.

Message #13 received at 77308-done <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: Christopher Baines <guix <at> cbaines.net>, 77308-done <at> debbugs.gnu.org,
 Remco van 't Veer <remco <at> remworks.net>
Subject: Re: [bug#77308] [PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes
 CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]
Date: Sat, 7 Jun 2025 16:33:12 +0200

This can go to master, so I have pushed it there;
we shall enjoy a little merge conflict later on :-)

Andreas
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 06 Jul 2025 11:24:09 GMT) Full text and rfc822 format available.
This bug report was last modified 34 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.