From: Remco van 't Veer
To: guix-patches@gnu.org
Cc: Remco van 't Veer
X-Debbugs-Cc: Christopher Baines
Subject: [PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 13:38:12 +0100

Fixes: CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2024-39908 (DoS in REXML), CVE-2025-27219 (Denial of
Service in CGI::Cookie.parse), CVE-2025-27220 (ReDoS in
CGI::Util#escapeElement), and CVE-2025-27221 (userinfo leakage in
URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.2): Upgrade to 3.2.8

Change-Id: I4938434cd15650796fe020650a452a876daa5aeb
--- gnu/packages/ruby.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 24407fbd58..a5951753f4 100644 --- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm @@ -263,7 +263,7 @@ (define-public ruby-3.1 (define-public ruby-3.2 (package (inherit ruby-3.1) - (version "3.2.3") + (version "3.2.8") (source (origin (method url-fetch) 
@@ -272,7 +272,7 @@ (define-public ruby-3.2 "/ruby-" version ".tar.xz")) (sha256 (base32 - "0ss7pb7f62sakq5ywpw3dl0v586cl61cd91qlm1i094c9fak3cng")))) + "0g3s68kcxb24y4h24wvikvk5v3q6l6hs0kjxms9m49sm048d7k0w")))) (inputs (modify-inputs (package-inputs ruby-3.1) (prepend libyaml))))) base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2 -- 2.49.0
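
Review bot: The version bump in the first hunk (`(version "3.2.3")` to `(version "3.2.8")`) touches only ruby-3.2, while the hunk header context shows `(define-public ruby-3.1` directly above and ruby-3.2 still uses `(inherit ruby-3.1)`; the commit message does not say whether ruby-3.1 is affected by any of the six listed CVEs. Please state that in the commit message or follow up with a separate patch, and confirm that whatever ruby-3.2 inherits from ruby-3.1 still builds and passes its tests with the 3.2.8 sources.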
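
Review bot: The new `base32` value in the second hunk is the only integrity check on the tarball fetched with `url-fetch`, and nothing in the message says what it was checked against. Please note how the hash was obtained, for example by downloading ruby-3.2.8.tar.xz and comparing its SHA256 with the checksum published in the upstream 3.2.8 release announcement, so a reviewer can reproduce the comparison rather than trust the value in the patch.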

From: Nicolas Graves
To: Remco van 't Veer, 77308@debbugs.gnu.org
Cc: Christopher Baines, Remco van 't Veer
Subject: Re: [bug#77308] [PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 14:06:59 +0100

This should be applied in the ruby-team branch. I checked that it
applies correctly (the other one too).

--
Best regards,
Nicolas Graves

From: Andreas Enge
To: Nicolas Graves
Cc: Christopher Baines, 77308-done@debbugs.gnu.org, Remco van 't Veer
Subject: Re: [bug#77308] [PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]
Date: Sat, 7 Jun 2025 16:33:12 +0200

This can go to master, so I have pushed it there; we shall enjoy a little
merge conflict later on :-)

Andreas