GNU bug report logs - #77308
[PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]

Previous Next

Package: guix-patches;

Reported by: Remco van 't Veer <remco <at> remworks.net>

Date: Thu, 27 Mar 2025 12:39:02 UTC

Severity: normal

Tags: patch

Done: Andreas Enge <andreas <at> enge.fr>

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Andreas Enge <andreas <at> enge.fr>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#77308: closed ([PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes
 CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}])
Date: Sat, 07 Jun 2025 14:34:01 +0000

[Message part 1 (text/plain, inline)]
Your message dated Sat, 7 Jun 2025 16:33:12 +0200
with message-id <aERNqMDjO0ozsgGy <at> jurong>
and subject line Re: [bug#77308] [PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]
has caused the debbugs.gnu.org bug report #77308,
regarding [PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
77308: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=77308
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Remco van 't Veer <remco <at> remworks.net>
To: guix-patches <at> gnu.org
Cc: Remco van 't Veer <remco <at> remworks.net>
Subject: [PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282,
 39908}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 13:38:12 +0100

Fixes: CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2024-39908 (DoS in REXML), CVE-2025-27219 (Denial of
Service in CGI::Cookie.parse), CVE-2025-27220 (ReDoS in
CGI::Util#escapeElement), and CVE-2025-27221 (userinfo leakage in
URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.2): Upgrade to 3.2.8

Change-Id: I4938434cd15650796fe020650a452a876daa5aeb
---
 gnu/packages/ruby.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 24407fbd58..a5951753f4 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -263,7 +263,7 @@ (define-public ruby-3.1
 (define-public ruby-3.2
   (package
     (inherit ruby-3.1)
-    (version "3.2.3")
+    (version "3.2.8")
     (source
      (origin
        (method url-fetch)
@@ -272,7 +272,7 @@ (define-public ruby-3.2
                            "/ruby-" version ".tar.xz"))
        (sha256
         (base32
-         "0ss7pb7f62sakq5ywpw3dl0v586cl61cd91qlm1i094c9fak3cng"))))
+         "0g3s68kcxb24y4h24wvikvk5v3q6l6hs0kjxms9m49sm048d7k0w"))))
     (inputs
      (modify-inputs (package-inputs ruby-3.1)
        (prepend libyaml)))))

base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2
-- 
2.49.0




[Message part 3 (message/rfc822, inline)]
From: Andreas Enge <andreas <at> enge.fr>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: Christopher Baines <guix <at> cbaines.net>, 77308-done <at> debbugs.gnu.org,
 Remco van 't Veer <remco <at> remworks.net>
Subject: Re: [bug#77308] [PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes
 CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]
Date: Sat, 7 Jun 2025 16:33:12 +0200

This can go to master, so I have pushed it there;
we shall enjoy a little merge conflict later on :-)

Andreas
This bug report was last modified 9 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.