GNU bug report logs - #77308
[PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282, 39908}, CVE-2025-{27219, 27220, 27221}]

Previous Next

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Remco van 't Veer <remco <at> remworks.net>
To: guix-patches <at> gnu.org
Cc: Remco van 't Veer <remco <at> remworks.net>
Subject: [PATCH] gnu: ruby-3.2: Upgrade to 3.2.8 [fixes CVE-2024-{27281, 27282,
 39908}, CVE-2025-{27219, 27220, 27221}]
Date: Thu, 27 Mar 2025 13:38:12 +0100

Fixes: CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2024-39908 (DoS in REXML), CVE-2025-27219 (Denial of
Service in CGI::Cookie.parse), CVE-2025-27220 (ReDoS in
CGI::Util#escapeElement), and CVE-2025-27221 (userinfo leakage in
URI#join, URI#merge and URI#+).

* gnu/packages/ruby.scm (ruby-3.2): Upgrade to 3.2.8

Change-Id: I4938434cd15650796fe020650a452a876daa5aeb
---
 gnu/packages/ruby.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 24407fbd58..a5951753f4 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -263,7 +263,7 @@ (define-public ruby-3.1
 (define-public ruby-3.2
   (package
     (inherit ruby-3.1)
-    (version "3.2.3")
+    (version "3.2.8")
     (source
      (origin
        (method url-fetch)
@@ -272,7 +272,7 @@ (define-public ruby-3.2
                            "/ruby-" version ".tar.xz"))
        (sha256
         (base32
-         "0ss7pb7f62sakq5ywpw3dl0v586cl61cd91qlm1i094c9fak3cng"))))
+         "0g3s68kcxb24y4h24wvikvk5v3q6l6hs0kjxms9m49sm048d7k0w"))))
     (inputs
      (modify-inputs (package-inputs ruby-3.1)
        (prepend libyaml)))))

base-commit: 90d525e0cffeb7498e7b98bedbc9ae67814c06a2
-- 
2.49.0

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.