rpms
/
ruby
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Upgrade to Ruby 3.3.1. 

Fix buffer overread vulnerability in StringIO.
  (CVE-2024-27280)
Fix RCE vulnerability with .rdoc_options in RDoc.
  (CVE-2024-27281)
Fix Arbitrary memory address read vulnerability with Regex search.
  (CVE-2024-27282)

Ruby bundled NKF, add appropriate `bundled` provide and test
License review and clarification

Upgrade by merging Fedora changes up to commit:
ff5301a5f3

Resolves: RHEL-37446
Resolves: RHEL-37448
Resolves: RHEL-37449
Resolves: RHEL-37447
This commit is contained in:
Jarek Prokop 2024-05-20 18:22:32 +02:00
parent b7269a7788
commit 44e781b1f4
12 changed files with 144 additions and 588 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ruby-2.1.0-Enable-configuration-of-archlibdir.patch
View File

@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
index d261ea57b5..3c13076b82 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3470,6 +3470,11 @@ AS_IF([test ${multiarch+set}], [
@@ -3473,6 +3473,11 @@ AS_IF([test ${multiarch+set}], [
])
archlibdir='${libdir}/${arch}'

2
ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch
View File

@ -14,7 +14,7 @@ diff --git a/configure.ac b/configure.ac
index c42436c23d..d261ea57b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4309,7 +4309,8 @@ AS_CASE(["$ruby_version_dir_name"],
@@ -4312,7 +4312,8 @@ AS_CASE(["$ruby_version_dir_name"],
ruby_version_dir=/'${ruby_version_dir_name}'
if test -z "${ruby_version_dir_name}"; then

2
ruby-2.1.0-always-use-i386.patch
View File

@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
index 3c13076b82..93af30321d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4373,6 +4373,8 @@ AC_SUBST(vendorarchdir)dnl
@@ -4376,6 +4376,8 @@ AC_SUBST(vendorarchdir)dnl
AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl

4
ruby-2.1.0-custom-rubygems-location.patch
View File

@ -15,7 +15,7 @@ diff --git a/configure.ac b/configure.ac
index 93af30321d..bc13397e0e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4345,6 +4345,10 @@ AC_ARG_WITH(vendorarchdir,
@@ -4348,6 +4348,10 @@ AC_ARG_WITH(vendorarchdir,
[vendorarchdir=$withval],
[vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}])
@ -26,7 +26,7 @@ index 93af30321d..bc13397e0e 100644
AS_IF([test "${LOAD_RELATIVE+set}"], [
AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
RUBY_EXEC_PREFIX=''
@@ -4369,6 +4373,7 @@ AC_SUBST(sitearchdir)dnl
@@ -4372,6 +4376,7 @@ AC_SUBST(sitearchdir)dnl
AC_SUBST(vendordir)dnl
AC_SUBST(vendorlibdir)dnl
AC_SUBST(vendorarchdir)dnl

6
ruby-2.3.0-ruby_version.patch
View File

@ -20,7 +20,7 @@ diff --git a/configure.ac b/configure.ac
index 80b137e380..63cd3b4f8b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4259,9 +4259,6 @@ AS_CASE(["$target_os"],
@@ -4262,9 +4262,6 @@ AS_CASE(["$target_os"],
rubyw_install_name='$(RUBYW_INSTALL_NAME)'
])
@ -30,7 +30,7 @@ index 80b137e380..63cd3b4f8b 100644
rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'}
AC_ARG_WITH(rubyarchprefix,
AS_HELP_STRING([--with-rubyarchprefix=DIR],
@@ -4284,57 +4281,63 @@ AC_ARG_WITH(ridir,
@@ -4287,57 +4284,63 @@ AC_ARG_WITH(ridir,
AC_SUBST(ridir)
AC_SUBST(RI_BASE_NAME)
@ -122,7 +122,7 @@ index 80b137e380..63cd3b4f8b 100644
AS_IF([test "${LOAD_RELATIVE+set}"], [
AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
@@ -4351,6 +4354,7 @@ AC_SUBST(sitearchincludedir)dnl
@@ -4354,6 +4357,7 @@ AC_SUBST(sitearchincludedir)dnl
AC_SUBST(arch)dnl
AC_SUBST(sitearch)dnl
AC_SUBST(ruby_version)dnl

6
ruby-3.3.0-Revert-Optimize-allocations-in-Hash-compare_by_identity.patch
View File

@ -13,7 +13,7 @@ diff --git a/hash.c b/hash.c
index 78e9d9a2d6..f6525ba4a5 100644
--- a/hash.c
+++ b/hash.c
@@ -4377,16 +4377,13 @@ rb_hash_compare_by_id(VALUE hash)
@@ -4385,16 +4385,13 @@ rb_hash_compare_by_id(VALUE hash)
if (hash_iterating_p(hash)) {
rb_raise(rb_eRuntimeError, "compare_by_identity during iteration");
}
@ -33,7 +33,7 @@ index 78e9d9a2d6..f6525ba4a5 100644
// Slow path: Need to rehash the members of `self` into a new
// `tmp` table using the new `identhash` compare/hash functions.
tmp = hash_alloc(0);
@@ -4394,10 +4391,8 @@ rb_hash_compare_by_id(VALUE hash)
@@ -4402,10 +4399,8 @@ rb_hash_compare_by_id(VALUE hash)
identtable = RHASH_ST_TABLE(tmp);
rb_hash_foreach(hash, rb_hash_rehash_i, (VALUE)tmp);
@ -60,7 +60,7 @@ diff --git a/hash.c b/hash.c
index f6525ba4a5..cf83675c70 100644
--- a/hash.c
+++ b/hash.c
@@ -4380,22 +4380,15 @@ rb_hash_compare_by_id(VALUE hash)
@@ -4388,22 +4388,15 @@ rb_hash_compare_by_id(VALUE hash)
ar_force_convert_table(hash, __FILE__, __LINE__);
HASH_ASSERT(RHASH_ST_TABLE_P(hash));

24
ruby-3.4.0-Fix-pointer-incompatiblity.patch Normal file
View File

@ -0,0 +1,24 @@
From 055613fd868a8c94e43893f8c58a00cdd2a81f6d Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Fri, 22 Mar 2024 18:18:35 +0900
Subject: [PATCH] Fix pointer incompatiblity
Since the subsecond part is discarded, WIDEVAL to VALUE conversion is
needed.
---
time.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/time.c b/time.c
index 6179b081c02fc9..3304b2f4f4856a 100644
--- a/time.c
+++ b/time.c
@@ -2342,7 +2342,7 @@ zone_timelocal(VALUE zone, VALUE time)
struct time_object *tobj = RTYPEDDATA_GET_DATA(time);
wideval_t t, s;
- split_second(tobj->timew, &t, &s);
+ wdivmod(tobj->timew, WINT2FIXWV(TIME_SCALE), &t, &s);
tm = tm_from_time(rb_cTimeTM, time);
utc = rb_check_funcall(zone, id_local_to_utc, 1, &tm);
if (UNDEF_P(utc)) return 0;

241
ruby-3.4.0-Revert-Set-AI_ADDRCONFIG-when-making-getaddrinfo.patch
View File

@ -1,241 +0,0 @@
From c3655b89e7c06555a2e0bf13affb8a63a49f4296 Mon Sep 17 00:00:00 2001
From: Jarek Prokop <jprokop@redhat.com>
Date: Fri, 26 Jan 2024 11:19:48 +0100
Subject: [PATCH] Revert "Set AI_ADDRCONFIG when making getaddrinfo(3) calls
for outgoing conns (#7295)"
This reverts commit d2ba8ea54a4089959afdeecdd963e3c4ff391748.
The purpose of the commit is to workaround a GLIBC bug [0] still present
in older Ubuntu [1]. C8S/RHEL 8 has the fix for some time [2] and the
Ruby workaround is causing problems for us [3]. Therefore we can
revert it for EL8, EL9, and Fedora distros.
[0] https://sourceware.org/bugzilla/show_bug.cgi?id=26600
[1] https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1961697
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1868106
[3] https://bugs.ruby-lang.org/issues/20208
---
ext/socket/extconf.rb | 2 -
ext/socket/ipsocket.c | 11 +--
test/socket/test_tcp.rb | 164 ----------------------------------------
3 files changed, 2 insertions(+), 175 deletions(-)
diff --git a/ext/socket/extconf.rb b/ext/socket/extconf.rb
index 544bed5298..1ca52da366 100644
--- a/ext/socket/extconf.rb
+++ b/ext/socket/extconf.rb
@@ -607,8 +607,6 @@ def %(s) s || self end
EOS
end
- have_const('AI_ADDRCONFIG', headers)
-
case with_config("lookup-order-hack", "UNSPEC")
when "INET"
$defs << "-DLOOKUP_ORDER_HACK_INET"
diff --git a/ext/socket/ipsocket.c b/ext/socket/ipsocket.c
index 0a693655b4..0c13620258 100644
--- a/ext/socket/ipsocket.c
+++ b/ext/socket/ipsocket.c
@@ -54,22 +54,15 @@ init_inetsock_internal(VALUE v)
VALUE connect_timeout = arg->connect_timeout;
struct timeval tv_storage;
struct timeval *tv = NULL;
- int remote_addrinfo_hints = 0;
if (!NIL_P(connect_timeout)) {
tv_storage = rb_time_interval(connect_timeout);
tv = &tv_storage;
}
- if (type == INET_SERVER) {
- remote_addrinfo_hints |= AI_PASSIVE;
- }
-#ifdef HAVE_CONST_AI_ADDRCONFIG
- remote_addrinfo_hints |= AI_ADDRCONFIG;
-#endif
-
arg->remote.res = rsock_addrinfo(arg->remote.host, arg->remote.serv,
- family, SOCK_STREAM, remote_addrinfo_hints);
+ family, SOCK_STREAM,
+ (type == INET_SERVER) ? AI_PASSIVE : 0);
/*
diff --git a/test/socket/test_tcp.rb b/test/socket/test_tcp.rb
index 35d361f060..7f9dc53cae 100644
--- a/test/socket/test_tcp.rb
+++ b/test/socket/test_tcp.rb
@@ -140,168 +140,4 @@ def test_accept_multithread
server_threads.each(&:join)
end
end
-
- def test_ai_addrconfig
- # This test verifies that we pass AI_ADDRCONFIG to the DNS resolver when making
- # an outgoing connection.
- # The verification of this is unfortunately incredibly convoluted. We perform the
- # test by setting up a fake DNS server to receive queries. Then, we construct
- # an environment which has only IPv4 addresses and uses that fake DNS server. We
- # then attempt to make an outgoing TCP connection. Finally, we verify that we
- # only received A and not AAAA queries on our fake resolver.
- # This test can only possibly work on Linux, and only when run as root. If either
- # of these conditions aren't met, the test will be skipped.
-
- # The construction of our IPv6-free environment must happen in a child process,
- # which we can put in its own network & mount namespaces.
-
- omit "This test is disabled. It is retained to show the original intent of [ruby-core:110870]"
-
- IO.popen("-") do |test_io|
- if test_io.nil?
- begin
- # Child program
- require 'fiddle'
- require 'resolv'
- require 'open3'
-
- libc = Fiddle.dlopen(nil)
- begin
- unshare = Fiddle::Function.new(libc['unshare'], [Fiddle::TYPE_INT], Fiddle::TYPE_INT)
- rescue Fiddle::DLError
- # Test can't run because we don't have unshare(2) in libc
- # This will be the case on not-linux, and also on very old glibc versions (or
- # possibly other libc's that don't expose this syscall wrapper)
- $stdout.write(Marshal.dump({result: :skip, reason: "unshare(2) or mount(2) not in libc"}))
- exit
- end
-
- # Move our test process into a new network & mount namespace.
- # This environment will be configured to be IPv6 free and point DNS resolution
- # at a fake DNS server.
- # (n.b. these flags are CLONE_NEWNS | CLONE_NEWNET)
- ret = unshare.call(0x00020000 | 0x40000000)
- errno = Fiddle.last_error
- if ret == -1 && errno == Errno::EPERM::Errno
- # Test can't run because we're not root.
- $stdout.write(Marshal.dump({result: :skip, reason: "insufficient permissions to unshare namespaces"}))
- exit
- elsif ret == -1 && (errno == Errno::ENOSYS::Errno || errno == Errno::EINVAL::Errno)
- # No unshare(2) in the kernel (or kernel too old to know about this namespace type)
- $stdout.write(Marshal.dump({result: :skip, reason: "errno #{errno} calling unshare(2)"}))
- exit
- elsif ret == -1
- # Unexpected failure
- raise "errno #{errno} calling unshare(2)"
- end
-
- # Set up our fake DNS environment. Clean out /etc/hosts...
- fake_hosts_file = Tempfile.new('ruby_test_hosts')
- fake_hosts_file.write <<~HOSTS
- 127.0.0.1 localhost
- ::1 localhost
- HOSTS
- fake_hosts_file.flush
-
- # Have /etc/resolv.conf point to 127.0.0.1...
- fake_resolv_conf = Tempfile.new('ruby_test_resolv')
- fake_resolv_conf.write <<~RESOLV
- nameserver 127.0.0.1
- RESOLV
- fake_resolv_conf.flush
-
- # Also stub out /etc/nsswitch.conf; glibc can have other resolver modules
- # (like systemd-resolved) configured in there other than just using dns,
- # so rewrite it to remove any `hosts:` lines and add one which just uses
- # dns.
- real_nsswitch_conf = File.read('/etc/nsswitch.conf') rescue ""
- fake_nsswitch_conf = Tempfile.new('ruby_test_nsswitch')
- real_nsswitch_conf.lines.reject { _1 =~ /^\s*hosts:/ }.each do |ln|
- fake_nsswitch_conf.puts ln
- end
- fake_nsswitch_conf.puts "hosts: files myhostname dns"
- fake_nsswitch_conf.flush
-
- # This is needed to make sure our bind-mounds aren't visible outside this process.
- system 'mount', '--make-rprivate', '/', exception: true
- # Bind-mount the fake files over the top of the real files.
- system 'mount', '--bind', '--make-private', fake_hosts_file.path, '/etc/hosts', exception: true
- system 'mount', '--bind', '--make-private', fake_resolv_conf.path, '/etc/resolv.conf', exception: true
- system 'mount', '--bind', '--make-private', fake_nsswitch_conf.path, '/etc/nsswitch.conf', exception: true
-
- # Create a dummy interface with only an IPv4 address
- system 'ip', 'link', 'add', 'dummy0', 'type', 'dummy', exception: true
- system 'ip', 'addr', 'add', '192.168.1.2/24', 'dev', 'dummy0', exception: true
- system 'ip', 'link', 'set', 'dummy0', 'up', exception: true
- system 'ip', 'link', 'set', 'lo', 'up', exception: true
-
- # Disable IPv6 on this interface (this is needed to disable the link-local
- # IPv6 address)
- File.open('/proc/sys/net/ipv6/conf/dummy0/disable_ipv6', 'w') do |f|
- f.puts "1"
- end
-
- # Create a fake DNS server which will receive the DNS queries triggered by TCPSocket.new
- fake_dns_server_socket = UDPSocket.new
- fake_dns_server_socket.bind('127.0.0.1', 53)
- received_dns_queries = []
- fake_dns_server_thread = Thread.new do
- Socket.udp_server_loop_on([fake_dns_server_socket]) do |msg, msg_src|
- request = Resolv::DNS::Message.decode(msg)
- received_dns_queries << request
- response = request.dup.tap do |r|
- r.qr = 0
- r.rcode = 3 # NXDOMAIN
- end
- msg_src.reply response.encode
- end
- end
-
- # Make a request which will hit our fake DNS swerver - this needs to be in _another_
- # process because glibc will cache resolver info across the fork otherwise.
- load_path_args = $LOAD_PATH.flat_map { ['-I', _1] }
- Open3.capture3('/proc/self/exe', *load_path_args, '-rsocket', '-e', <<~RUBY)
- TCPSocket.open('www.example.com', 4444)
- RUBY
-
- fake_dns_server_thread.kill
- fake_dns_server_thread.join
-
- have_aaaa_qs = received_dns_queries.any? do |query|
- query.question.any? do |question|
- question[1] == Resolv::DNS::Resource::IN::AAAA
- end
- end
-
- have_a_q = received_dns_queries.any? do |query|
- query.question.any? do |question|
- question[0].to_s == "www.example.com"
- end
- end
-
- if have_aaaa_qs
- $stdout.write(Marshal.dump({result: :fail, reason: "got AAAA queries, expected none"}))
- elsif !have_a_q
- $stdout.write(Marshal.dump({result: :fail, reason: "got no A query for example.com"}))
- else
- $stdout.write(Marshal.dump({result: :success}))
- end
- rescue => ex
- $stdout.write(Marshal.dump({result: :fail, reason: ex.full_message}))
- ensure
- # Make sure the child process does not transfer control back into the test runner.
- exit!
- end
- else
- test_result = Marshal.load(test_io.read)
-
- case test_result[:result]
- when :skip
- omit test_result[:reason]
- when :fail
- fail test_result[:reason]
- end
- end
- end
- end
end if defined?(TCPSocket)
--
2.43.0

39
ruby-3.4.0-fix-branch-protection-compilation-for-arm.patch
View File

@ -1,39 +1,7 @@
From 8af8f327457738620d2c85bd65db8cc5594585db Mon Sep 17 00:00:00 2001
From: Yuta Saito <kateinoigakukun@gmail.com>
Date: Wed, 27 Dec 2023 06:22:45 +0000
Subject: [PATCH 1/2] [Bug #20085] Use consistent default options for
`-mbranch-protection`
We need to use the same options for both C compiler and assembler
when `-mbranch-protection` is guessed by configure. Otherwise,
`coroutine/arm64/Context.{h,S}` will use incompatible PAC strategies.
---
configure.ac | 3 +++
1 file changed, 3 insertions(+)
diff --git a/configure.ac b/configure.ac
index 9286946fc1..18b4247991 100644
--- a/configure.ac
+++ b/configure.ac
@@ -830,7 +830,10 @@ AS_IF([test "$GCC" = yes], [
AS_FOR(option, opt, [-mbranch-protection=pac-ret -msign-return-address=all], [
RUBY_TRY_CFLAGS(option, [branch_protection=yes], [branch_protection=no])
AS_IF([test "x$branch_protection" = xyes], [
+ # C compiler and assembler must be consistent for -mbranch-protection
+ # since they both check `__ARM_FEATURE_PAC_DEFAULT` definition.
RUBY_APPEND_OPTION(XCFLAGS, option)
+ RUBY_APPEND_OPTION(ASFLAGS, option)
break
])
])
--
2.43.0
From 80281e14e411e8e5fe4955effbb2c650a2f52667 Mon Sep 17 00:00:00 2001
From db4ba95bf12f9303e38a9a78979cd363cb9a19fb Mon Sep 17 00:00:00 2001
From: Jarek Prokop <jprokop@redhat.com>
Date: Fri, 12 Jan 2024 18:33:34 +0100
Subject: [PATCH 2/2] aarch64: Prepend -mbranch-protection=standard option when
Subject: [PATCH] aarch64: Prepend -mbranch-protection=standard option when
checking branch protection.
Related Upstream issue: https://bugs.ruby-lang.org/issues/20154
@ -54,6 +22,3 @@ index 18b4247991..5ea8ada8f7 100644
RUBY_TRY_CFLAGS(option, [branch_protection=yes], [branch_protection=no])
AS_IF([test "x$branch_protection" = xyes], [
# C compiler and assembler must be consistent for -mbranch-protection
--
2.43.0

256
ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
View File

@ -1,256 +0,0 @@
From d3933fc753187a055a4904af82f5f3794c88c416 Mon Sep 17 00:00:00 2001
From: Sorah Fukumori <her@sorah.jp>
Date: Mon, 1 Jan 2024 20:45:54 +0900
Subject: [PATCH] [ruby/net-http] Renew test certificates
The private key is replaced with a public known test key published at
[RFC 9500].
Also lifetime has been extended to 10 years from 4 years.
[RFC 9500]: https://www.rfc-editor.org/rfc/rfc9500.html
https://github.com/ruby/net-http/commit/4ab6c4a500
---
test/net/fixtures/Makefile | 6 +--
test/net/fixtures/cacert.pem | 44 ++++++++--------
test/net/fixtures/server.crt | 99 +++++++-----------------------------
test/net/fixtures/server.key | 55 ++++++++++----------
4 files changed, 71 insertions(+), 133 deletions(-)
diff --git a/test/net/fixtures/Makefile b/test/net/fixtures/Makefile
index b2bc9c7368ee2..88c232e3b6c16 100644
--- a/test/net/fixtures/Makefile
+++ b/test/net/fixtures/Makefile
@@ -5,11 +5,11 @@ regen_certs:
make server.crt
cacert.pem: server.key
- openssl req -new -x509 -days 1825 -key server.key -out cacert.pem -text -subj "/C=JP/ST=Shimane/L=Matz-e city/O=Ruby Core Team/CN=Ruby Test CA/emailAddress=security@ruby-lang.org"
+ openssl req -new -x509 -days 3650 -key server.key -out cacert.pem -subj "/C=JP/ST=Shimane/L=Matz-e city/O=Ruby Core Team/CN=Ruby Test CA/emailAddress=security@ruby-lang.org"
server.csr:
- openssl req -new -key server.key -out server.csr -text -subj "/C=JP/ST=Shimane/O=Ruby Core Team/OU=Ruby Test/CN=localhost"
+ openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Shimane/O=Ruby Core Team/OU=Ruby Test/CN=localhost"
server.crt: server.csr cacert.pem
- openssl x509 -days 1825 -CA cacert.pem -CAkey server.key -set_serial 00 -in server.csr -req -text -out server.crt
+ openssl x509 -days 3650 -CA cacert.pem -CAkey server.key -set_serial 00 -in server.csr -req -out server.crt
rm server.csr
diff --git a/test/net/fixtures/cacert.pem b/test/net/fixtures/cacert.pem
index f623bd62ed375..24c83f1c65225 100644
--- a/test/net/fixtures/cacert.pem
+++ b/test/net/fixtures/cacert.pem
@@ -1,24 +1,24 @@
-----BEGIN CERTIFICATE-----
-MIID7TCCAtWgAwIBAgIJAIltvxrFAuSnMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
-VQQGEwJKUDEQMA4GA1UECAwHU2hpbWFuZTEUMBIGA1UEBwwLTWF0ei1lIGNpdHkx
-FzAVBgNVBAoMDlJ1YnkgQ29yZSBUZWFtMRUwEwYDVQQDDAxSdWJ5IFRlc3QgQ0Ex
-JTAjBgkqhkiG9w0BCQEWFnNlY3VyaXR5QHJ1YnktbGFuZy5vcmcwHhcNMTkwMTAy
-MDI1ODI4WhcNMjQwMTAxMDI1ODI4WjCBjDELMAkGA1UEBhMCSlAxEDAOBgNVBAgM
-B1NoaW1hbmUxFDASBgNVBAcMC01hdHotZSBjaXR5MRcwFQYDVQQKDA5SdWJ5IENv
-cmUgVGVhbTEVMBMGA1UEAwwMUnVieSBUZXN0IENBMSUwIwYJKoZIhvcNAQkBFhZz
-ZWN1cml0eUBydWJ5LWxhbmcub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAznlbjRVhz1NlutHVrhcGnK8W0qug2ujKXv1njSC4U6nJF6py7I9EeehV
-SaKePyv+I9z3K1LnfUHOtUbdwdKC77yN66A6q2aqzu5q09/NSykcZGOIF0GuItYI
-3nvW3IqBddff2ffsyR+9pBjfb5AIPP08WowF9q4s1eGULwZc4w2B8PFhtxYANd7d
-BvGLXFlcufv9tDtzyRi4t7eqxCRJkZQIZNZ6DHHIJrNxejOILfHLarI12yk8VK6L
-2LG4WgGqyeePiRyd1o1MbuiAFYqAwpXNUbRKg5NaZGwBHZk8UZ+uFKt1QMBURO5R
-WFy1c349jbWszTqFyL4Lnbg9HhAowQIDAQABo1AwTjAdBgNVHQ4EFgQU9tEiKdU9
-I9derQyc5nWPnc34nVMwHwYDVR0jBBgwFoAU9tEiKdU9I9derQyc5nWPnc34nVMw
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAxj7F/u3C3fgq24N7hGRA
-of7ClFQxGmo/IGT0AISzW3HiVYiFaikKhbO1NwD9aBpD8Zwe62sCqMh8jGV/b0+q
-aOORnWYNy2R6r9FkASAglmdF6xn3bhgGD5ls4pCvcG9FynGnGc24g6MrjFNrBYUS
-2iIZsg36i0IJswo/Dy6HLphCms2BMCD3DeWtfjePUiTmQHJo6HsQIKP/u4N4Fvee
-uMBInei2M4VU74fLXbmKl1F9AEX7JDP3BKSZG19Ch5pnUo4uXM1uNTGsi07P4Y0s
-K44+SKBC0bYEFbDK0eQWMrX3kIhkPxyIWhxdq9/NqPYjShuSEAhA6CSpmRg0pqc+
-mA==
+MIID+zCCAuOgAwIBAgIUGMvHl3EhtKPKcgc3NQSAYfFuC+8wDQYJKoZIhvcNAQEL
+BQAwgYwxCzAJBgNVBAYTAkpQMRAwDgYDVQQIDAdTaGltYW5lMRQwEgYDVQQHDAtN
+YXR6LWUgY2l0eTEXMBUGA1UECgwOUnVieSBDb3JlIFRlYW0xFTATBgNVBAMMDFJ1
+YnkgVGVzdCBDQTElMCMGCSqGSIb3DQEJARYWc2VjdXJpdHlAcnVieS1sYW5nLm9y
+ZzAeFw0yNDAxMDExMTQ3MjNaFw0zMzEyMjkxMTQ3MjNaMIGMMQswCQYDVQQGEwJK
+UDEQMA4GA1UECAwHU2hpbWFuZTEUMBIGA1UEBwwLTWF0ei1lIGNpdHkxFzAVBgNV
+BAoMDlJ1YnkgQ29yZSBUZWFtMRUwEwYDVQQDDAxSdWJ5IFRlc3QgQ0ExJTAjBgkq
+hkiG9w0BCQEWFnNlY3VyaXR5QHJ1YnktbGFuZy5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCw+egZQ6eumJKq3hfKfED4dE/tL4FI5sjqont9ABVI
++1GSqyi1bFBgsRjM0THllIdMbKmJtWwnKW8J+5OgNN8y6Xxv8JmM/Y5vQt2lis0f
+qXmG8UTz0VTWdlAXXmhUs6lSADvAaIe4RVrCsZ97L3ZQTryY7JRVcbB4khUN3Gp0
+yg+801SXzoFTTa+UGIRLE66jH51aa5VXu99hnv1OiH8tQrjdi8mH6uG/icq4XuIe
+NWMF32wHqIOOPvQcWV3M5D2vxJEj702Ku6k9OQXkAo17qRSEonWW4HtLbtmS8He1
+JNPc/n3dVUm+fM6NoDXPoLP7j55G9zKyqGtGAWXAj1MTAgMBAAGjUzBRMB0GA1Ud
+DgQWBBSJGVleDvFp9cu9R+E0/OKYzGkwkTAfBgNVHSMEGDAWgBSJGVleDvFp9cu9
+R+E0/OKYzGkwkTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBl
+8GLB8skAWlkSw/FwbUmEV3zyqu+p7PNP5YIYoZs0D74e7yVulGQ6PKMZH5hrZmHo
+orFSQU+VUUirG8nDGj7Rzce8WeWBxsaDGC8CE2dq6nC6LuUwtbdMnBrH0LRWAz48
+jGFF3jHtVz8VsGfoZTZCjukWqNXvU6hETT9GsfU+PZqbqcTVRPH52+XgYayKdIbD
+r97RM4X3+aXBHcUW0b76eyyi65RR/Xtvn8ioZt2AdX7T2tZzJyXJN3Hupp77s6Ui
+AZR35SToHCZeTZD12YBvLBdaTPLZN7O/Q/aAO9ZiJaZ7SbFOjz813B2hxXab4Fob
+2uJX6eMWTVxYK5D4M9lm
-----END CERTIFICATE-----
diff --git a/test/net/fixtures/server.crt b/test/net/fixtures/server.crt
index 5ca78a6d146a0..5d2923795dabc 100644
--- a/test/net/fixtures/server.crt
+++ b/test/net/fixtures/server.crt
@@ -1,82 +1,21 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 2 (0x2)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: C=JP, ST=Shimane, L=Matz-e city, O=Ruby Core Team, CN=Ruby Test CA/emailAddress=security@ruby-lang.org
- Validity
- Not Before: Jan 2 03:27:13 2019 GMT
- Not After : Jan 1 03:27:13 2024 GMT
- Subject: C=JP, ST=Shimane, O=Ruby Core Team, OU=Ruby Test, CN=localhost
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:e8:da:9c:01:2e:2b:10:ec:49:cd:5e:07:13:07:
- 9c:70:9e:c6:74:bc:13:c2:e1:6f:c6:82:fd:e3:48:
- e0:2c:a5:68:c7:9e:42:de:60:54:65:e6:6a:14:57:
- 7a:30:d0:cc:b5:b6:d9:c3:d2:df:c9:25:97:54:67:
- cf:f6:be:5e:cb:8b:ee:03:c5:e1:e2:f9:e7:f7:d1:
- 0c:47:f0:b8:da:33:5a:ad:41:ad:e7:b5:a2:7b:b7:
- bf:30:da:60:f8:e3:54:a2:bc:3a:fd:1b:74:d9:dc:
- 74:42:e9:29:be:df:ac:b4:4f:eb:32:f4:06:f1:e1:
- 8c:4b:a8:8b:fb:29:e7:b1:bf:1d:01:ee:73:0f:f9:
- 40:dc:d5:15:79:d9:c6:73:d0:c0:dd:cb:e4:da:19:
- 47:80:c6:14:04:72:fd:9a:7c:8f:11:82:76:49:04:
- 79:cc:f2:5c:31:22:95:13:3e:5d:40:a6:4d:e0:a3:
- 02:26:7d:52:3b:bb:ed:65:a1:0f:ed:6b:b0:3c:d4:
- de:61:15:5e:d3:dd:68:09:9f:4a:57:a5:c2:a9:6d:
- 86:92:c5:f4:a4:d4:b7:13:3b:52:63:24:05:e2:cc:
- e3:8a:3c:d4:35:34:2b:10:bb:58:72:e7:e1:8d:1d:
- 74:8c:61:16:20:3d:d0:1c:4e:8f:6e:fd:fe:64:10:
- 4f:41
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- Netscape Comment:
- OpenSSL Generated Certificate
- X509v3 Subject Key Identifier:
- ED:28:C2:7E:AB:4B:C8:E8:FE:55:6D:66:95:31:1C:2D:60:F9:02:36
- X509v3 Authority Key Identifier:
- keyid:F6:D1:22:29:D5:3D:23:D7:5E:AD:0C:9C:E6:75:8F:9D:CD:F8:9D:53
-
- Signature Algorithm: sha256WithRSAEncryption
- 1d:b8:c5:8b:72:41:20:65:ad:27:6f:15:63:06:26:12:8d:9c:
- ad:ca:f4:db:97:b4:90:cb:ff:35:94:bb:2a:a7:a1:ab:1e:35:
- 2d:a5:3f:c9:24:b0:1a:58:89:75:3e:81:0a:2c:4f:98:f9:51:
- fb:c0:a3:09:d0:0a:9b:e7:a2:b7:c3:60:40:c8:f4:6d:b2:6a:
- 56:12:17:4c:00:24:31:df:9c:60:ae:b1:68:54:a9:e6:b5:4a:
- 04:e6:92:05:86:d9:5a:dc:96:30:a5:58:de:14:99:0f:e5:15:
- 89:3e:9b:eb:80:e3:bd:83:c3:ea:33:35:4b:3e:2f:d3:0d:64:
- 93:67:7f:8d:f5:3f:0c:27:bc:37:5a:cc:d6:47:16:af:5a:62:
- d2:da:51:f8:74:06:6b:24:ad:28:68:08:98:37:7d:ed:0e:ab:
- 1e:82:61:05:d0:ba:75:a0:ab:21:b0:9a:fd:2b:54:86:1d:0d:
- 1f:c2:d4:77:1f:72:26:5e:ad:8a:9f:09:36:6d:44:be:74:c2:
- 5a:3e:ff:5c:9d:75:d6:38:7b:c5:39:f9:44:6e:a1:d1:8e:ff:
- 63:db:c4:bb:c6:91:92:ca:5c:60:9b:1d:eb:0a:de:08:ee:bf:
- da:76:03:65:62:29:8b:f8:7f:c7:86:73:1e:f6:1f:2d:89:69:
- fd:be:bd:6e
-----BEGIN CERTIFICATE-----
-MIID4zCCAsugAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCSlAx
-EDAOBgNVBAgMB1NoaW1hbmUxFDASBgNVBAcMC01hdHotZSBjaXR5MRcwFQYDVQQK
-DA5SdWJ5IENvcmUgVGVhbTEVMBMGA1UEAwwMUnVieSBUZXN0IENBMSUwIwYJKoZI
-hvcNAQkBFhZzZWN1cml0eUBydWJ5LWxhbmcub3JnMB4XDTE5MDEwMjAzMjcxM1oX
-DTI0MDEwMTAzMjcxM1owYDELMAkGA1UEBhMCSlAxEDAOBgNVBAgMB1NoaW1hbmUx
-FzAVBgNVBAoMDlJ1YnkgQ29yZSBUZWFtMRIwEAYDVQQLDAlSdWJ5IFRlc3QxEjAQ
-BgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AOjanAEuKxDsSc1eBxMHnHCexnS8E8Lhb8aC/eNI4CylaMeeQt5gVGXmahRXejDQ
-zLW22cPS38kll1Rnz/a+XsuL7gPF4eL55/fRDEfwuNozWq1Bree1onu3vzDaYPjj
-VKK8Ov0bdNncdELpKb7frLRP6zL0BvHhjEuoi/sp57G/HQHucw/5QNzVFXnZxnPQ
-wN3L5NoZR4DGFARy/Zp8jxGCdkkEeczyXDEilRM+XUCmTeCjAiZ9Uju77WWhD+1r
-sDzU3mEVXtPdaAmfSlelwqlthpLF9KTUtxM7UmMkBeLM44o81DU0KxC7WHLn4Y0d
-dIxhFiA90BxOj279/mQQT0ECAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhC
-AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFO0o
-wn6rS8jo/lVtZpUxHC1g+QI2MB8GA1UdIwQYMBaAFPbRIinVPSPXXq0MnOZ1j53N
-+J1TMA0GCSqGSIb3DQEBCwUAA4IBAQAduMWLckEgZa0nbxVjBiYSjZytyvTbl7SQ
-y/81lLsqp6GrHjUtpT/JJLAaWIl1PoEKLE+Y+VH7wKMJ0Aqb56K3w2BAyPRtsmpW
-EhdMACQx35xgrrFoVKnmtUoE5pIFhtla3JYwpVjeFJkP5RWJPpvrgOO9g8PqMzVL
-Pi/TDWSTZ3+N9T8MJ7w3WszWRxavWmLS2lH4dAZrJK0oaAiYN33tDqsegmEF0Lp1
-oKshsJr9K1SGHQ0fwtR3H3ImXq2Knwk2bUS+dMJaPv9cnXXWOHvFOflEbqHRjv9j
-28S7xpGSylxgmx3rCt4I7r/adgNlYimL+H/HhnMe9h8tiWn9vr1u
+MIIDYTCCAkkCAQAwDQYJKoZIhvcNAQELBQAwgYwxCzAJBgNVBAYTAkpQMRAwDgYD
+VQQIDAdTaGltYW5lMRQwEgYDVQQHDAtNYXR6LWUgY2l0eTEXMBUGA1UECgwOUnVi
+eSBDb3JlIFRlYW0xFTATBgNVBAMMDFJ1YnkgVGVzdCBDQTElMCMGCSqGSIb3DQEJ
+ARYWc2VjdXJpdHlAcnVieS1sYW5nLm9yZzAeFw0yNDAxMDExMTQ3MjNaFw0zMzEy
+MjkxMTQ3MjNaMGAxCzAJBgNVBAYTAkpQMRAwDgYDVQQIDAdTaGltYW5lMRcwFQYD
+VQQKDA5SdWJ5IENvcmUgVGVhbTESMBAGA1UECwwJUnVieSBUZXN0MRIwEAYDVQQD
+DAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw+egZ
+Q6eumJKq3hfKfED4dE/tL4FI5sjqont9ABVI+1GSqyi1bFBgsRjM0THllIdMbKmJ
+tWwnKW8J+5OgNN8y6Xxv8JmM/Y5vQt2lis0fqXmG8UTz0VTWdlAXXmhUs6lSADvA
+aIe4RVrCsZ97L3ZQTryY7JRVcbB4khUN3Gp0yg+801SXzoFTTa+UGIRLE66jH51a
+a5VXu99hnv1OiH8tQrjdi8mH6uG/icq4XuIeNWMF32wHqIOOPvQcWV3M5D2vxJEj
+702Ku6k9OQXkAo17qRSEonWW4HtLbtmS8He1JNPc/n3dVUm+fM6NoDXPoLP7j55G
+9zKyqGtGAWXAj1MTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACtGNdj5TEtnJBYp
+M+LhBeU3oNteldfycEm993gJp6ghWZFg23oX8fVmyEeJr/3Ca9bAgDqg0t9a0npN
+oWKEY6wVKqcHgu3gSvThF5c9KhGbeDDmlTSVVNQmXWX0K2d4lS2cwZHH8mCm2mrY
+PDqlEkSc7k4qSiqigdS8i80Yk+lDXWsm8CjsiC93qaRM7DnS0WPQR0c16S95oM6G
+VklFKUSDAuFjw9aVWA/nahOucjn0w5fVW6lyIlkBslC1ChlaDgJmvhz+Ol3iMsE0
+kAmFNu2KKPVrpMWaBID49QwQTDyhetNLaVVFM88iUdA9JDoVMEuP1mm39JqyzHTu
+uBrdP4Q=
-----END CERTIFICATE-----
diff --git a/test/net/fixtures/server.key b/test/net/fixtures/server.key
index 7f2380e71e637..6a83d5bcf4a52 100644
--- a/test/net/fixtures/server.key
+++ b/test/net/fixtures/server.key
@@ -1,28 +1,27 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDo2pwBLisQ7EnN
-XgcTB5xwnsZ0vBPC4W/Ggv3jSOAspWjHnkLeYFRl5moUV3ow0My1ttnD0t/JJZdU
-Z8/2vl7Li+4DxeHi+ef30QxH8LjaM1qtQa3ntaJ7t78w2mD441SivDr9G3TZ3HRC
-6Sm+36y0T+sy9Abx4YxLqIv7Keexvx0B7nMP+UDc1RV52cZz0MDdy+TaGUeAxhQE
-cv2afI8RgnZJBHnM8lwxIpUTPl1Apk3gowImfVI7u+1loQ/ta7A81N5hFV7T3WgJ
-n0pXpcKpbYaSxfSk1LcTO1JjJAXizOOKPNQ1NCsQu1hy5+GNHXSMYRYgPdAcTo9u
-/f5kEE9BAgMBAAECggEBAOHkwhc7DLh8IhTDNSW26oMu5OP2WU1jmiYAigDmf+OQ
-DBgrZj+JQBci8qINQxL8XLukSZn5hvQCLc7Kbyu1/wyEEUFDxSGGwwzclodr9kho
-LX2LDASPZrOSzD2+fPi2wTKmXKuS6Uc44OjQfZkYMNkz9r4Vkm8xGgOD3VipjIYX
-QXlhhdqkXZcNABsihCV52GKkDFSVm8jv95YJc5xhoYCy/3a4/qPdF0aT2R7oYUej
-hKrxVDskyooe8Zg/JTydZNV5GQEDmW01/K3r6XGT26oPi1AqMU1gtv/jkW56CRQQ
-1got8smnqM+AV7Slf9R6DauIPdQJ2S8wsr/o8ISBsOECgYEA9YrqEP2gAYSGFXRt
-liw0WI2Ant8BqXS6yvq1jLo/qWhLw/ph4Di73OQ2mpycVTpgfGr2wFPQR1XJ+0Fd
-U+Ir/C3Q7FK4VIGHK7B0zNvZr5tEjlFfeRezo2JMVw5YWeSagIFcSwK+KqCTH9qc
-pw/Eb8nB/4XNcpTZu7Fg0Wc+ooUCgYEA8sVaicn1Wxkpb45a4qfrA6wOr5xdJ4cC
-A5qs7vjX2OdPIQOmoQhdI7bCWFXZzF33wA4YCws6j5wRaySLIJqdms8Gl9QnODy1
-ZlA5gwKToBC/jqPmWAXSKb8EH7cHilaxU9OKnQ7CfwlGLHqjMtjrhR7KHlt3CVRs
-oRmvsjZVXI0CgYAmPedslAO6mMhFSSfULrhMXmV82OCqYrrA6EEkVNGbcdnzAOkD
-gfKIWabDd8bFY10po4Mguy0CHzNhBXIioWQWV5BlbhC1YKMLw+S9DzSdLAKGY9gJ
-xQ4+UQ3wtRQ/k+IYR413RUsW2oFvgZ3KSyNeAb9MK6uuv84VdG/OzVSs/QKBgQDn
-kap//l2EbObiWyaERunckdVcW0lcN+KK75J/TGwPoOwQsLvTpPe65kxRGGrtDsEQ
-uCDk/+v3KkZPLgdrrTAih9FhJ+PVN8tMcb+6IM4SA4fFFr/UPJEwct0LJ3oQ0grJ
-y+HPWFHb/Uurh7t99/4H98uR02sjQh1wOeEmm78mzQKBgQDm+LzGH0se6CXQ6cdZ
-g1JRZeXkDEsrW3hfAsW62xJQmXcWxBoblP9OamMY+A06rM5og3JbDk5Zm6JsOaA8
-wS2gw4ilp46jors4eQey8ux7kB9LzdBoDBBElnsbjLO8oBNZlVcYXg+6BOl/CUi7
-2whRF0FEjKA8ehrNhAq+VFfFNw==
------END PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAsPnoGUOnrpiSqt4XynxA+HRP7S+BSObI6qJ7fQAVSPtRkqso
+tWxQYLEYzNEx5ZSHTGypibVsJylvCfuToDTfMul8b/CZjP2Ob0LdpYrNH6l5hvFE
+89FU1nZQF15oVLOpUgA7wGiHuEVawrGfey92UE68mOyUVXGweJIVDdxqdMoPvNNU
+l86BU02vlBiESxOuox+dWmuVV7vfYZ79Toh/LUK43YvJh+rhv4nKuF7iHjVjBd9s
+B6iDjj70HFldzOQ9r8SRI+9NirupPTkF5AKNe6kUhKJ1luB7S27ZkvB3tSTT3P59
+3VVJvnzOjaA1z6Cz+4+eRvcysqhrRgFlwI9TEwIDAQABAoIBAEEYiyDP29vCzx/+
+dS3LqnI5BjUuJhXUnc6AWX/PCgVAO+8A+gZRgvct7PtZb0sM6P9ZcLrweomlGezI
+FrL0/6xQaa8bBr/ve/a8155OgcjFo6fZEw3Dz7ra5fbSiPmu4/b/kvrg+Br1l77J
+aun6uUAs1f5B9wW+vbR7tzbT/mxaUeDiBzKpe15GwcvbJtdIVMa2YErtRjc1/5B2
+BGVXyvlJv0SIlcIEMsHgnAFOp1ZgQ08aDzvilLq8XVMOahAhP1O2A3X8hKdXPyrx
+IVWE9bS9ptTo+eF6eNl+d7htpKGEZHUxinoQpWEBTv+iOoHsVunkEJ3vjLP3lyI/
+fY0NQ1ECgYEA3RBXAjgvIys2gfU3keImF8e/TprLge1I2vbWmV2j6rZCg5r/AS0u
+pii5CvJ5/T5vfJPNgPBy8B/yRDs+6PJO1GmnlhOkG9JAIPkv0RBZvR0PMBtbp6nT
+Y3yo1lwamBVBfY6rc0sLTzosZh2aGoLzrHNMQFMGaauORzBFpY5lU50CgYEAzPHl
+u5DI6Xgep1vr8QvCUuEesCOgJg8Yh1UqVoY/SmQh6MYAv1I9bLGwrb3WW/7kqIoD
+fj0aQV5buVZI2loMomtU9KY5SFIsPV+JuUpy7/+VE01ZQM5FdY8wiYCQiVZYju9X
+Wz5LxMNoz+gT7pwlLCsC4N+R8aoBk404aF1gum8CgYAJ7VTq7Zj4TFV7Soa/T1eE
+k9y8a+kdoYk3BASpCHJ29M5R2KEA7YV9wrBklHTz8VzSTFTbKHEQ5W5csAhoL5Fo
+qoHzFFi3Qx7MHESQb9qHyolHEMNx6QdsHUn7rlEnaTTyrXh3ifQtD6C0yTmFXUIS
+CW9wKApOrnyKJ9nI0HcuZQKBgQCMtoV6e9VGX4AEfpuHvAAnMYQFgeBiYTkBKltQ
+XwozhH63uMMomUmtSG87Sz1TmrXadjAhy8gsG6I0pWaN7QgBuFnzQ/HOkwTm+qKw
+AsrZt4zeXNwsH7QXHEJCFnCmqw9QzEoZTrNtHJHpNboBuVnYcoueZEJrP8OnUG3r
+UjmopwKBgAqB2KYYMUqAOvYcBnEfLDmyZv9BTVNHbR2lKkMYqv5LlvDaBxVfilE0
+2riO4p6BaAdvzXjKeRrGNEKoHNBpOSfYCOM16NjL8hIZB1CaV3WbT5oY+jp7Mzd5
+7d56RZOE+ERK2uz/7JX9VSsM/LbH9pJibd4e8mikDS9ntciqOH/3
+-----END RSA PRIVATE KEY-----

148
ruby.spec
View File

@ -1,6 +1,6 @@
%global major_version 3
%global minor_version 3
%global teeny_version 0
%global teeny_version 1
%global major_minor_version %{major_version}.%{minor_version}
%global ruby_version %{major_minor_version}.%{teeny_version}
@ -27,7 +27,7 @@
%global rubygems_dir %{_datadir}/rubygems
# Bundled libraries versions
%global rubygems_version 3.5.3
%global rubygems_version 3.5.9
%global rubygems_molinillo_version 0.8.0
%global rubygems_net_http_version 0.4.0
%global rubygems_net_protocol_version 0.2.2
@ -35,9 +35,10 @@
%global rubygems_resolv_version 0.3.0
%global rubygems_timeout_version 0.4.1
%global rubygems_tsort_version 0.2.0
%global rubygems_uri_version 0.13.0
# Default gems.
%global bundler_version 2.5.3
%global bundler_version 2.5.9
%global bundler_connection_pool_version 2.4.1
%global bundler_fileutils_version 1.7.2
%global bundler_net_http_persistent_version 4.0.2
@ -71,7 +72,7 @@
%global ipaddr_version 1.2.6
%global logger_version 1.6.0
%global mutex_m_version 0.2.0
%global net_http_version 0.4.0
%global net_http_version 0.4.1
%global net_protocol_version 0.2.2
%global nkf_version 0.1.3
%global observer_version 0.1.2
@ -117,14 +118,14 @@
%global irb_version 1.11.0
%global json_version 2.7.1
%global psych_version 5.1.2
%global rdoc_version 6.6.2
%global rdoc_version 6.6.3.1
# Bundled gems.
%global debug_version 1.9.1
%global net_ftp_version 0.3.3
%global net_imap_version 0.4.9
%global net_ftp_version 0.3.4
%global net_imap_version 0.4.9.1
%global net_pop_version 0.1.2
%global net_smtp_version 0.4.0
%global net_smtp_version 0.4.0.1
%global matrix_version 0.4.2
%global minitest_version 5.20.0
%global power_assert_version 2.0.3
@ -137,6 +138,9 @@
%global test_unit_version 3.6.1
%global typeprof_version 0.21.9
# Bundled nkf version
%global bundled_nkf_version 2.1.5
%global tapset_libdir %(echo %{_libdir} | sed 's/64//')*
%if 0%{?fedora} >= 19
@ -163,14 +167,49 @@
Summary: An interpreter of object-oriented scripting language
Name: ruby
Version: %{ruby_version}%{?development_release}
Release: 1%{?dist}
# BSD-3-Clause: missing/{crypt,mt19937,setproctitle}.c
Release: 2%{?dist}
# Licenses, which are likely not included in binary RPMs:
# Apache-2.0:
# benchmark/gc/redblack.rb
# But this file might be BSD-2-Clause licensed after all:
# https://bugs.ruby-lang.org/issues/20420
# GPL-1.0-or-later: ext/win32/lib/win32/sspi.rb
# GPL-1.0-or-later OR Artistic-1.0-Perl: win32/win32.c, include/ruby/win32.h,
# ext/win32ole/win32ole.c
#
# !!! Problematic licenses:
# LicenseRef-scancode-unicode-mappings: ext/json/generator/generator.c
# https://bugs.ruby-lang.org/issues/11844#note-19
# https://github.com/flori/json/issues/277
# https://github.com/flori/json/pull/567
#
# Licenses under review:
# .bundle/gems/net-imap-0.4.9/LICENSE.txt
# https://gitlab.com/fedora/legal/fedora-license-data/-/issues/506
#
# Approved license without SPDX identifier:
# ext/pty/pty.c
# https://gitlab.com/fedora/legal/fedora-license-data/-/issues/503
#
# BSD-3-Clause: missing/{crypt,mt19937,setproctitle}.c, addr2line.c:2652
# CC0: ccan/{build_assert/build_assert.h,check_type/check_type.h,
# container_of/container_of.h,str/str.h}
# Allowed based on 'grandfather clause':
# https://gitlab.com/fedora/legal/fedora-license-data/-/blob/7d9720b2cfd8ccb98d1975312942d99588a0da7c/data/CC0-1.0.toml#L11-14
# https://gitlab.com/fedora/legal/fedora-license-data/-/issues/499
# dtoa: missing/dtoa.c
# GPL-3.0-or-later WITH Bison-exception-2.2: parse.{c,h}, ext/ripper/ripper.c
# HPND-Markus-Kuhn: missing/langinfo.c
# ISC: missing/strl{cat,cpy}.c
# Public Domain for example for: include/ruby/st.h, strftime.c, missing/*, ...
# MIT and CCO: ccan/*
# zlib: ext/digest/md5/md5.*, ext/nkf/nkf-utf8/nkf.c
# LicenseRef-Fedora-Public-Domain: include/ruby/st.h, strftime.c, missing/*, ...
# https://gitlab.com/fedora/legal/fedora-license-data/-/merge_requests/145
# MIT: ccan/list/list.h
# Ruby OR BSD-2-Clause OR GPL-1.0-or-later: lib/net/protocol.rb
# Unicode-DFS-2015: some of enc/trans/**/*.src
License: (Ruby OR BSD-2-Clause) AND BSD-3-Clause AND ISC AND Public Domain AND MIT and CC0 AND zlib AND Unicode-DFS-2015
# There is also license review ticket here:
# https://gitlab.com/fedora/legal/fedora-license-data/-/issues/500
# zlib: ext/digest/md5/md5.*, ext/nkf/nkf-utf8/nkf.c
License: (Ruby OR BSD-2-Clause) AND (Ruby OR BSD-2-Clause OR GPL-1.0-or-later) AND BSD-3-Clause AND (GPL-3.0-or-later WITH Bison-exception-2.2) AND ISC AND LicenseRef-Fedora-Public-Domain AND MIT AND CC0 AND zlib AND Unicode-DFS-2015 AND HPND-Markus-Kuhn
URL: https://www.ruby-lang.org/
Source0: https://cache.ruby-lang.org/pub/%{name}/%{major_minor_version}/%{ruby_archive}.tar.xz
Source1: operating_system.rb
@ -231,26 +270,13 @@ Patch9: ruby-3.3.0-Disable-syntax-suggest-test-case.patch
# Revert patches causing segfaults in alexandria package.
# https://bugs.ruby-lang.org/issues/20079
Patch10: ruby-3.3.0-Revert-Optimize-allocations-in-Hash-compare_by_identity.patch
# Fix net-http test errors due to expired certificate
# https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416
# https://bugs.ruby-lang.org/issues/20106
Patch11: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
# Armv8.3+ capable CPUs might segfault with incorrect compilation options.
# See related upstream report: https://bugs.ruby-lang.org/issues/20085
# https://bugs.ruby-lang.org/issues/20154
Patch12: ruby-3.4.0-fix-branch-protection-compilation-for-arm.patch
# Revert adding AI_ADDRCONFIG flag to getaddrinfo(3) calls.
# It is causing problems when network is in certain, valid, configuration.
# When loopback interface is IPv6 capable, but no regular network interface
# is IPv6 capable, in some situations (such as in TestNetHTTPLocalBind)
# this might result in creating IPv4 socket and then binding it
# to IPv6 family connection.
# That is incorrect behavior and such operation will result in
# Errno::EAFNOSUPPORT exception.
# The point of the upstream change is to workaround a glibc bug
# that is not present for us. Therefore we can safely revert the change.
# https://bugs.ruby-lang.org/issues/20208
Patch13: ruby-3.4.0-Revert-Set-AI_ADDRCONFIG-when-making-getaddrinfo.patch
# Fix build issue on i686 due to "incompatible pointer type" error.
# https://bugs.ruby-lang.org/issues/20447
Patch13: ruby-3.4.0-Fix-pointer-incompatiblity.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%{?with_rubypick:Suggests: rubypick}
@ -328,6 +354,11 @@ Provides: bundled(ccan-check_type)
Provides: bundled(ccan-container_of)
Provides: bundled(ccan-list)
# https://github.com/nurse/nkf
# Please note that nkf going to be promoted to bundled gem in Ruby 3.4:
# https://github.com/ruby/ruby/commit/2e3a7f70ae71650be6ea38a483f66ce17ca5eb1d
Provides: bundled(nkf) = %{bundled_nkf_version}
# StdLib default gems.
Provides: bundled(rubygem-did_you_mean) = %{did_you_mean_version}
Provides: bundled(rubygem-openssl) = %{openssl_version}
@ -350,7 +381,8 @@ Version: %{rubygems_version}
# lib/rubygems/timeout/
# lib/rubygems/tsort/
# MIT: lib/rubygems/resolver/molinillo
License: (Ruby OR MIT) AND BSD-2-Clause AND (BSD-2-Clause OR Ruby) AND MIT
# Ruby OR BSD-2-Clause OR GPL-1.0-or-later: lib/net/protocol.rb
License: (Ruby OR MIT) AND BSD-2-Clause AND (BSD-2-Clause OR Ruby) AND (Ruby OR BSD-2-Clause OR GPL-1.0-or-later) AND MIT
Requires: ruby(release)
Recommends: rubygem(bundler) >= %{bundler_version}
Recommends: rubygem(rdoc) >= %{rdoc_version}
@ -461,7 +493,8 @@ This package contains documentation for %{name}.
%package -n rubygem-bigdecimal
Summary: BigDecimal provides arbitrary-precision floating point decimal arithmetic
Version: %{bigdecimal_version}
License: Ruby OR BSD-2-Clause
# dtoa: missing/dtoa.c
License: (Ruby OR BSD-2-Clause) AND dtoa
Provides: bundled(rubygem-bigdecimal) = %{bigdecimal_version}
%description -n rubygem-bigdecimal
@ -716,7 +749,6 @@ analysis result in RBS format, a standard type description format for Ruby
%patch -P 6 -p1
%patch -P 9 -p1
%patch -P 10 -p1
%patch -P 11 -p1
%patch -P 12 -p1
%patch -P 13 -p1
@ -933,16 +965,16 @@ checksec --file=%{_vpath_builddir}/libruby.so.%{ruby_version} | \
# Molinillo.
make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
module Gem; module Resolver; end; end; \
require 'rubygems/resolver/molinillo/lib/molinillo/gem_metadata'; \
require 'rubygems/vendor/molinillo/lib/molinillo/gem_metadata'; \
puts '%%{rubygems_molinillo_version}: %{rubygems_molinillo_version}'; \
puts %Q[Gem::Resolver::Molinillo::VERSION: #{Gem::Resolver::Molinillo::VERSION}]; \
exit 1 if Gem::Resolver::Molinillo::VERSION != '%{rubygems_molinillo_version}'; \
puts %Q[Gem::Molinillo::VERSION: #{Gem::Molinillo::VERSION}]; \
exit 1 if Gem::Molinillo::VERSION != '%{rubygems_molinillo_version}'; \
\""
# Net::HTTP.
make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
module Gem; module Net; end; end; \
require 'rubygems/net-http/lib/net/http'; \
require 'rubygems/vendor/net-http/lib/net/http'; \
puts '%%{rubygems_net_http_version}: %{rubygems_net_http_version}'; \
puts %Q[Gem::Net::HTTP::VERSION: #{Gem::Net::HTTP::VERSION}]; \
exit 1 if Gem::Net::HTTP::VERSION != '%{rubygems_net_http_version}'; \
@ -951,7 +983,7 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
# Net::Protocol.
make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
module Gem; module Net; end; end; \
require 'rubygems/net-protocol/lib/net/protocol'; \
require 'rubygems/vendor/net-protocol/lib/net/protocol'; \
puts '%%{rubygems_net_protocol_version}: %{rubygems_net_protocol_version}'; \
puts %Q[Gem::Net::Protocol::VERSION: #{Gem::Net::Protocol::VERSION}]; \
exit 1 if Gem::Net::Protocol::VERSION != '%{rubygems_net_protocol_version}'; \
@ -960,7 +992,7 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
# OptParse.
make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
module Gem; end; \
require 'rubygems/optparse/lib/optparse'; \
require 'rubygems/vendor/optparse/lib/optparse'; \
puts '%%{rubygems_optparse_version}: %{rubygems_optparse_version}'; \
puts %Q[Gem::OptionParser::Version: #{Gem::OptionParser::Version}]; \
exit 1 if Gem::OptionParser::Version != '%{rubygems_optparse_version}'; \
@ -969,7 +1001,7 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
# Resolv.
make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
module Gem; end; \
require 'rubygems/resolv/lib/resolv'; \
require 'rubygems/vendor/resolv/lib/resolv'; \
puts '%%{rubygems_resolv_version}: %{rubygems_resolv_version}'; \
puts %Q[Gem::Resolv::VERSION: #{Gem::Resolv::VERSION}]; \
exit 1 if Gem::Resolv::VERSION != '%{rubygems_resolv_version}'; \
@ -978,7 +1010,7 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
# Timeout.
make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
module Gem; end; \
require 'rubygems/timeout/lib/timeout'; \
require 'rubygems/vendor/timeout/lib/timeout'; \
puts '%%{rubygems_timeout_version}: %{rubygems_timeout_version}'; \
puts %Q[Gem::Timeout::VERSION: #{Gem::Timeout::VERSION}]; \
exit 1 if Gem::Timeout::VERSION != '%{rubygems_timeout_version}'; \
@ -987,12 +1019,21 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
# TSort
make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
module Gem; end; \
require 'rubygems/tsort/lib/tsort'; \
require 'rubygems/vendor/tsort/lib/tsort'; \
puts '%%{rubygems_tsort_version}: %{rubygems_tsort_version}'; \
puts %Q[Gem::TSort::VERSION: #{Gem::TSort::VERSION}]; \
exit 1 if Gem::TSort::VERSION != '%{rubygems_tsort_version}'; \
\""
# URI.
make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
module Gem; end; \
require 'rubygems/vendor/uri/lib/uri/version'; \
puts '%%{rubygems_uri_version}: %{rubygems_uri_version}'; \
puts %Q[Gem::URI::VERSION: #{Gem::URI::VERSION}]; \
exit 1 if Gem::URI::VERSION != '%{rubygems_uri_version}'; \
\""
# Check Bundler bundled dependencies versions.
# connection_pool.
@ -1059,6 +1100,16 @@ make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
exit 1 if Bundler::URI::VERSION != '%{bundler_uri_version}'; \
\""
# Check bundled libraries versions.
# Nkf.
make -C %{_vpath_builddir} -s runruby TESTRUN_SCRIPT="-e \" \
require 'nkf'; \
puts '%%{bundled_nkf_version}: %{bundled_nkf_version}'; \
puts %Q[NKF::NKF_VERSION: #{NKF::NKF_VERSION}]; \
exit 1 if NKF::NKF_VERSION != '%{bundled_nkf_version}'; \
\""
# test_debug(TestRubyOptions) fails due to LoadError reported in debug mode,
# when abrt.rb cannot be required (seems to be easier way then customizing
@ -1673,6 +1724,19 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
%changelog
* Mon May 20 2024 Jarek Prokop <jprokop@redhat.com> - 3.3.1-2
- Upgrade to Ruby 3.3.1.
Resolves: RHEL-37446
- Fix buffer overread vulnerability in StringIO.
(CVE-2024-27280)
Resolves: RHEL-37448
- Fix RCE vulnerability with .rdoc_options in RDoc.
(CVE-2024-27281)
Resolves: RHEL-37449
- Fix Arbitrary memory address read vulnerability with Regex search.
(CVE-2024-27282)
Resolves: RHEL-37447
* Thu Jan 18 2024 Jarek Prokop <jprokop@redhat.com> - 3.3.0-1
- Upgrade to Ruby 3.3.0.
Resolves: RHEL-17090

2
sources
View File

@ -1 +1 @@
SHA512 (ruby-3.3.0.tar.xz) = 7959c5753bfa0bfc4d6d74060869aabbe9815c1c97930659da11b917ee0803ddbbd80e869e00c48b8694b4ba48709c3b6493fd045568e36e902616c35ababf01
SHA512 (ruby-3.3.1.tar.xz) = c58e9be9b5ab48191fbf7d67e13f0ec42ee71ed338170e0f7b246708e9cfc617ce65098f5ce7ab32d4305e785642d3e44253462104d5b9c4abcb1a4113f48347