import UBI ruby-3.0.7-166.el9_7

Andrew Lukoshko 2026-05-19 19:01:09 +00:00
parent 87ae0a7ca0
commit 7a80435212
6 changed files with 247 additions and 39 deletions


@ -1,28 +0,0 @@
From 1816c142a4d66a75c23ccf6fd89a06cbe422e34f Mon Sep 17 00:00:00 2001
From: "NARUSE, Yui" <nurse@users.noreply.github.com>
Date: Sat, 3 Feb 2024 22:35:44 +0900
Subject: [PATCH] Fix test session reuse but expire (#9824)
* OpenSSL 3.2.1 30 Jan 2024 is also broken
Import 45064610725ddd81a5ea3775da35aa46985bc789 from ruby_3_3 branch
tentatively.
---
test/net/http/test_https.rb | 1 +
1 file changed, 1 insertion(+)
diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
index 7b97e39586..aef748dfa0 100644
--- a/test/net/http/test_https.rb
+++ b/test/net/http/test_https.rb
@@ -178,6 +178,7 @@ def test_session_reuse
def test_session_reuse_but_expire
# FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/
+ omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('OpenSSL 3.2.')
http = Net::HTTP.new("localhost", config("port"))
http.use_ssl = true
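Review bot: the added `omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('OpenSSL 3.2.')` silences the test on every 3.2.x build instead of checking that an expired session is really not reused, and the prefix match would not cover 3.3 or later either. Since this whole file is deleted in this commit (the `-1,28 +0,0` header) in favour of a patch that exercises expiry with a real timeout, dropping it is the right call; just make sure the spec no longer references Patch70 anywhere once the `Patch70:` declaration and the `%patch70 -p1` line are gone.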
--
2.44.0


@ -0,0 +1,29 @@
From 960a0cdc544a226fed31c8988edb4fefe6990154 Mon Sep 17 00:00:00 2001
From: MSP-Greg <Greg.mpls@gmail.com>
Date: Thu, 20 Jun 2024 19:33:06 -0500
Subject: [PATCH] [ruby/net-http] test_https.rb - fix
test_session_reuse_but_expire
https://github.com/ruby/net-http/commit/5544243c41
---
test/net/http/test_https.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
index 7b97e39586..a2f17ce336 100644
--- a/test/net/http/test_https.rb
+++ b/test/net/http/test_https.rb
@@ -183,11 +183,11 @@ def test_session_reuse_but_expire
http.use_ssl = true
http.cert_store = TEST_STORE
- http.ssl_timeout = -1
+ http.ssl_timeout = 1
http.start
http.get("/")
http.finish
-
+ sleep 1.25
http.start
http.get("/")
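Review bot: the expiry check now rests on wall-clock timing with a thin margin: `http.ssl_timeout = 1` gives the session a one-second lifetime and `sleep 1.25` leaves only 250 ms of headroom before the second `http.start`. The timeout is specified in whole seconds, so a sleep of at least twice the timeout (for example `sleep 2.5`) would cost nothing noticeable and remove any dependence on sub-second bookkeeping of the session's creation time on a loaded build host.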


@ -0,0 +1,68 @@
From 9bdf63dd97e56edd9eba4e2a95623798ed472d86 Mon Sep 17 00:00:00 2001
From: Takashi Kokubun <takashikkbn@gmail.com>
Date: Tue, 21 Apr 2026 16:27:44 +0900
Subject: [PATCH] Prohibit def_method on marshal-loaded ERB instances
Extends the @_init guard to def_method so that an ERB object created
via Marshal.load (which bypasses initialize) raises ArgumentError
instead of evaluating arbitrary source. def_module and def_class both
delegate to def_method and are covered by the same check.
Co-authored-by: Tristan Madani <TristanInSec@gmail.com>
---
lib/erb.rb | 3 +++
test/erb/test_erb.rb | 27 +++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/lib/erb.rb b/lib/erb.rb
index d2ea64ab60..6c5efad513 100644
--- a/lib/erb.rb
+++ b/lib/erb.rb
@@ -939,6 +939,9 @@ def new_toplevel(vars = nil)
# erb.def_method(MyClass, 'render(arg1, arg2)', filename)
# print MyClass.new.render('foo', 123)
def def_method(mod, methodname, fname='(ERB)')
+ unless @_init.equal?(self.class.singleton_class)
+ raise ArgumentError, "not initialized"
+ end
src = self.src.sub(/^(?!#|$)/) {"def #{methodname}\n"} << "\nend\n"
mod.module_eval do
eval(src, binding, fname, -1)
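Review bot: the guard is sound because it compares by identity (`@_init.equal?(self.class.singleton_class)`) against a value Marshal cannot serialize: a singleton class cannot be dumped, so a payload can only carry a forged truthy `@_init` (as the tests do with `true`) or none at all, and neither satisfies `equal?`. It is placed before `self.src` is read, so no template text is touched for a forged object. Since `def_module` and `def_class` are covered only by delegating to `def_method` (stated in the commit message, not visible in this hunk), and the same check already protects `result` (see `test_prohibited_marshal_load` in the test hunk), consider hoisting the three lines into one private helper (for example `ensure_initialized!`) so any further entry point that evaluates `src` cannot miss it.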
diff --git a/test/erb/test_erb.rb b/test/erb/test_erb.rb
index d3e9b6c944..e5f2d97f1c 100644
--- a/test/erb/test_erb.rb
+++ b/test/erb/test_erb.rb
@@ -701,6 +701,33 @@ def test_prohibited_marshal_load
erb = Marshal.load(Marshal.dump(erb))
assert_raise(ArgumentError) {erb.result}
end
+
+ def test_prohibited_marshal_load_def_method
+ erb = ERB.allocate
+ erb.instance_variable_set(:@src, "")
+ erb.instance_variable_set(:@lineno, 1)
+ erb.instance_variable_set(:@_init, true)
+ erb = Marshal.load(Marshal.dump(erb))
+ assert_raise(ArgumentError) {erb.def_method(Class.new, 'render')}
+ end
+
+ def test_prohibited_marshal_load_def_module
+ erb = ERB.allocate
+ erb.instance_variable_set(:@src, "")
+ erb.instance_variable_set(:@lineno, 1)
+ erb.instance_variable_set(:@_init, true)
+ erb = Marshal.load(Marshal.dump(erb))
+ assert_raise(ArgumentError) {erb.def_module}
+ end
+
+ def test_prohibited_marshal_load_def_class
+ erb = ERB.allocate
+ erb.instance_variable_set(:@src, "")
+ erb.instance_variable_set(:@lineno, 1)
+ erb.instance_variable_set(:@_init, true)
+ erb = Marshal.load(Marshal.dump(erb))
+ assert_raise(ArgumentError) {erb.def_class}
+ end
end
class TestERBCoreWOStrScan < TestERBCore
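Review bot: the three new tests are identical except for the final call; a small helper that builds the forged instance (`ERB.allocate`, the two `instance_variable_set` calls for `@src` and `@lineno`, `@_init = true`, then the `Marshal.load(Marshal.dump(...))` round trip) would keep them readable and make it obvious that only the entry point differs. They also all forge `@_init` as `true`; adding one case that leaves `@_init` unset (so it loads as `nil`) would document that the identity check rejects the plain `ERB.allocate` shape too, not just a truthy forgery.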

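To make the property behind the guard concrete, the following is an added illustration, not ERB's code and not part of this commit: a hypothetical `TemplateLike` class that uses the same sentinel scheme as the hunk above (`@_init` holds the class's singleton class and is checked with `equal?`). It shows that an instance forged the way the tests do (allocate, set a truthy `@_init`, round-trip through Marshal) is rejected, that a genuine instance passes, and why the sentinel cannot be faked: Marshal refuses to dump a singleton class at all. The template source and the `render` method are stand-ins chosen for the example.

```ruby
# Added illustration of the @_init sentinel scheme; TemplateLike is a
# hypothetical stand-in, not ERB.
class TemplateLike
  attr_reader :src

  def initialize(src)
    @src = src
    # Sentinel: the singleton class of the class. Marshal cannot dump a
    # singleton class, so no serialized payload can carry this exact object.
    @_init = self.class.singleton_class
  end

  def initialized?
    @_init.equal?(self.class.singleton_class)
  end

  # Stand-in for ERB#def_method / #result: refuse to evaluate template
  # source unless the instance went through initialize.
  def render
    raise ArgumentError, "not initialized" unless initialized?
    eval(@src) # deliberately evaluates the template, as ERB does with its src
  end
end

# A forged instance, built as a deserialization payload would build it:
# allocate (skipping initialize), set a truthy @_init, round-trip via Marshal.
def forged_instance
  obj = TemplateLike.allocate
  obj.instance_variable_set(:@src, "1 + 1") # constructed template source
  obj.instance_variable_set(:@_init, true)
  Marshal.load(Marshal.dump(obj))
end

# Returns the guard's error message for the forged object, or :evaluated if
# the template source was run (which must not happen).
def forged_render_result
  forged_instance.render
  :evaluated
rescue ArgumentError => e
  e.message
end

def genuine_render_result
  TemplateLike.new("1 + 1").render
end

# A genuine instance cannot even be serialized: Marshal rejects the sentinel.
# Returns the TypeError message, or nil if dumping unexpectedly succeeded.
def genuine_dump_error
  Marshal.dump(TemplateLike.new("1 + 1"))
  nil
rescue TypeError => e
  e.message
end

if __FILE__ == $0
  puts "forged object:   #{forged_render_result.inspect}"
  puts "genuine object:  #{genuine_render_result.inspect}"
  puts "dumping genuine: #{genuine_dump_error.inspect}"
end
```

The identity comparison is what matters: a truthiness check (`unless @_init`) would be satisfied by the forged `true`, while `equal?` against an object that cannot travel through Marshal cannot be.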

@ -0,0 +1,61 @@
From b7ce8df9f0d03a590adbddaaa5f5ce4442e696ec Mon Sep 17 00:00:00 2001
From: Job Snijders <job@sobornost.net>
Date: Mon, 25 Mar 2024 12:20:13 +0000
Subject: [PATCH] Only CSR version 1 (encoded as 0) is allowed by PKIX
standards
RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.
Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.
This commit fixes the following error.
```
2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
40: req = OpenSSL::X509::Request.new(req.to_der)
41: assert_equal(0, req.version)
42:
=> 43: req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
44: assert_equal(1, req.version)
45: req = OpenSSL::X509::Request.new(req.to_der)
46: assert_equal(1, req.version)
```
---
test/openssl/test_x509req.rb | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index ee9c678fbb..2a14afc9a1 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -39,11 +39,6 @@ def test_version
assert_equal(0, req.version)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(0, req.version)
-
- req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
- assert_equal(1, req.version)
- req = OpenSSL::X509::Request.new(req.to_der)
- assert_equal(1, req.version)
end
def test_subject
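Review bot: with the version-1 block removed, `test_version` only checks the default (`assert_equal(0, req.version)` before and after the DER round trip), so the new library behaviour that motivated the change is left unasserted. Consider pinning it under a library-version guard, for example `assert_raise(OpenSSL::X509::RequestError) { req.version = 1 }` where the linked libcrypto enforces the PKIX rule, so a regression in either direction shows up rather than passing silently.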
@@ -106,8 +101,8 @@ def test_sign_and_verify_rsa_sha1
assert_equal(false, req.verify(@rsa2048))
assert_equal(false, request_error_returns_false { req.verify(@dsa256) })
assert_equal(false, request_error_returns_false { req.verify(@dsa512) })
- req.version = 1
+ req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")
assert_equal(false, req.verify(@rsa1024))
end
def test_sign_and_verify_rsa_md5
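Review bot: replacing `req.version = 1` with `req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBarFooBar")` is a better way to invalidate the request anyway: the signature covers the whole CertificationRequestInfo, so a changed subject must make `req.verify(@rsa1024)` return false regardless of how strictly the library validates the version field. If the lines of this test above the hunk do not already assert that `req.verify(@rsa1024)` is true before the subject is changed, add that so the `false` afterwards is attributable to the tampering and not to an earlier failure.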


@ -0,0 +1,62 @@
From 561b56fcb552654e7c9449959f49fbc014798a58 Mon Sep 17 00:00:00 2001
From: Jun Aruga <jaruga@redhat.com>
Date: Tue, 12 Mar 2024 14:39:05 +0100
Subject: [PATCH] test_asn1.rb: Remove the assertions of the time string format
without second.
This commit fixes the following errors in the tests.
Because the OpenSSL project changed the code to make the time string format
without second invalid. So, we drop the assertions.
```
1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime'
430: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
431: # LibreSSL 3.6.0 requires the seconds element
432: return if libressl?
=> 433: decode_test B(%w{ 18 0D }) + "201612081934Z".b,
434: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
435: # not implemented
436: # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test'
/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime'
408: end
409: # Seconds is omitted. LibreSSL 3.6.0 requires it
410: return if libressl?
=> 411: decode_test B(%w{ 17 0B }) + "1609082343Z".b,
412: OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
413: # not implemented
414: # decode_test B(%w{ 17 11 }) + "500908234339+0930".b,
```
---
test/openssl/test_asn1.rb | 5 -----
1 file changed, 5 deletions(-)
diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb
index af069cad6e..b5cf1adfd8 100644
--- a/test/openssl/test_asn1.rb
+++ b/test/openssl/test_asn1.rb
@@ -405,9 +405,6 @@ def test_set
def test_utctime
encode_decode_test B(%w{ 17 0D }) + "160908234339Z".b,
OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 39))
- # Seconds is omitted
- decode_test B(%w{ 17 0B }) + "1609082343Z".b,
- OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0))
begin
# possible range of UTCTime is 1969-2068 currently
encode_decode_test B(%w{ 17 0D }) + "690908234339Z".b,
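Review bot: dropping the `decode_test B(%w{ 17 0B }) + "1609082343Z".b` case leaves the seconds-less UTCTime form with no assertion at all, in either direction. Since the library now rejects it (the `utctime is too short` error in the log above) while older builds accept it, a version-guarded pair of assertions (the original `decode_test` on builds that accept it, `assert_raise(OpenSSL::ASN1::ASN1Error)` on those that do not) would keep the behaviour pinned instead of merely untested.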
@@ -433,8 +430,6 @@ def test_generalizedtime
OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 29))
encode_decode_test B(%w{ 18 0F }) + "99990908234339Z".b,
OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39))
- decode_test B(%w{ 18 0D }) + "201612081934Z".b,
- OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0))
# not implemented
# decode_test B(%w{ 18 13 }) + "20161208193439+0930".b,
# OpenSSL::ASN1::GeneralizedTime.new(Time.new(2016, 12, 8, 19, 34, 39, "+09:30"))
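Review bot: the context lines of this hunk carry no `# LibreSSL 3.6.0 requires the seconds element` / `return if libressl?` guard, whereas the CI excerpt in the commit message (lines 430-432 and 409-410 there) shows one immediately before the removed `decode_test` calls; this patch has therefore been rebased onto the older test file bundled with this Ruby, and no orphaned `return if libressl?` is left behind after the removal. Worth a one-line remark in the spec comment so the next rebase does not try to re-add the guard.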

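Both openssl-gem test patches above drop assertions because the linked libcrypto tightened validation. The following probe is an added example for packagers, not code from ruby/openssl or from this commit: it reports what the library on the build host actually accepts for the two constructs in question (time strings without seconds, and CSR versions other than 0) and re-checks the property the patched `test_sign_and_verify_rsa_sha1` relies on, namely that a CSR signature covers the subject. It assumes the `openssl` default gem; the DER byte strings are constructed here from the same encodings the removed assertions used, and the RSA key is generated at run time.

```ruby
require 'openssl'

# Added probe for the linked libcrypto; not part of ruby/openssl or this commit.

# DER time values: tag 0x17 = UTCTime, 0x18 = GeneralizedTime, one length byte.
def der_time(tag, text)
  [tag, text.bytesize].pack("CC") + text.b
end

UTC_WITH_SECONDS    = der_time(0x17, "160908234339Z")   # 2016-09-08 23:43:39Z
UTC_WITHOUT_SECONDS = der_time(0x17, "1609082343Z")     # the dropped assertion
GEN_WITH_SECONDS    = der_time(0x18, "20161208193439Z") # 2016-12-08 19:34:39Z
GEN_WITHOUT_SECONDS = der_time(0x18, "201612081934Z")   # the dropped assertion

# Decode one DER time: returns the Time on success, or the error class when the
# library rejects the encoding (OpenSSL::ASN1::ASN1Error, as in the log above).
def probe_time(der)
  OpenSSL::ASN1.decode(der).value
rescue OpenSSL::ASN1::ASN1Error => e
  e.class
end

def seconds_less_times_accepted?
  [UTC_WITHOUT_SECONDS, GEN_WITHOUT_SECONDS].all? { |d| probe_time(d).is_a?(Time) }
end

# Build a self-signed CSR and round-trip it through DER. Version 0 is the only
# value RFC 2986 defines (CSR "version 1"); any other value is accepted or
# rejected depending on the library, surfacing as OpenSSL::X509::RequestError.
def build_csr(key, version: 0)
  req = OpenSSL::X509::Request.new
  req.version = version
  req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=probe") # constructed name
  req.public_key = key
  req.sign(key, OpenSSL::Digest.new("SHA256"))
  OpenSSL::X509::Request.new(req.to_der)
end

def nonzero_csr_version_accepted?(key)
  build_csr(key, version: 1)
  true
rescue OpenSSL::X509::RequestError
  false
end

# The signature covers CertificationRequestInfo, so editing the subject after
# signing must make verify return false (what the patched test relies on).
def subject_tamper_detected?(key)
  req = build_csr(key)
  return false unless req.verify(key)
  req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=tampered")
  !req.verify(key)
end

if __FILE__ == $0
  key = OpenSSL::PKey::RSA.new(2048)
  puts "library: #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  puts "UTCTime without seconds:         #{probe_time(UTC_WITHOUT_SECONDS).inspect}"
  puts "GeneralizedTime without seconds: #{probe_time(GEN_WITHOUT_SECONDS).inspect}"
  puts "CSR version 1 accepted:          #{nonzero_csr_version_accepted?(key)}"
  puts "subject tampering detected:      #{subject_tamper_detected?(key)}"
end
```

Run it on the build host before deciding which assertions are safe to keep or to guard by library version; the with-seconds encodings and the subject-tampering check should pass on any supported libcrypto, while the two "accepted" answers are exactly the library-dependent behaviour the patches stop asserting.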

@ -22,7 +22,7 @@
%endif
%global release 165
%global release 166
%{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
# The RubyGems library has to stay out of Ruby directory tree, since the
@ -293,10 +293,6 @@ Patch68: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
# https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416
# https://bugs.ruby-lang.org/issues/20106
Patch69: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
# Fix `TestNetHTTPS#test_session_reuse_but_expire` test failure cause by
# to OpenSSL 3.2
# https://github.com/ruby/ruby/commit/64b6a018a38f200c957fdbbe7d0cbe0e64781c9f
Patch70: ruby-3.3.1-Fix-test-session-reuse-but-expire.patch
# Tests not included, this Ruby release does not include REXML tests.
# https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
Patch71: rubygem-rexml-3.3.9-Fix-ReDoS-CVE-2024-49761.patch
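Review bot: removing the `Patch70:` declaration together with its comment leaves no trace in the spec of why the number is now unused; a one-line comment noting that the OpenSSL 3.2 session-reuse skip was superseded by Patch80 would save the next rebase from reintroducing the old skip-on-3.2 patch.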
@ -339,6 +335,18 @@ Patch76: rubygem-cgi-0.3.5.1-Fix-DoS-in-CGI-Cookie-parse-CVE-2025-27219.patch
# Fix ReDoS in CGI::Util#escapeElement. (CVE-2025-27220)
# https://github.com/ruby/cgi/commit/bfa69e120df4e0131bb05df6c5e05c1dc982cd37
Patch77: rubygem-cgi-0.3.5.1-Fix-ReDoS-in-CGI-CVE-2025-27220.patch
# Only CSR version 1 (encoded as 0) is allowed by PKIX standards
# https://github.com/ruby/openssl/pull/747
Patch78: rubygem-openssl-3.3.0-Only-CSR-version-1-encoded-as-0-is-allowed-by-PKIX.patch
# Remove the assertions of the time string format without second.
# https://github.com/ruby/openssl/pull/728
Patch79: rubygem-openssl-3.3.0-test_asn1.rb-Remove-the-assertions-of-the-time.patch
# Fix test_session_reuse_but_expire test failure for Net::HTTPS.
# https://github.com/ruby/ruby/commit/9f4b45fbf7981a57fd82436ebec8a50ec3d3fdc9
Patch80: ruby-3.4.0-ruby-net-http-test_https.rb-fix-test_session_reuse_but_expire.patch
# Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316)
# https://github.com/ruby/erb/commit/ef61b591b270f8ba58d47f12472a1c53a77b4d61
Patch81: rubygem-erb-4.0.3.1-Fix-arbitrary-code-execution-via-deserialization-bypass-CVE-2026-41316.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Suggests: rubypick
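Review bot: the Patch81 comment links the fix as `https://github.com/ruby/erb/commit/ef61b591b270f8ba58d47f12472a1c53a77b4d61`, but the patch file added in this commit carries `From 9bdf63dd97e56edd9eba4e2a95623798ed472d86` (a ruby/ruby-tree commit by Takashi Kokubun). For a CVE fix the provenance should be exact: cite the commit the file was actually exported from, or list both, so the backport can be re-verified against upstream later. The same applies in a milder form to Patch80, whose comment links ruby/ruby `9f4b45fb...` while the file's header is `960a0cdc...` and its body cites ruby/net-http `5544243c41`.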
@ -355,6 +363,7 @@ BuildRequires: readline-devel
# Needed to pass test_set_program_name(TestRubyOptions)
BuildRequires: procps
%{?with_systemtap:BuildRequires: %{_bindir}/dtrace}
%{?with_systemtap:BuildRequires: systemtap-sdt-devel}
# RubyGems test suite optional dependencies.
%{?with_git:BuildRequires: git}
%{?with_cmake:BuildRequires: %{_bindir}/cmake}
@ -811,13 +820,16 @@ rm -rf ext/fiddle/libffi*
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
%patch72 -p1
%patch73 -p1
%patch74 -p1
%patch75 -p1
%patch76 -p1
%patch77 -p1
%patch78 -p1
%patch79 -p1
%patch80 -p1
%patch81 -p1
# Instead of adjusting patch's directory, use the following form where
# we first enter the correct directory, this allows more general application
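Review bot: the new `%patch78`, `%patch79` and `%patch81` lines are applied with `-p1` from the top of the tree, which is correct for these files: their diffs touch `test/openssl/test_x509req.rb`, `test/openssl/test_asn1.rb` and `lib/erb.rb`, all top-level Ruby tree paths rather than bundled-gem directories. `%patch70 -p1` is dropped to match the removed declaration, and `%patch71` remains absent from this list as before, consistent with the comment that gem patches are applied after entering the gem directory.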
@ -1600,21 +1612,25 @@ make runruby TESTRUN_SCRIPT=" \
%changelog
* Mon Apr 27 2026 Jarek Prokop <jprokop@redhat.com> - 3.0.7-166
- Fix arbitrary code execution via deserialization bypass in ERB. (CVE-2026-41316)
Resolves: RHEL-171254
* Fri Apr 11 2025 Jarek Prokop <jprokop@redhat.com> - 3.0.7-165
- Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219)
Resolves: RHEL-87183
Resolves: RHEL-86104
- Fix ReDoS in CGI::Util#escapeElement. (CVE-2025-27220)
Resolves: RHEL-87184
Resolves: RHEL-86130
* Thu Mar 06 2025 Jarek Prokop <jprokop@redhat.com> - 3.0.7-164
- Undefine GC compaction methods on ppc64le.
Resolves: RHEL-83135
Resolves: RHEL-83136
- Fix printing warnings when using IRB from a script.
Resolves: RHEL-83137
Resolves: RHEL-83044
* Tue Nov 26 2024 Jarek Prokop <jprokop@redhat.com> - 3.0.7-163
- Fix REXML ReDoS vulnerability. (CVE-2024-49761)
Resolves: RHEL-68521
Resolves: RHEL-68525
* Tue Apr 30 2024 Jun Aruga <jaruga@redhat.com> - 3.0.7-162
- Upgrade to Ruby 3.0.7.
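Review bot: the 3.0.7-166 entry records only the ERB CVE fix, but this release also swaps Patch70 for Patch80, adds the two openssl-gem test adjustments (Patch78, Patch79) and a new `BuildRequires: procps`. Add a line for the test-suite and build-dependency changes so they are traceable from the RPM changelog and not only from the spec diff.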