From cba38803ee92ee2badbe7a6adb32c10a856e9d7a Mon Sep 17 00:00:00 2001 From: Jarek Prokop Date: Fri, 11 Apr 2025 13:25:53 +0200 Subject: [PATCH] Upgrade to Ruby 3.3.8. Fix Net::IMAP vulnerable to possible DoS by memory exhaustion. (CVE-2025-25186) Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219) Fix userinfo leakage in URI#join, URI#merge and URI#+. (CVE-2025-27221) Resolves: RHEL-87342 Resolves: RHEL-86116 --- ruby.spec | 25 ++++++++++++++++++------- sources | 2 +- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/ruby.spec b/ruby.spec index e2256f0..19f30b2 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %global major_version 3 %global minor_version 3 -%global teeny_version 7 +%global teeny_version 8 %global major_minor_version %{major_version}.%{minor_version} %global ruby_version %{major_minor_version}.%{teeny_version} @@ -52,7 +52,7 @@ %global abbrev_version 0.1.2 %global base64_version 0.2.0 %global benchmark_version 0.3.0 -%global cgi_version 0.4.1 +%global cgi_version 0.4.2 %global csv_version 3.2.8 %global date_version 3.3.4 %global delegate_version 0.3.1 @@ -107,7 +107,7 @@ %global tmpdir_version 0.2.0 %global tsort_version 0.2.0 %global un_version 0.3.0 -%global uri_version 0.13.1 +%global uri_version 0.13.2 %global weakref_version 0.1.3 %global win32ole_version 1.8.10 %global yaml_version 0.3.0 @@ -125,9 +125,9 @@ # Bundled gems. %global debug_version 1.9.2 %global net_ftp_version 0.3.4 -%global net_imap_version 0.4.9.1 +%global net_imap_version 0.4.19 %global net_pop_version 0.1.2 -%global net_smtp_version 0.4.0.1 +%global net_smtp_version 0.5.1 %global matrix_version 0.4.2 %global minitest_version 5.20.0 %global power_assert_version 2.0.3 @@ -173,7 +173,7 @@ Summary: An interpreter of object-oriented scripting language Name: ruby Version: %{ruby_version}%{?development_release} -Release: 9%{?dist} +Release: 10%{?dist} # Licenses, which are likely not included in binary RPMs: # Apache-2.0: # benchmark/gc/redblack.rb 
@@ -190,7 +190,7 @@ Release: 9%{?dist} # https://github.com/flori/json/pull/567 # # Licenses under review: -# .bundle/gems/net-imap-0.4.9/LICENSE.txt +# .bundle/gems/net-imap-0.4.19/LICENSE.txt # https://gitlab.com/fedora/legal/fedora-license-data/-/issues/506 # # BSD-3-Clause: missing/{crypt,mt19937,setproctitle}.c, addr2line.c:2652 @@ -1613,12 +1613,15 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \ # net-imap %dir %{gem_instdir net-imap} %{gem_instdir net-imap}/Gemfile +%license %{gem_instdir net-imap}/BSDL +%license %{gem_instdir net-imap}/COPYING %license %{gem_instdir net-imap}/LICENSE.txt %doc %{gem_instdir net-imap}/README.md %{gem_instdir net-imap}/Rakefile %{gem_instdir net-imap}/docs %{gem_libdir net-imap} %{gem_instdir net-imap}/rakelib +%{gem_instdir net-imap}/sample %{gem_spec net-imap} # net-pop @@ -1768,6 +1771,14 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \ %changelog +* Mon Apr 14 2025 Jarek Prokop - 3.3.8-10 +- Upgrade to Ruby 3.3.8. + Resolves: RHEL-87342 +- Fix Net::IMAP vulnerable to possible DoS by memory exhaustion. (CVE-2025-25186) +- Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219) + Resolves: RHEL-86116 +- Fix userinfo leakage in URI#join, URI#merge and URI#+. (CVE-2025-27221) + * Thu Jan 30 2025 Jun Aruga - 3.3.7-9 - Upgrade to Ruby 3.3.7 Resolves: RHEL-77994 diff --git a/sources b/sources index 0b5c71a..a0dfe11 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (ruby-3.3.7.tar.xz) = 4082a7684c1b0d53a0ce493f79568e851d37a864f59c58b2e0c273b2659e0ca75318ddff939fdf5e9d0a3eeba1b6d8f03bf88afb49a5ffd77714f1c8a7dfdd55 +SHA512 (ruby-3.3.8.tar.xz) = 71c2f3ac9955e088fa885fd2ff695e67362a770a5d33e5160081eda3dd298ca2c692e299b03d757caecfbc94043fedc4ad093de84c505585d480cb36bbf978b9
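Review bot: The two new `%license` lines in the net-imap `%files` hunk (`BSDL` and `COPYING`) are not matched by any change to the license breakdown in this commit; the only licensing comment touched is the `Licenses under review` path for `LICENSE.txt` in the hunk before it. The diff does not show what terms those two files carry, so the breakdown comment and the `License:` tag should be checked against them, and a line such as `# .bundle/gems/net-imap-0.4.19/{BSDL,COPYING}` added under the appropriate heading. The new `%{gem_instdir net-imap}/sample` entry installs the gem's example scripts as ordinary payload; if they are only illustrative, `%doc %{gem_instdir net-imap}/sample` would let documentation-free installs omit them, as is already done for `README.md`. The `%files` list starts and continues outside the hunk, so whether another entry already covers these paths cannot be seen from here.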