diff --git a/.gitignore b/.gitignore
index bae1614..7cc7fff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-ruby-3.3.7.tar.xz
+ruby-3.3.8.tar.xz
diff --git a/ruby-3.4.0-openssl-fix-test-provider-in-fips.patch b/ruby-3.4.0-openssl-fix-test-provider-in-fips.patch
new file mode 100644
index 0000000..21abef1
--- /dev/null
+++ b/ruby-3.4.0-openssl-fix-test-provider-in-fips.patch
@@ -0,0 +1,61 @@ +From 570582fb78bc4adaafba44f47465507f649fa9dc Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Thu, 5 Sep 2024 20:06:37 +0200 +Subject: [PATCH] [ruby/openssl] Fix test_provider.rb in FIPS. + +https://github.com/ruby/openssl/commit/7bdbc52100 +--- + test/openssl/test_provider.rb | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/test/openssl/test_provider.rb b/test/openssl/test_provider.rb +index 4e050b4bc2..e27968602a 100644 +--- a/test/openssl/test_provider.rb ++++ b/test/openssl/test_provider.rb +@@ -1,6 +1,6 @@ + # frozen_string_literal: true + require_relative 'utils' +-if defined?(OpenSSL) && defined?(OpenSSL::Provider) && !OpenSSL.fips_mode ++if defined?(OpenSSL) && defined?(OpenSSL::Provider) + + class OpenSSL::TestProvider < OpenSSL::TestCase + def test_openssl_provider_name_inspect +@@ -13,14 +13,22 @@ def test_openssl_provider_name_inspect + + def test_openssl_provider_names + omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/ ++ # We expect the following providers are loaded in the cases: ++ # * Non-FIPS: default ++ # * FIPS: fips, base ++ # Use the null provider to test the added provider. ++ # See provider(7) - OPENSSL PROVIDERS to see the list of providers, and ++ # OSSL_PROVIDER-null(7) to check the details of the null provider. 
+ with_openssl <<-'end;' +- base_provider = OpenSSL::Provider.load("base") +- assert_equal(2, OpenSSL::Provider.provider_names.size) +- assert_includes(OpenSSL::Provider.provider_names, "base") ++ num = OpenSSL::Provider.provider_names.size + +- assert_equal(true, base_provider.unload) +- assert_equal(1, OpenSSL::Provider.provider_names.size) +- assert_not_includes(OpenSSL::Provider.provider_names, "base") ++ added_provider = OpenSSL::Provider.load("null") ++ assert_equal(num + 1, OpenSSL::Provider.provider_names.size) ++ assert_includes(OpenSSL::Provider.provider_names, "null") ++ ++ assert_equal(true, added_provider.unload) ++ assert_equal(num, OpenSSL::Provider.provider_names.size) ++ assert_not_includes(OpenSSL::Provider.provider_names, "null") + end; + end + +@@ -35,6 +43,9 @@ def test_unloaded_openssl_provider + + def test_openssl_legacy_provider + omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/ ++ # The legacy provider is not supported on FIPS. ++ omit_on_fips ++ + with_openssl(<<-'end;') + begin + OpenSSL::Provider.load("legacy") diff --git a/ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch b/ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch new file mode 100644 index 0000000..0dc2c7d --- /dev/null +++ b/ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch 
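Review bot: The new `omit_on_fips` call in test_openssl_legacy_provider relies on a helper from test/openssl/utils.rb that this patch does not add; the file is named for 3.4.0 but is applied to the Ruby 3.3.8 tree, so confirm the bundled openssl gem's utils.rb there already defines it, otherwise the test errors with NoMethodError instead of omitting. In test_openssl_provider_names the baseline `num` is read before loading the null provider, which is what makes the assertions valid for both provider sets named in the comment; a one-line comment stating that intent would help, e.g. `# Compare against the pre-load count: the active provider set depends on FIPS mode (and presumably openssl.cnf), not on a constant.`. Both test methods continue past the end of the hunk.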
@@ -0,0 +1,58 @@ +From 02c40367d918d3bc42098e1fcfe0c822319f4d37 Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Thu, 8 Feb 2024 18:53:32 +0100 +Subject: [PATCH] [ruby/openssl] test_provider.rb: Make a legacy provider test + optional. + +In some cases such as OpenSSL package in FreeBSD[1], the legacy provider is not +installed intentionally. So, we omit a test depending the legacy provider if the +legacy provider is not loadable. + +For the test_openssl_provider_names test, we use base provider[2] instead of +legacy provider, because we would expect the base provider is always loadable +in OpenSSL 3 for now. + +* [1] https://www.freshports.org/security/openssl/ +* [2] https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers + +https://github.com/ruby/openssl/commit/7223da7730 +--- + test/openssl/test_provider.rb | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/test/openssl/test_provider.rb b/test/openssl/test_provider.rb +index 7361a0e250..4e050b4bc2 100644 +--- a/test/openssl/test_provider.rb ++++ b/test/openssl/test_provider.rb +@@ -14,13 +14,13 @@ def test_openssl_provider_name_inspect + def test_openssl_provider_names + omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/ + with_openssl <<-'end;' +- legacy_provider = OpenSSL::Provider.load("legacy") ++ base_provider = OpenSSL::Provider.load("base") + assert_equal(2, OpenSSL::Provider.provider_names.size) +- assert_includes(OpenSSL::Provider.provider_names, "legacy") ++ assert_includes(OpenSSL::Provider.provider_names, "base") + +- assert_equal(true, legacy_provider.unload) ++ assert_equal(true, base_provider.unload) + assert_equal(1, OpenSSL::Provider.provider_names.size) +- assert_not_includes(OpenSSL::Provider.provider_names, "legacy") ++ assert_not_includes(OpenSSL::Provider.provider_names, "base") + end; + end + +@@ -36,7 +36,12 @@ def test_unloaded_openssl_provider + def test_openssl_legacy_provider + omit 'not working on freebsd RubyCI' if 
ENV['RUBYCI_NICKNAME'] =~ /freebsd/ + with_openssl(<<-'end;') +- OpenSSL::Provider.load("legacy") ++ begin ++ OpenSSL::Provider.load("legacy") ++ rescue OpenSSL::Provider::ProviderError ++ omit "Only for OpenSSL with legacy provider" ++ end ++ + algo = "RC4" + data = "a" * 1000 + key = OpenSSL::Random.random_bytes(16) diff --git a/ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch b/ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch new file mode 100644 index 0000000..19fff7d --- /dev/null +++ b/ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch 
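Review bot: Omitting on any `OpenSSL::Provider::ProviderError` turns a broken legacy-provider installation into a silent skip; on a build where the legacy module is expected to be present (this spec builds against the system OpenSSL), a wrong module directory or a damaged legacy.so would presumably no longer fail the suite. Consider carrying the underlying error in the omission and letting the environment demand the provider, e.g. `rescue OpenSSL::Provider::ProviderError => e` / `raise if ENV["OPENSSL_REQUIRE_LEGACY"]` / `omit "Only for OpenSSL with legacy provider (#{e.message})"`. test_openssl_legacy_provider continues beyond the hunk.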
@@ -0,0 +1,126 @@ +From 113727fa85749a9625838e378dcd4a749d40b0c5 Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Tue, 8 Apr 2025 15:03:06 +0200 +Subject: [PATCH] Fix the tests using SHA-1 Probabilistic Signature Scheme + (PSS) parameters. + +Fedora OpenSSL 3.5 on rawhide stopped accepting SHA-1 PSS[1] parameters. +This is different from the SHA-1 signatures which Fedora OpenSSL stopped +accepting since Fedora 41.[2] + +This commit fixes the following test failures related to the SHA-1 PSS +parameters with Fedora OpenSSL 3.5. +Note these failures are the downstream Fedora OpenSSL RPM specific. The tests +pass without this commit with the upstream OpenSSL 3.5. + +``` +$ rpm -q openssl-libs openssl-devel +openssl-libs-3.5.0-2.fc43.x86_64 +openssl-devel-3.5.0-2.fc43.x86_64 + +$ bundle exec rake test +... +E +=============================================================================================== +Error: test_sign_verify_options(OpenSSL::TestPKeyRSA): OpenSSL::PKey::PKeyError: EVP_PKEY_CTX_ctrl_str(ctx, "rsa_mgf1_md", "SHA1"): digest not allowed (digest=SHA1) +/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'Hash#each' +/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::PKey::PKey#sign' +/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::TestPKeyRSA#test_sign_verify_options' + 110: "rsa_pss_saltlen" => 20, + 111: "rsa_mgf1_md" => "SHA1" + 112: } + => 113: sig_pss = key.sign("SHA256", data, pssopts) + 114: assert_equal 256, sig_pss.bytesize + 115: assert_equal true, key.verify("SHA256", sig_pss, data, pssopts) + 116: assert_equal true, key.verify_pss("SHA256", sig_pss, data, +=============================================================================================== +E +=============================================================================================== +Error: test_sign_verify_pss(OpenSSL::TestPKeyRSA): OpenSSL::PKey::RSAError: digest not allowed (digest=SHA1) 
+/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::PKey::RSA#sign_pss' +/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::TestPKeyRSA#test_sign_verify_pss' + 188: data = "Sign me!" + 189: invalid_data = "Sign me?" + 190: + => 191: signature = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA1") + 192: assert_equal 256, signature.bytesize + 193: assert_equal true, + 194: key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA1") +=============================================================================================== +... +577 tests, 4186 assertions, 0 failures, 2 errors, 0 pendings, 3 omissions, 0 notifications +``` + +[1] https://en.wikipedia.org/wiki/Probabilistic_signature_scheme +[2] https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer +--- + test/openssl/test_pkey_rsa.rb | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb +index 61c55c60b2..9661cef419 100644 +--- a/test/openssl/test_pkey_rsa.rb ++++ b/test/openssl/test_pkey_rsa.rb +@@ -99,13 +99,13 @@ def test_sign_verify_options + pssopts = { + "rsa_padding_mode" => "pss", + "rsa_pss_saltlen" => 20, +- "rsa_mgf1_md" => "SHA1" ++ "rsa_mgf1_md" => "SHA256" + } + sig_pss = key.sign("SHA256", data, pssopts) + assert_equal 128, sig_pss.bytesize + assert_equal true, key.verify("SHA256", sig_pss, data, pssopts) + assert_equal true, key.verify_pss("SHA256", sig_pss, data, +- salt_length: 20, mgf1_hash: "SHA1") ++ salt_length: 20, mgf1_hash: "SHA256") + # Defaults to PKCS #1 v1.5 padding => verification failure + assert_equal false, key.verify("SHA256", sig_pss, data) + +@@ -179,31 +179,31 @@ def test_sign_verify_pss + data = "Sign me!" + invalid_data = "Sign me?" 
+ +- signature = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA1") ++ signature = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA256") + assert_equal 128, signature.bytesize + assert_equal true, +- key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA1") ++ key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA256") + assert_equal true, +- key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA1") ++ key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA256") + assert_equal false, +- key.verify_pss("SHA256", signature, invalid_data, salt_length: 20, mgf1_hash: "SHA1") ++ key.verify_pss("SHA256", signature, invalid_data, salt_length: 20, mgf1_hash: "SHA256") + +- signature = key.sign_pss("SHA256", data, salt_length: :digest, mgf1_hash: "SHA1") ++ signature = key.sign_pss("SHA256", data, salt_length: :digest, mgf1_hash: "SHA256") + assert_equal true, +- key.verify_pss("SHA256", signature, data, salt_length: 32, mgf1_hash: "SHA1") ++ key.verify_pss("SHA256", signature, data, salt_length: 32, mgf1_hash: "SHA256") + assert_equal true, +- key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA1") ++ key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA256") + assert_equal false, +- key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA1") ++ key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA256") + +- signature = key.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA1") ++ signature = key.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA256") + assert_equal true, +- key.verify_pss("SHA256", signature, data, salt_length: 94, mgf1_hash: "SHA1") ++ key.verify_pss("SHA256", signature, data, salt_length: 94, mgf1_hash: "SHA256") + assert_equal true, +- key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA1") ++ 
key.verify_pss("SHA256", signature, data, salt_length: :auto, mgf1_hash: "SHA256") + + assert_raise(OpenSSL::PKey::RSAError) { +- key.sign_pss("SHA256", data, salt_length: 95, mgf1_hash: "SHA1") ++ key.sign_pss("SHA256", data, salt_length: 95, mgf1_hash: "SHA256") + } + end + +-- +2.48.1 + diff --git a/ruby.spec b/ruby.spec index e2256f0..3905a8d 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %global major_version 3 %global minor_version 3 -%global teeny_version 7 +%global teeny_version 8 %global major_minor_version %{major_version}.%{minor_version} %global ruby_version %{major_minor_version}.%{teeny_version} @@ -52,7 +52,7 @@ %global abbrev_version 0.1.2 %global base64_version 0.2.0 %global benchmark_version 0.3.0 -%global cgi_version 0.4.1 +%global cgi_version 0.4.2 %global csv_version 3.2.8 %global date_version 3.3.4 %global delegate_version 0.3.1 @@ -107,7 +107,7 @@ %global tmpdir_version 0.2.0 %global tsort_version 0.2.0 %global un_version 0.3.0 -%global uri_version 0.13.1 +%global uri_version 0.13.2 %global weakref_version 0.1.3 %global win32ole_version 1.8.10 %global yaml_version 0.3.0 @@ -125,9 +125,9 @@ # Bundled gems. %global debug_version 1.9.2 %global net_ftp_version 0.3.4 -%global net_imap_version 0.4.9.1 +%global net_imap_version 0.4.19 %global net_pop_version 0.1.2 -%global net_smtp_version 0.4.0.1 +%global net_smtp_version 0.5.1 %global matrix_version 0.4.2 %global minitest_version 5.20.0 %global power_assert_version 2.0.3 @@ -173,7 +173,7 @@ Summary: An interpreter of object-oriented scripting language Name: ruby Version: %{ruby_version}%{?development_release} -Release: 9%{?dist} +Release: 10%{?dist} # Licenses, which are likely not included in binary RPMs: # Apache-2.0: # benchmark/gc/redblack.rb 
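Review bot: Replacing every `mgf1_hash: "SHA1"` with `"SHA256"` removes the only coverage where the MGF1 digest differs from the signing digest; since OpenSSL defaults MGF1 to the signing digest, a regression that ignored `rsa_mgf1_md`/`mgf1_hash` would now pass these tests unnoticed. Using a distinct but still-accepted digest, e.g. `mgf1_hash: "SHA384"` and `"rsa_mgf1_md" => "SHA384"` in test_sign_verify_options, keeps that distinction; the fixed salt lengths 20, 32 and 94 follow from the 1024-bit key and the SHA-256 signing digest rather than the MGF1 digest, so they should remain valid, but this is worth confirming by running the suite. A short comment above the pssopts hash would also help future maintainers, e.g. `# Fedora/RHEL OpenSSL rejects SHA-1 as a PSS/MGF1 digest, so use a SHA-2 digest here.`. Both test methods extend beyond the hunk.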
@@ -190,7 +190,7 @@ Release: 9%{?dist} # https://github.com/flori/json/pull/567 # # Licenses under review: -# .bundle/gems/net-imap-0.4.9/LICENSE.txt +# .bundle/gems/net-imap-0.4.19/LICENSE.txt # https://gitlab.com/fedora/legal/fedora-license-data/-/issues/506 # # BSD-3-Clause: missing/{crypt,mt19937,setproctitle}.c, addr2line.c:2652 @@ -285,6 +285,17 @@ Patch12: ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.p # https://github.com/ruby/openssl/pull/710 # https://github.com/ruby/ruby/commit/6213ab1a51387fd9cdcb5e87908722f3bbdf78cb Patch13: ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch +# test_provider.rb: Make a legacy provider test optional. +# https://github.com/ruby/openssl/pull/721 +# https://github.com/ruby/ruby/commit/eb4082284aace391a16a389a70eeaf1e7db5c542 +Patch14: ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch +# Fix test_provider.rb in FIPS. +# https://github.com/ruby/openssl/pull/794 +# https://github.com/ruby/ruby/commit/ad742de79bcce53290005429868f63c51cbeb0f2 +Patch15: ruby-3.4.0-openssl-fix-test-provider-in-fips.patch +# Fix the tests using SHA-1 Probabilistic Signature Scheme (PSS) parameters. +# https://github.com/ruby/openssl/pull/879 +Patch16: ruby-3.4.2-openssl-Fix-SHA-1-PSS-tests.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} %{?with_rubypick:Suggests: rubypick} @@ -303,6 +314,11 @@ BuildRequires: zlib-devel %{?with_gmp:BuildRequires: gmp-devel} %{?with_systemtap:BuildRequires: %{_bindir}/dtrace} %{?with_systemtap:BuildRequires: systemtap-sdt-devel} +# Despite pulling what we'd expect to need, there is a missing dependency +# in systemtap, where pulling in %%{_bindir}/dtrace does not pull in also +# the python3-pyparsing package that is required for full functionality. +# Workaround: RHEL-86248 +%{?with_systemtap:BuildRequires: python3-pyparsing} %{?with_yjit:BuildRequires: %{_bindir}/rustc} # Install section 
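Review bot: The Patch16 comment cites only the ruby/openssl pull request, whereas Patch13–15 each also record the ruby/ruby commit that landed the change; if PR 879 had not been merged when this was taken, state that so a future rebase knows whether the patch can be dropped, e.g. `# Pending upstream; needed because the downstream Fedora/RHEL OpenSSL 3.5 rejects SHA-1 as a PSS/MGF1 digest.`. The patch description explains that the failure is specific to the downstream OpenSSL build, but the spec does not, and that is the fact a maintainer needs when deciding to keep or remove it.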
@@ -766,6 +782,9 @@ analysis result in RBS format, a standard type description format for Ruby %patch 9 -p1 %patch 12 -p1 %patch 13 -p1 +%patch 14 -p1 +%patch 15 -p1 +%patch 16 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1613,12 +1632,15 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \ # net-imap %dir %{gem_instdir net-imap} %{gem_instdir net-imap}/Gemfile +%license %{gem_instdir net-imap}/BSDL +%license %{gem_instdir net-imap}/COPYING %license %{gem_instdir net-imap}/LICENSE.txt %doc %{gem_instdir net-imap}/README.md %{gem_instdir net-imap}/Rakefile %{gem_instdir net-imap}/docs %{gem_libdir net-imap} %{gem_instdir net-imap}/rakelib +%{gem_instdir net-imap}/sample %{gem_spec net-imap} # net-pop @@ -1768,6 +1790,14 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \ %changelog +* Mon Apr 14 2025 Jarek Prokop - 3.3.8-10 +- Upgrade to Ruby 3.3.8. + Resolves: RHEL-87342 +- Fix Net::IMAP vulnerable to possible DoS by memory exhaustion. (CVE-2025-25186) +- Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219) + Resolves: RHEL-86116 +- Fix userinfo leakage in URI#join, URI#merge and URI#+. (CVE-2025-27221) + * Thu Jan 30 2025 Jun Aruga - 3.3.7-9 - Upgrade to Ruby 3.3.7 Resolves: RHEL-77994 diff --git a/sources b/sources index 0b5c71a..a0dfe11 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (ruby-3.3.7.tar.xz) = 4082a7684c1b0d53a0ce493f79568e851d37a864f59c58b2e0c273b2659e0ca75318ddff939fdf5e9d0a3eeba1b6d8f03bf88afb49a5ffd77714f1c8a7dfdd55 +SHA512 (ruby-3.3.8.tar.xz) = 71c2f3ac9955e088fa885fd2ff695e67362a770a5d33e5160081eda3dd298ca2c692e299b03d757caecfbc94043fedc4ad093de84c505585d480cb36bbf978b9
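Review bot: `%{gem_instdir net-imap}/sample` is listed as a plain installed path, which ships what are presumably example scripts into the runtime package next to the library code; if they are examples only they belong under `%doc` (or should be `%exclude`d), and if any are executable their shebangs and permissions should be reviewed first. Separately, now that BSDL and COPYING are installed via `%license`, the `# Licenses under review:` comment pointing at net-imap's LICENSE.txt in the header hunk may be stale, so the license tag is worth re-checking against the 0.4.19 files.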