Upgrade to Ruby 2.7.8.

- Fix HTTP response splitting in CGI.
  Resolves: CVE-2021-33621
- Fix ReDoS vulnerability in URI.
  Resolves: CVE-2023-28755
- Fix ReDoS vulnerability in Time.
  Resolves: CVE-2023-28756

Resolves: rhbz#2149262
Jarek Prokop 2023-04-24 16:37:35 +02:00
parent 5657cec13b
commit e46f255532
10 changed files with 27 additions and 17 deletions


@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
index d261ea57b5..3c13076b82 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3121,6 +3121,11 @@ AS_IF([test ${multiarch+set}], [
@@ -3140,6 +3140,11 @@ AS_IF([test ${multiarch+set}], [
])
archlibdir='${libdir}/${arch}'


@ -14,7 +14,7 @@ diff --git a/configure.ac b/configure.ac
index c42436c23d..d261ea57b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3759,7 +3759,8 @@ AS_CASE(["$ruby_version_dir_name"],
@@ -3778,7 +3778,8 @@ AS_CASE(["$ruby_version_dir_name"],
ruby_version_dir=/'${ruby_version_dir_name}'
if test -z "${ruby_version_dir_name}"; then


@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
index 3c13076b82..93af30321d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3823,6 +3823,8 @@ AC_SUBST(vendorarchdir)dnl
@@ -3842,6 +3842,8 @@ AC_SUBST(vendorarchdir)dnl
AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl


@ -15,7 +15,7 @@ diff --git a/configure.ac b/configure.ac
index 93af30321d..bc13397e0e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3795,6 +3795,10 @@ AC_ARG_WITH(vendorarchdir,
@@ -3814,6 +3814,10 @@ AC_ARG_WITH(vendorarchdir,
[vendorarchdir=$withval],
[vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}])
@ -26,7 +26,7 @@ index 93af30321d..bc13397e0e 100644
AS_IF([test "${LOAD_RELATIVE+set}"], [
AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
RUBY_EXEC_PREFIX=''
@@ -3819,6 +3823,7 @@ AC_SUBST(sitearchdir)dnl
@@ -3838,6 +3842,7 @@ AC_SUBST(sitearchdir)dnl
AC_SUBST(vendordir)dnl
AC_SUBST(vendorlibdir)dnl
AC_SUBST(vendorarchdir)dnl


@ -20,7 +20,7 @@ diff --git a/configure.ac b/configure.ac
index 80b137e380..63cd3b4f8b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3710,9 +3710,6 @@ AS_CASE(["$target_os"],
@@ -3729,9 +3729,6 @@ AS_CASE(["$target_os"],
rubyw_install_name='$(RUBYW_INSTALL_NAME)'
])
@ -30,7 +30,7 @@ index 80b137e380..63cd3b4f8b 100644
rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'}
AC_ARG_WITH(rubyarchprefix,
AS_HELP_STRING([--with-rubyarchprefix=DIR],
@@ -3735,56 +3732,62 @@ AC_ARG_WITH(ridir,
@@ -3754,56 +3751,62 @@ AC_ARG_WITH(ridir,
AC_SUBST(ridir)
AC_SUBST(RI_BASE_NAME)
@ -120,7 +120,7 @@ index 80b137e380..63cd3b4f8b 100644
AS_IF([test "${LOAD_RELATIVE+set}"], [
AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
@@ -3801,6 +3804,7 @@ AC_SUBST(sitearchincludedir)dnl
@@ -3820,6 +3823,7 @@ AC_SUBST(sitearchincludedir)dnl
AC_SUBST(arch)dnl
AC_SUBST(sitearch)dnl
AC_SUBST(ruby_version)dnl


@ -57,7 +57,7 @@ diff --git a/ruby.c b/ruby.c
index 60c57d6259..1eec16f2c8 100644
--- a/ruby.c
+++ b/ruby.c
@@ -1451,10 +1451,14 @@ proc_options(long argc, char **argv, ruby_cmdline_options_t *opt, int envopt)
@@ -1463,10 +1463,14 @@ proc_options(long argc, char **argv, ruby_cmdline_options_t *opt, int envopt)
void Init_builtin_features(void);


@ -17,6 +17,6 @@ index 7c17cd54..f721f247 100644
spec.required_ruby_version = ">= 2.3.0"
- spec.add_runtime_dependency "ipaddr"
spec.add_development_dependency "rake"
spec.add_development_dependency "rake", ">= 11.2.0"
spec.add_development_dependency "rake-compiler"
spec.add_development_dependency "test-unit", "~> 3.0"


@ -12,7 +12,7 @@ diff --git a/test/fiddle/helper.rb b/test/fiddle/helper.rb
index f38f903..a6e2019 100644
--- a/test/fiddle/helper.rb
+++ b/test/fiddle/helper.rb
@@ -20,8 +20,8 @@
@@ -36,8 +36,8 @@
# 64-bit ruby
libdir = '/lib64' if File.directory? '/lib64'
end


@ -1,6 +1,6 @@
%global major_version 2
%global minor_version 7
%global teeny_version 6
%global teeny_version 8
%global major_minor_version %{major_version}.%{minor_version}
%global ruby_version %{major_minor_version}.%{teeny_version}
@ -22,7 +22,7 @@
%endif
%global release 138
%global release 139
%{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
# The RubyGems library has to stay out of Ruby directory tree, since the
@ -49,7 +49,7 @@
%global irb_version 1.2.6
%global json_version 2.3.0
%global net_telnet_version 0.2.0
%global openssl_version 2.1.3
%global openssl_version 2.1.4
%global psych_version 3.1.0
%global racc_version 1.4.16
%global rdoc_version 6.2.1.1
@ -1146,7 +1146,7 @@ MSPECOPTS="$MSPECOPTS -P 'File.utime allows Time instances in the far future to
%files default-gems
%{gem_dir}/specifications/default/benchmark-0.1.0.gemspec
%{gem_dir}/specifications/default/cgi-0.1.0.1.gemspec
%{gem_dir}/specifications/default/cgi-0.1.0.2.gemspec
%{gem_dir}/specifications/default/csv-3.1.2.gemspec
%{gem_dir}/specifications/default/date-3.0.3.gemspec
%{gem_dir}/specifications/default/dbm-1.1.0.gemspec
@ -1182,7 +1182,7 @@ MSPECOPTS="$MSPECOPTS -P 'File.utime allows Time instances in the far future to
%{gem_dir}/specifications/default/strscan-1.0.3.gemspec
%{gem_dir}/specifications/default/timeout-0.1.0.gemspec
%{gem_dir}/specifications/default/tracer-0.1.0.gemspec
%{gem_dir}/specifications/default/uri-0.10.0.gemspec
%{gem_dir}/specifications/default/uri-0.10.0.2.gemspec
%{gem_dir}/specifications/default/webrick-1.6.1.gemspec
%{gem_dir}/specifications/default/yaml-0.1.0.gemspec
%{gem_dir}/specifications/default/zlib-1.1.0.gemspec
@ -1298,6 +1298,16 @@ MSPECOPTS="$MSPECOPTS -P 'File.utime allows Time instances in the far future to
%changelog
* Tue Apr 25 2023 Jarek Prokop <jprokop@redhat.com> - 2.7.8-139
- Upgrade to Ruby 2.7.8.
Resolves: rhbz#2149262
- Fix HTTP response splitting in CGI.
Resolves: CVE-2021-33621
- Fix ReDoS vulnerability in URI.
Resolves: CVE-2023-28755
- Fix ReDoS vulnerability in Time.
Resolves: CVE-2023-28756
* Tue Jul 19 2022 Jarek Prokop <jprokop@redhat.com> - 2.7.6-138
- Upgrade to Ruby 2.7.6.
Resolves: rhbz#2109424


@ -1,2 +1,2 @@
SHA512 (ruby-2.7.6.tar.xz) = e86410b59d5917786fe43b00fd75dedd0e7f84611286b9274c542d2e562088fcee6bcc6c2596c30ccf793280d2bac6bfbb2619ef0513b3ca31f10f88684c7b1f
SHA512 (ruby-2.7.8.tar.xz) = 4b49dff3e1c2e79d914e10418e4c03026f5d4c137dc337f5c720fe26cb9fcdcf4afc6b7c967356cf5fbe04cc5ef431174c48a035becf3e2322c2c45d3c9b2f59
SHA512 (ruby-rubygems-bundler-v2.2.24.txz) = 5db5fd09ce62342677bcdff397b295e44a680006fca2149fa36e634d3073b6f1d36429ff016127075d272f967f4de355edfa37d4fbcdd4f4d55f485a13d177c9