Upgrade to Ruby 3.3.10.

- Fix possible denial of service in resolv gem (CVE-2025-24294)
- Fix URI Credential Leakage Bypass previous fixes. (CVE-2025-61594)
- Fix REXML denial of service. (CVE-2025-58767)

Resolves: RHEL-130160
Resolves: RHEL-122028

ruby-2.1.0-Enable-configuration-of-archlibdir.patch

@@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
 index d261ea57b5..3c13076b82 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3482,6 +3482,11 @@ AS_IF([test ${multiarch+set}], [
+@@ -3480,6 +3480,11 @@ AS_IF([test ${multiarch+set}], [
  ])
  
  archlibdir='${libdir}/${arch}'

ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch

@@ -14,7 +14,7 @@ diff --git a/configure.ac b/configure.ac
 index c42436c23d..d261ea57b5 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4321,7 +4321,8 @@ AS_CASE(["$ruby_version_dir_name"],
+@@ -4319,7 +4319,8 @@ AS_CASE(["$ruby_version_dir_name"],
  ruby_version_dir=/'${ruby_version_dir_name}'
  
  if test -z "${ruby_version_dir_name}"; then

ruby-2.1.0-always-use-i386.patch

@@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
 index 3c13076b82..93af30321d 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4385,6 +4385,8 @@ AC_SUBST(vendorarchdir)dnl
+@@ -4383,6 +4383,8 @@ AC_SUBST(vendorarchdir)dnl
  AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
  AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl
  

ruby-2.1.0-custom-rubygems-location.patch

@@ -15,7 +15,7 @@ diff --git a/configure.ac b/configure.ac
 index 93af30321d..bc13397e0e 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4357,6 +4357,10 @@ AC_ARG_WITH(vendorarchdir,
+@@ -4355,6 +4355,10 @@ AC_ARG_WITH(vendorarchdir,
              [vendorarchdir=$withval],
              [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}])
  
@@ -26,7 +26,7 @@ index 93af30321d..bc13397e0e 100644
  AS_IF([test "${LOAD_RELATIVE+set}"], [
      AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
      RUBY_EXEC_PREFIX=''
-@@ -4381,6 +4385,7 @@ AC_SUBST(sitearchdir)dnl
+@@ -4379,6 +4383,7 @@ AC_SUBST(sitearchdir)dnl
  AC_SUBST(vendordir)dnl
  AC_SUBST(vendorlibdir)dnl
  AC_SUBST(vendorarchdir)dnl

ruby-2.3.0-ruby_version.patch

@@ -20,7 +20,7 @@ diff --git a/configure.ac b/configure.ac
 index 80b137e380..63cd3b4f8b 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4271,9 +4271,6 @@ AS_CASE(["$target_os"],
+@@ -4269,9 +4269,6 @@ AS_CASE(["$target_os"],
      rubyw_install_name='$(RUBYW_INSTALL_NAME)'
      ])
  
@@ -30,7 +30,7 @@ index 80b137e380..63cd3b4f8b 100644
  rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'}
  AC_ARG_WITH(rubyarchprefix,
  	    AS_HELP_STRING([--with-rubyarchprefix=DIR],
-@@ -4296,57 +4293,63 @@ AC_ARG_WITH(ridir,
+@@ -4294,57 +4291,63 @@ AC_ARG_WITH(ridir,
  AC_SUBST(ridir)
  AC_SUBST(RI_BASE_NAME)
  
@@ -122,7 +122,7 @@ index 80b137e380..63cd3b4f8b 100644
  
  AS_IF([test "${LOAD_RELATIVE+set}"], [
      AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
-@@ -4363,6 +4366,7 @@ AC_SUBST(sitearchincludedir)dnl
+@@ -4361,6 +4364,7 @@ AC_SUBST(sitearchincludedir)dnl
  AC_SUBST(arch)dnl
  AC_SUBST(sitearch)dnl
  AC_SUBST(ruby_version)dnl

ruby-3.3.0-Disable-syntax-suggest-test-case.patch

@@ -12,7 +12,7 @@ diff --git a/common.mk b/common.mk
 index d55d1788aa..73755f6ccd 100644
 --- a/common.mk
 +++ b/common.mk
-@@ -1601,8 +1601,6 @@ yes-test-syntax-suggest: $(PREPARE_SYNTAX_SUGGEST)
+@@ -1607,8 +1607,6 @@ yes-test-syntax-suggest: $(PREPARE_SYNTAX_SUGGEST)
  	$(ACTIONS_ENDGROUP)
  no-test-syntax-suggest:
  

ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.patch

@@ -171,7 +171,7 @@ index f35fad6a362611..0da15772d36671 100644
  AC_CACHE_CHECK([whether compiler has statement and declarations in expressions],
    rb_cv_have_stmt_and_decl_in_expr,
    [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[ __extension__ ({ int a = 0; a; }); ]])],
-@@ -4215,12 +4272,13 @@ AS_IF([test "${ARCH_FLAG}"], [
+@@ -4213,12 +4270,13 @@ AS_IF([test "${ARCH_FLAG}"], [
  rb_cv_warnflags=`echo "$rb_cv_warnflags" | sed 's/^ *//;s/ *$//'`
  warnflags="$rb_cv_warnflags"
  AC_SUBST(cppflags)dnl
@@ -186,7 +186,7 @@ index f35fad6a362611..0da15772d36671 100644
  AC_SUBST(XCFLAGS)dnl
  AC_SUBST(XLDFLAGS)dnl
  AC_SUBST(EXTLDFLAGS)dnl
-@@ -4688,6 +4746,7 @@ config_summary "DLDFLAGS"            "$DLDFLAGS"
+@@ -4686,6 +4744,7 @@ config_summary "DLDFLAGS"            "$DLDFLAGS"
  config_summary "optflags"            "$optflags"
  config_summary "debugflags"          "$debugflags"
  config_summary "warnflags"           "$warnflags"
@@ -255,7 +255,7 @@ diff --git a/template/Makefile.in b/template/Makefile.in
 index 033ac56cb38886..abb4469777ce8a 100644
 --- a/template/Makefile.in
 +++ b/template/Makefile.in
-@@ -89,6 +89,7 @@ cflags = @cflags@
+@@ -90,6 +90,7 @@ cflags = @cflags@
  optflags = @optflags@
  debugflags = @debugflags@
  warnflags = @warnflags@ @strict_warnflags@

ruby-3.4.0-openssl-fix-test-provider-in-fips.patch

@@ -20,10 +20,10 @@ index 4e050b4bc2..e27968602a 100644
  
  class OpenSSL::TestProvider < OpenSSL::TestCase
    def test_openssl_provider_name_inspect
-@@ -13,14 +13,22 @@ def test_openssl_provider_name_inspect
+@@ -12,14 +12,22 @@ def test_openssl_provider_name_inspect
+   end
  
    def test_openssl_provider_names
-     omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
 +    # We expect the following providers are loaded in the cases:
 +    # * Non-FIPS: default
 +    # * FIPS: fips, base
@@ -49,10 +49,10 @@ index 4e050b4bc2..e27968602a 100644
      end;
    end
  
-@@ -35,6 +43,9 @@ def test_unloaded_openssl_provider
+@@ -33,6 +41,9 @@ def test_unloaded_openssl_provider
+   end
  
    def test_openssl_legacy_provider
-     omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
 +    # The legacy provider is not supported on FIPS.
 +    omit_on_fips
 +

ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch

@@ -1,58 +0,0 @@
-From 02c40367d918d3bc42098e1fcfe0c822319f4d37 Mon Sep 17 00:00:00 2001
-From: Jun Aruga <jaruga@redhat.com>
-Date: Thu, 8 Feb 2024 18:53:32 +0100
-Subject: [PATCH] [ruby/openssl] test_provider.rb: Make a legacy provider test
- optional.
-
-In some cases such as OpenSSL package in FreeBSD[1], the legacy provider is not
-installed intentionally. So, we omit a test depending the legacy provider if the
-legacy provider is not loadable.
-
-For the test_openssl_provider_names test, we use base provider[2] instead of
-legacy provider, because we would expect the base provider is always loadable
-in OpenSSL 3 for now.
-
-* [1] https://www.freshports.org/security/openssl/
-* [2] https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
-
-https://github.com/ruby/openssl/commit/7223da7730
----
- test/openssl/test_provider.rb | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/test/openssl/test_provider.rb b/test/openssl/test_provider.rb
-index 7361a0e250..4e050b4bc2 100644
---- a/test/openssl/test_provider.rb
-+++ b/test/openssl/test_provider.rb
-@@ -14,13 +14,13 @@ def test_openssl_provider_name_inspect
-   def test_openssl_provider_names
-     omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
-     with_openssl <<-'end;'
--      legacy_provider = OpenSSL::Provider.load("legacy")
-+      base_provider = OpenSSL::Provider.load("base")
-       assert_equal(2, OpenSSL::Provider.provider_names.size)
--      assert_includes(OpenSSL::Provider.provider_names, "legacy")
-+      assert_includes(OpenSSL::Provider.provider_names, "base")
- 
--      assert_equal(true, legacy_provider.unload)
-+      assert_equal(true, base_provider.unload)
-       assert_equal(1, OpenSSL::Provider.provider_names.size)
--      assert_not_includes(OpenSSL::Provider.provider_names, "legacy")
-+      assert_not_includes(OpenSSL::Provider.provider_names, "base")
-     end;
-   end
- 
-@@ -36,7 +36,12 @@ def test_unloaded_openssl_provider
-   def test_openssl_legacy_provider
-     omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
-     with_openssl(<<-'end;')
--      OpenSSL::Provider.load("legacy")
-+      begin
-+        OpenSSL::Provider.load("legacy")
-+      rescue OpenSSL::Provider::ProviderError
-+        omit "Only for OpenSSL with legacy provider"
-+      end
-+
-       algo = "RC4"
-       data = "a" * 1000
-       key = OpenSSL::Random.random_bytes(16)

ruby.spec

@@ -1,6 +1,6 @@
 %global major_version 3
 %global minor_version 3
-%global teeny_version 8
+%global teeny_version 10
 %global major_minor_version %{major_version}.%{minor_version}
 
 %global ruby_version %{major_minor_version}.%{teeny_version}
@@ -79,7 +79,7 @@
 %global nkf_version 0.1.3
 %global observer_version 0.1.2
 %global open3_version 0.2.1
-%global openssl_version 3.2.0
+%global openssl_version 3.2.2
 %global open_uri_version 0.4.1
 %global optparse_version 0.4.0
 %global ostruct_version 0.6.0
@@ -89,7 +89,7 @@
 %global pstore_version 0.1.3
 %global readline_version 0.0.4
 %global reline_version 0.5.10
-%global resolv_version 0.3.0
+%global resolv_version 0.3.1
 %global resolv_replace_version 0.1.1
 %global rinda_version 0.2.0
 %global ruby2_keywords_version 0.0.5
@@ -107,7 +107,7 @@
 %global tmpdir_version 0.2.0
 %global tsort_version 0.2.0
 %global un_version 0.3.0
-%global uri_version 0.13.2
+%global uri_version 0.13.3
 %global weakref_version 0.1.3
 %global win32ole_version 1.8.10
 %global yaml_version 0.3.0
@@ -125,7 +125,7 @@
 # Bundled gems.
 %global debug_version 1.9.2
 %global net_ftp_version 0.3.4
-%global net_imap_version 0.4.19
+%global net_imap_version 0.4.21
 %global net_pop_version 0.1.2
 %global net_smtp_version 0.5.1
 %global matrix_version 0.4.2
@@ -135,7 +135,7 @@
 %global racc_version 1.7.3
 %global rake_version 13.1.0
 %global rbs_version 3.4.0
-%global rexml_version 3.3.9
+%global rexml_version 3.4.4
 %global rss_version 0.3.1
 %global test_unit_version 3.6.1
 %global typeprof_version 0.21.9
@@ -173,7 +173,7 @@
 Summary: An interpreter of object-oriented scripting language
 Name: ruby
 Version: %{ruby_version}%{?development_release}
-Release: 10%{?dist}
+Release: 11%{?dist}
 # Licenses, which are likely not included in binary RPMs:
 # Apache-2.0:
 #   benchmark/gc/redblack.rb
@@ -285,10 +285,6 @@ Patch12: ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.p
 # https://github.com/ruby/openssl/pull/710
 # https://github.com/ruby/ruby/commit/6213ab1a51387fd9cdcb5e87908722f3bbdf78cb
 Patch13: ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch
-# test_provider.rb: Make a legacy provider test optional.
-# https://github.com/ruby/openssl/pull/721
-# https://github.com/ruby/ruby/commit/eb4082284aace391a16a389a70eeaf1e7db5c542
-Patch14: ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch
 # Fix test_provider.rb in FIPS.
 # https://github.com/ruby/openssl/pull/794
 # https://github.com/ruby/ruby/commit/ad742de79bcce53290005429868f63c51cbeb0f2
@@ -782,7 +778,6 @@ analysis result in RBS format, a standard type description format for Ruby
 %patch 9 -p1
 %patch 12 -p1
 %patch 13 -p1
-%patch 14 -p1
 %patch 15 -p1
 %patch 16 -p1
 
@@ -1790,6 +1785,14 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 
 
 %changelog
+* Thu Nov 13 2025 Jun Aruga <jaruga@redhat.com> - 3.3.10-11
+- Upgrade to Ruby 3.3.10.
+  Resolves: RHEL-130160
+- Fix possible denial of service in resolv gem (CVE-2025-24294)
+- Fix URI Credential Leakage Bypass previous fixes. (CVE-2025-61594)
+- Fix REXML denial of service. (CVE-2025-58767)
+  Resolves: RHEL-122028
+
 * Mon Apr 14 2025 Jarek Prokop <jprokop@redhat.com> - 3.3.8-10
 - Upgrade to Ruby 3.3.8.
   Resolves: RHEL-87342

sources

@@ -1 +1 @@
-SHA512 (ruby-3.3.8.tar.xz) = 71c2f3ac9955e088fa885fd2ff695e67362a770a5d33e5160081eda3dd298ca2c692e299b03d757caecfbc94043fedc4ad093de84c505585d480cb36bbf978b9
+SHA512 (ruby-3.3.10.tar.xz) = 8b81cab7b98acb6ff7bdf864da5e97596ee1efa441e2a65991e12a7e3f3ad3d83b1b5c65ae108484252ec8f6d85db60eb381a174c759023beb202b5a0d20818a