Commit Graph

2 Commits

Author SHA1 Message Date
Jun Aruga
3cd2ea3699 Upgrade to Ruby 3.0.7.
* Upgrade to Ruby 3.0.7.
  Resolves: RHEL-35740

The released Ruby 3.0.5 includes the following fix.

* Fix HTTP response splitting in CGI.
  Resolves: RHEL-35741

The released Ruby 3.0.6 includes the following fixes.

* Fix ReDoS vulnerability in URI.
  Resolves: RHEL-35742
* Fix ReDoS vulnerability in Time.
  Resolves: RHEL-35743

The released Ruby 3.0.7 includes the following fixes.

* Fix buffer overread vulnerability in StringIO.
  Resolves: RHEL-35744
* Fix RCE vulnerability with .rdoc_options in RDoc.
  Resolves: RHEL-35746
* Fix arbitrary memory address read vulnerability with Regex search.
  Resolves: RHEL-35747

Replaced the patch ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch
with the tiny patch ruby-ext-openssl-extconf.rb-ignore-OpenSSL-version-check.patch
not using the reverse logic. Because it was hard to maintain the patch file,
when the included file was updated on the upstream.

Added the following patches.
* Fix net-http test errors due to expired certificate.
  The patch ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch was copied
  from the part on the Fedora rawhide
  <05a6c9c8f3>.
* Fix `TestNetHTTPS#test_session_reuse_but_expire` test failure cause.
  The patch ruby-3.3.1-Fix-test-session-reuse-but-expire.patch was copied from
  the part on Fedora rawhide
  <a34f33bc50>.
  As a reference, the part comes from Fedora ruby-3.3 branch
  <99d21ecc4c>.
2024-05-13 14:23:34 +02:00
Jarek Prokop
d83966b8b8 Upgrade to ruby 3.0.4.
Sync branch with Fedora upstream (commit: 9209761).

This rebase also fixes following CVEs:
Double free in Regexp compilation.
See <https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/>
for details.

Buffer overrun in String-to-Float conversion.
See <https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/>
for details.

Remove ruby-3.1.0-Fix-stack-buffer-overflow.patch.
The patch was backported and is now present in Ruby 3.0.4.

Resolves: rhbz#2096347
Resolves: CVE-2022-28738
Resolves: CVE-2022-28739
2022-08-02 11:42:55 +02:00