Commit Graph

7 Commits

Author SHA1 Message Date
Jun Aruga
3cd2ea3699 Upgrade to Ruby 3.0.7.
* Upgrade to Ruby 3.0.7.
  Resolves: RHEL-35740

The released Ruby 3.0.5 includes the following fix.

* Fix HTTP response splitting in CGI.
  Resolves: RHEL-35741

The released Ruby 3.0.6 includes the following fixes.

* Fix ReDoS vulnerability in URI.
  Resolves: RHEL-35742
* Fix ReDoS vulnerability in Time.
  Resolves: RHEL-35743

The released Ruby 3.0.7 includes the following fixes.

* Fix buffer overread vulnerability in StringIO.
  Resolves: RHEL-35744
* Fix RCE vulnerability with .rdoc_options in RDoc.
  Resolves: RHEL-35746
* Fix arbitrary memory address read vulnerability with Regex search.
  Resolves: RHEL-35747

Replaced the patch ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch
with the tiny patch ruby-ext-openssl-extconf.rb-ignore-OpenSSL-version-check.patch,
which does not use the reverse logic, because it was hard to maintain the patch file
when the included file was updated upstream.

Added the following patches.
* Fix net-http test errors due to expired certificate.
  The patch ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch was copied
  from the part on Fedora rawhide
  <05a6c9c8f3>.
* Fix `TestNetHTTPS#test_session_reuse_but_expire` test failure cause.
  The patch ruby-3.3.1-Fix-test-session-reuse-but-expire.patch was copied from
  the part on Fedora rawhide
  <a34f33bc50>.
  As a reference, the part comes from the Fedora ruby-3.3 branch
  <99d21ecc4c>.
2024-05-13 14:23:34 +02:00
Jarek Prokop
d83966b8b8 Upgrade to ruby 3.0.4.
Sync branch with Fedora upstream (commit: 9209761).

This rebase also fixes the following CVEs:
Double free in Regexp compilation.
See <https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/>
for details.

Buffer overrun in String-to-Float conversion.
See <https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/>
for details.

Remove ruby-3.1.0-Fix-stack-buffer-overflow.patch.
The patch was backported and is now present in Ruby 3.0.4.

Resolves: rhbz#2096347
Resolves: CVE-2022-28738
Resolves: CVE-2022-28739
2022-08-02 11:42:55 +02:00
Vít Ondruch
89603e3d2f Upgrade to Ruby 3.0.3.
Resolves: rhbz#2049693
2022-02-11 13:52:42 +01:00
Jarek Prokop
772e294b42 Upgrade to Ruby 3.0.2.
- Fix command injection vulnerability in RDoc.
- Fix FTP PASV command response that can cause Net::FTP to connect to an arbitrary host.
- Fix StartTLS stripping vulnerability in Net::IMAP.
- Fix dependencies of gems with explicit source installed from a
  different source.

Resolves: CVE-2021-31810
Resolves: CVE-2021-32066
Resolves: CVE-2021-31799
Resolves: CVE-2020-36327
2021-08-19 16:24:35 +02:00
Pavel Valena
6d8853eef8 Sync with Rawhide.
Related: rhbz#1952925
2021-06-03 16:07:32 +02:00
DistroBaker
800f406961 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/ruby.git#9a03f61609a0da52a3292d03203ad1befdb1ef6b
2021-01-08 15:41:21 +00:00
Troy Dawson
17f011b0ca RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/ruby#be9961f6d007f12e7ac37b59800127a9d735c257
2020-10-14 21:55:41 -07:00