Commit Graph

12 Commits

Author SHA1 Message Date
Jarek Prokop
3a6a1691ce Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755.
Fix for CVE-2023-36617.

616926b55e

Resolves: RHEL-5614
2024-06-17 19:29:34 +02:00
Jarek Prokop
4485ba4edc Renew test certificates for net-http tests.
Patch picked from Fedora commit:
05a6c9c8f3

Related: RHEL-5614
2024-06-17 19:28:51 +02:00
Jarek Prokop
73cefa374b Fix ReDoS vulnerability in Time.
Do not include the test case, as assert_linear_time was introduced in Ruby 2.7.
Backported from: Ruby 2.7.8
Backported from the following commits:
2cb830602f
e3f18f7d2e

Resolves: CVE-2023-28756
2023-06-26 13:41:10 +02:00
Jarek Prokop
838b4276a7 Fix ReDoS vulnerability in URI.
This patch was backported from Ruby 2.7.8.
Backported from:
<6855779d58>

Resolves: CVE-2023-28755
2023-06-26 13:41:10 +02:00
Jarek Prokop
446d49ffd1 Fix buffer overrun in String-to-Float conversion.
Backported from upstream Ruby 2.6.10:
<69f9992ed4>

Resolves: CVE-2022-28739
2023-06-26 13:41:10 +02:00
Jarek Prokop
064a52cca5 Let cookies use leading dot in the domain to retain compatibility.
After fixing CVE-2021-33621, the domain parameter regex does not accept a
leading dot. This is a behavior difference that this commit fixes.

5e09d632f3

Related: CVE-2021-33621
2023-06-26 13:40:21 +02:00
Jarek Prokop
070d6a38cc Fix HTTP response splitting in CGI.
Backported from upstream Ruby 2.7.7, commit:
<7cf697179d>

Test "CGICookieTest#test_cgi_cookie_new_with_domain" was adjusted to
deal with Ruby 2.5 not allowing String as key with double splat operator.

Resolves: CVE-2021-33621
2023-06-22 15:19:31 +02:00
Jarek Prokop
59f3e8c0e5 Fix Ruby test failures regarding tzdata and git.
The commit is a cherry-pick from Fedora Rawhide 79d75fdcdd.
The commit is a cherry-pick from Fedora Rawhide f8ef5964d0.

The purpose is to fix Build failures.

Related: rhbz#2210326
2023-06-22 15:18:50 +02:00
Todd Zullinger
1024e138f4 Fix rdoc parsing of nil text tokens.
With ruby < 2.6.0 / rdoc < 6.0.2, rdoc fails to parse valid ruby code,
resulting in spurious build failures.  An example is asciidoctor >
2.0.15 (though 2.0.20, currently)

While attempting to build asciidoctor-2.0.20 for Fedora and RHEL+EPEL
releases, the following error fails the build on RHEL+EPEL 8:

    Installing ri documentation for asciidoctor-2.0.20
    Installing darkfish documentation for asciidoctor-2.0.20
    ERROR:  While executing gem ... (RDoc::Error)
        error generating Asciidoctor/Converter/ManPageConverter.html:
        no implicit conversion of nil into String (TypeError)

Resolves: rhbz#2210326
2023-06-07 11:58:34 +02:00
Jarek Prokop
5eba2e7338 Fix import.
Reset the branch state due to improper import.
RHEL git ref that the branch was reset to
<8f03c99f75693fc49f7edd264b7d807fa9c61282>.

Summary of the updates:
* `.gitignore`
Restore looser rules for matching.
* `.gitlab/merge_request_templates/default.md`
Merge Request template file is picked up only from the main branch.
Therefore not needed for this branch.
* `ruby.rpmlintrc`
Was never present for the Ruby 2.5 module.
* `*.patch`
Delete patches wrongly imported from another repository.
* `gating.yaml`
Was never present for the Ruby 2.5 module.

Related: rhbz#2210326
2023-06-07 11:58:34 +02:00
James Antill
0973360d41 Import rpm: 6a79cc8230d437ba4c0e950842723d4d37ce3c11 2023-02-23 23:50:08 -05:00
James Antill
d3619c094f Import rpm: 6a79cc8230d437ba4c0e950842723d4d37ce3c11 2023-02-20 02:13:04 -05:00