- Fix possible denial of service in resolv gem (CVE-2025-24294)
- Fix URI Credential Leakage Bypass previous fixes. (CVE-2025-61594)
- Fix REXML denial of service. (CVE-2025-58767)
Resolves: RHEL-130160
Resolves: RHEL-122028
Fix Net::IMAP vulnerable to possible DoS by memory exhaustion. (CVE-2025-25186)
Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219)
Fix userinfo leakage in URI#join, URI#merge and URI#+. (CVE-2025-27221)
Resolves: RHEL-87342
Resolves: RHEL-86116
Fix DoS vulnerability in rexml.
(CVE-2024-39908)
(CVE-2024-41946)
(CVE-2024-43398)
Fix REXML DoS when parsing an XML having many specific characters such as
whitespace character, >] and ]>.
(CVE-2024-41123)
Upgrade by merging Fedora changes up to commit:
b7e197fb88
Exclude:
- Generate RPM dependencies with RPM 4.20 API
6bed1e3bd5
We don't have new enough RPM.
Resolves: RHEL-59035
Resolves: RHEL-57047
Resolves: RHEL-57059
Resolves: RHEL-57070
Resolves: RHEL-52802
- Fix command injection vulnerability in RDoc.
Resolves: CVE-2021-31799
- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host.
Resolves: CVE-2021-31810
- Fix StartTLS stripping vulnerability in Net::IMAP.
Resolves: CVE-2021-32066
- Fix dependencies of gems with explicit source installed from a different
source.
Resolves: CVE-2020-36327
* Extract RSS and REXML into separate subpackages, because they were moved from
default gems to bundled gems.
* Obsolete Net::Telnet and XMLRPC packages, because they were dropped from Ruby.
The detailed changelog leading to this release is preserved in
private-ruby-3.0 branch.
Move gemified xmlrpc into subpackage.
Move gemified openssl into subpackage.
Tk is removed from stdlib.
Extend 'gem_' macros for pre-release version support.
- Explicitly list RubyGems directories to avoid accidentaly packaged content.
- Split test-unit and power_assert gems into separate sub-packages.
- Drop libdb dependency in favor of gdbm.
