Upgrade to Ruby 4.0.3.

Fix ERB: Arbitrary code execution via deserialization bypass (CVE-2026-41316) Resolves: RHEL-170911 Resolves: RHEL-170933
2026-04-28 17:09:54 +02:00 · 2026-04-28 17:09:54 +02:00 · 745dd99857
commit 745dd99857
parent a04fe22d88
2 changed files with 18 additions and 12 deletions
--- a/ruby4.0.spec
+++ b/ruby4.0.spec
@ -1,6 +1,6 @@
 %global major_version 4
 %global minor_version 0
-%global teeny_version 1
+%global teeny_version 3
 %global major_minor_version %{major_version}.%{minor_version}

 %global ruby_version %{major_minor_version}.%{teeny_version}
@ -37,19 +37,19 @@
 ## BUNDLED_GEMS_VERSIONS

 # Bundled libraries versions
-%global rubygems_version 4.0.3
+%global rubygems_version 4.0.6
 %global rubygems_molinillo_version 0.8.0
 %global rubygems_net_http_version 0.7.0
 %global rubygems_net_protocol_version 0.2.2
 %global rubygems_optparse_version 0.8.0
-%global rubygems_resolv_version 0.6.2
+%global rubygems_resolv_version 0.7.0
 %global rubygems_securerandom_version 0.4.1
 %global rubygems_timeout_version 0.4.4
 %global rubygems_tsort_version 0.2.0
 %global rubygems_uri_version 1.1.1

 # Default gems.
-%global bundler_version 4.0.3
+%global bundler_version 4.0.6
 %global bundler_connection_pool_version 2.5.4
 %global bundler_fileutils_version 1.8.0
 %global bundler_net_http_persistent_version 4.0.6
@ -64,7 +64,7 @@
 %global did_you_mean_version 2.0.0
 %global digest_version 3.2.1
 %global english_version 0.8.1
-%global erb_version 6.0.1
+%global erb_version 6.0.1.1
 %global error_highlight_version 0.7.1
 %global etc_version 1.4.6
 %global fcntl_version 1.3.0
@ -84,7 +84,7 @@
 %global optparse_version 0.8.1
 %global pp_version 0.6.3
 %global prettyprint_version 0.2.0
-%global prism_version 1.8.0
+%global prism_version 1.8.1
 %global psych_version 5.3.1
 %global resolv_version 0.7.0
 %global ruby2_keywords_version 0.0.5
@ -93,7 +93,7 @@
 %global singleton_version 0.3.0
 %global stringio_version 3.2.0
 %global strscan_version 3.1.6
-%global syntax_suggest_version 2.0.2
+%global syntax_suggest_version 2.0.3
 %global tempfile_version 0.3.1
 %global time_version 0.4.2
 %global timeout_version 0.6.0
@ -104,7 +104,7 @@
 %global weakref_version 0.1.4
 %global win32_registry_version 0.1.2
 %global yaml_version 0.4.0
-%global zlib_version 3.2.2
+%global zlib_version 3.2.3

 # Bundled gems.
 %global abbrev_version 0.1.2
@ -130,7 +130,7 @@
 %global ostruct_version 0.6.3
 %global power_assert_version 3.0.1
 %global prime_version 0.1.4
-%global pstore_version 0.2.0
+%global pstore_version 0.2.1
 %global racc_version 1.8.1
 %global rake_version 13.3.1
 %global rbs_version 3.10.0
@ -202,7 +202,7 @@
 Summary: An interpreter of object-oriented scripting language
 Name: ruby4.0
 Version: %{ruby_version}%{?development_release}
-Release: 33%{?dist}
+Release: 34%{?dist}
 # Licenses, which are likely not included in binary RPMs:
 # Apache-2.0:
 #   benchmark/gc/redblack.rb
@ -1624,7 +1624,6 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \

 %files doc -f .ruby-doc.en -f .ruby-doc.ja
 %doc README.md
-%doc ChangeLog
 %{?with_systemtap:%doc ruby-exercise.stp}
 %{_datadir}/ri

@ -1640,6 +1639,13 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 %{_libdir}/pkgconfig/%{pkgname}-%{major_minor_version}.pc

 %changelog
+* Wed Apr 29 2026 Tomas Juhasz <tjuhasz@redhat.com> - 4.0.3-34
+- Upgrade to Ruby 4.0.3.
+  Resolves: RHEL-170933
+- Fix ERB: Arbitrary code execution via deserialization bypass
+ (CVE-2026-41316)
+  Resolves: RHEL-170911
+
 * Thu Feb 05 2026 Jarek Prokop <jprokop@redhat.com> - 4.0.1-33
 - Initial package.
  Resolves: RHEL-133550
--- a/2
+++ b/2
@ -1,3 +1,3 @@
-SHA512 (ruby-4.0.1.tar.xz) = b67d9d1f97ba30200d103f8454e39dc2d0450819d51d91eb5451d44b0bafc56d2fa48bb1be6c5081babe5828f679984bad02b9bcee7441f6bd34c0a95b8f200b
 SHA512 (mysql2-0.5.7.gem) = 6a2dfbb5ff11ee0f1649ab380e7ef57bd9771e5309f76616f4b6d9688ebfc1fdd60dec61a00e3847d2f7159710b78770faae795b1ed2b05eb5c8554ba3c5a6f6
 SHA512 (pg-1.6.3.gem) = 5864a5b0983cf31b1ba2e4329723aa539c0e16162a32e6ed09b49af47a0f603b2fd6549f46e76cba3263f37b3ef22272f729c6c1d11cab92140c33768edeca1b
+SHA512 (ruby-4.0.3.tar.xz) = 5816fb264ce76df59f4bfe0cadceb45025fada2e61f2c14024d6b03f63d304820cddf94afcf82a4951fd12f3b0d9148683f856f3f2245d56042fc8407b6cbff5