import UBI ruby4.0-4.0.3-34.el10_2

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,6 +1,3 @@
-/*/
-/ruby-*.tar.xz
-/*.rpm
-/mysql2-*.gem
-/pg-*.gem
-!/plans/
+mysql2-0.5.7.gem
+pg-1.6.3.gem
+ruby-4.0.3.tar.xz

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

plans/public.fmf

@@ -1,26 +0,0 @@
-summary: Public (CentOS) beakerlib tests
-
-adjust+:
-  - when: distro == centos-stream
-    because: Update all packages and reboot
-    discover+<:
-      - name: update-and-reboot
-        how: shell
-        tests:
-          - name: update
-            test: dnf update --refresh -y
-          - name: reboot
-            test: "[[ $TMT_REBOOT_COUNT == 0 ]] && tmt-reboot || echo Already rebooted"
-
-environment+:
-  RUBY: "ruby4.0"
-  GEM: "gem4.0"
-  BUNDLE: "bundle4.0"
-
-discover:
-  - name: centos
-    how: fmf
-    url: https://gitlab.com/redhat/centos-stream/tests/ruby
-    filter: 'component:ruby4.0'
-execute:
-    how: tmt

rpminspect.yaml

@@ -1,21 +0,0 @@
-badfuncs:
-  # Ruby implements the functionality for compatibility.
-  # Modern counterparts are also available and preferred.
-  allowed:
-    '/usr/lib*/ruby*/socket.so':
-      - gethostbyaddr
-      - gethostbyname
-
-patches:
-  # These patches are applied manually with the `patch` binary.
-  # The contents are unpacked with Ruby itself in %build.
-  # %build does not have %patch macros available for use.
-  ignore_list:
-    - rubygem-pg-1.3.0-remove-rpath.patch
-    - rubygem-mysql2-0.5.7-Disable-RPATH-completely-in-extconf.rb.patch
-
-rpmdeps:
-  ignore:
-    # The package will be pulled in transitively. Ruby takes care for the
-    # ABI compatibility in specific major.minor solib version.
-    requires: ^libruby.*\.so.*\(\)\(64bit\)$

ruby-4.0.3-Fix-a-format-string-injection-vulnerability.patch

@@ -14,9 +14,9 @@ index 8f9729ef28..a05c5e9657 100644
 --- a/ext/json/parser/parser.c
 +++ b/ext/json/parser/parser.c
 @@ -400,14 +400,9 @@ static void emit_parse_warning(const char *message, JSON_ParserState *state)
-
+ 
  #define PARSE_ERROR_FRAGMENT_LEN 32
-
+ 
 -#ifdef RBIMPL_ATTR_NORETURN
 -RBIMPL_ATTR_NORETURN()
 -#endif
@@ -26,7 +26,7 @@ index 8f9729ef28..a05c5e9657 100644
      unsigned char buffer[PARSE_ERROR_FRAGMENT_LEN + 3];
 -    long line, column;
 -    cursor_position(state, &line, &column);
-
+ 
      const char *ptr = "EOF";
      if (state->cursor && state->cursor < state->end) {
 @@ -442,11 +437,23 @@ static void raise_parse_error(const char *format, JSON_ParserState *state)
@@ -35,7 +35,7 @@ index 8f9729ef28..a05c5e9657 100644
      RB_GC_GUARD(msg);
 +    return message;
 +}
-
+ 
 +static VALUE parse_error_new(VALUE message, long line, long column)
 +{
      VALUE exc = rb_exc_new_str(rb_path2class("JSON::ParserError"), message);
@@ -52,12 +52,12 @@ index 8f9729ef28..a05c5e9657 100644
 +    VALUE message = build_parse_error_message(format, state, line, column);
 +    rb_exc_raise(parse_error_new(message, line, column));
  }
-
+ 
  #ifdef RBIMPL_ATTR_NORETURN
 @@ -896,6 +903,11 @@ static void raise_duplicate_key_error(JSON_ParserState *state, VALUE duplicate_k
          rb_inspect(duplicate_key)
      );
-
+ 
 +    long line, column;
 +    cursor_position(state, &line, &column);
 +    rb_str_concat(message, build_parse_error_message("", state, line, column)) ;
@@ -73,7 +73,7 @@ index ec9391909d..61ea35d1f9 100644
 @@ -411,6 +411,13 @@ def test_parse_duplicate_key
      end
    end
-
+ 
 +  def test_parse_duplicate_key_escape
 +    error = assert_raise(ParserError) do
 +      JSON.parse('{"%s%s%s%s":1,"%s%s%s%s":2}', allow_duplicate_key: false)

ruby.rpmlintrc

@@ -1,61 +0,0 @@
-# Keep matching patterns enough not to hide unintended errors and warnings.
-
-# There is no way to implement this with `%{SOURCE0}` without `%{_sourcedir}`.
-# The order in the .spec file could be possibly different.
-addFilter(r'ruby\.(spec|src):20: E: use-of-RPM_SOURCE_DIR$')
-
-# The used version is not obvious.
-addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-build_assert\)$')
-addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-check_type\)$')
-addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-container_of\)$')
-addFilter(r'ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-list\)$')
-
-# The template files do not have to have executable bits.
-addFilter(r'^rubygem-bundler\.noarch: E: non-executable-script /usr/share/gems/gems/bundler-[\d\.]+/lib/bundler/templates/[\w/\.]+ 644 /usr/bin/env ')
-
-# The bundled gem files permissions are overridden as 644 by `make install`.
-# https://bugs.ruby-lang.org/issues/17840
-# https://github.com/rubygems/rubygems/issues/5255
-# https://github.com/ruby/debug/pull/481
-# https://github.com/ruby/net-ftp/pull/12
-# https://github.com/ruby/net-imap/pull/53
-# https://github.com/ruby/net-pop/pull/7
-# https://github.com/ruby/prime/pull/16
-addFilter(r'^.*: E: non-executable-script /usr/share/gems/gems/(debug|net-(ftp|imap|pop)|prime)-[\d\.]+/bin/\w+ 644 ')
-
-# Ruby provides API to set the cipher list.
-addFilter(r'^ruby-libs\.\w+: W: crypto-policy-non-compliance-openssl /usr/lib(64)?/ruby/openssl.so SSL_CTX_set_cipher_list$')
-
-# `gethostbyname` is part of deprecated Ruby API. There is also request to drop the API altogether:
-# https://bugs.ruby-lang.org/issues/13097
-# https://bugs.ruby-lang.org/issues/17944
-addFilter(r'^ruby-libs\.\w+: W: binary-or-shlib-calls-gethostbyname /usr/lib(64)?/ruby/socket.so$')
-
-# Rake ships some examples.
-addFilter(r'^rubygem-rake.noarch: W: devel-file-in-non-devel-package /usr/share/gems/gems/rake-[\d\.]+/doc/example/\w+.c$')
-
-# Some executables don't have their manual pages. Is it worth of use help2man?
-addFilter(r'^.+: W: no-manual-page-for-binary (bundler|gem|racc|rbs|rdbg|rdoc|ruby-mri|syntax_suggest|typeprof)$')
-
-# Default gems does not come with any documentation.
-addFilter(r'^rubygem-(bigdecimal|io-console|json|psych)\.\w+: W: no-documentation$')
-
-# rubygems-devel ships only RPM macros and generators. Their placement is given
-# by RPM and can't be modified.
-addFilter(r'rubygems-devel.noarch: W: only-non-binary-in-usr-lib$')
-
-# Ignore some spelling false positives.
-# Ignore spelling of technical terms
-addFilter(r'^ruby-default-gems.noarch: E: spelling-error \(\'gemspec\'')
-addFilter(r'^ruby-libs.x86_64: E: spelling-error \(\'libruby\'')
-addFilter(r'^rubygem-test-unit.noarch: E: spelling-error \(\'xUnit\'')
-addFilter(r'^rubygem-psych.x86_64: E: spelling-error \(\'libyaml\'')
-addFilter(r'^rubygem-io-console.x86_64: E: spelling-error \(\'readline\'')
-# `pyaml` is part of URL
-addFilter(r'^rubygem-psych.x86_64: E: spelling-error \(\'pyyaml\'')
-# `de-` is actually prefix
-addFilter(r'^rubygem-psych.x86_64: E: spelling-error \(\'de\'')
-
-# It does not seemt to be worth of changing rubygems to archful package due to
-# single directory, unless it causes some real troubles.
-addFilter(r'^rubygems.noarch: E: noarch-with-lib64$')

ruby4.0.spec

@@ -335,8 +335,8 @@ Patch10: ruby-4.0.1-test_box-avoid-failure-with-program-suffix.patch
 # option in Ruby's main build.
 # https://github.com/brianmario/mysql2/issues/1201
 Patch11: rubygem-mysql2-0.5.7-Disable-RPATH-completely-in-extconf.rb.patch
-# CVE-2026-33210
-# Fix for Denial of Service or Information Disclosure
+# CVE-2026-33210 
+# Fix for Denial of Service or Information Disclosure 
 # via format string injection
 # in Ruby JSON
 # https://github.com/ruby/json/commit/393b41c3e5f87491e1e34fa59fa78ff6fa179a74
@@ -1648,13 +1648,13 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 %changelog
 * Wed Apr 29 2026 Tomas Juhasz <tjuhasz@redhat.com> - 4.0.3-34
 - Upgrade to Ruby 4.0.3.
-  Resolves: RHEL-170933
-- Fix ERB: Arbitrary code execution via deserialization bypass
+  Resolves: RHEL-171239
+- Fix ERB: Arbitrary code execution via bypass
  (CVE-2026-41316)
-  Resolves: RHEL-170911
+  Resolves: RHEL-170910
 - Fix JSON: Denial of Service or Information Disclosure via format string injection
  (CVE-2026-33210)
- Resolves: RHEL-169964
+ Resolves: RHEL-173457
 
 * Thu Feb 05 2026 Jarek Prokop <jprokop@redhat.com> - 4.0.1-33
 - Initial package.