-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Apr 2025 15:49:41 -0300
Source: rubygems
Architecture: source
Version: 3.2.5-2+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Lucas Kanashiro <kanashiro@debian.org>
Changes:
 rubygems (3.2.5-2+deb11u1) bullseye-security; urgency=medium
 .
   * Fix CVE-2025-27221. The URI handling methods (URI.join, URI#merge, URI#+)
     have an inadvertent leakage of authentication credentials because userinfo
     is retained even after changing the host.
     - d/p/CVE-2025-27221_*.patch
   * Fix CVE-2023-28755. A ReDoS issue was discovered in the URI component
     through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid
     URLs that have specific characters. It causes an increase in execution
     time for parsing strings to URI objects.
     - d/p/CVE-2023-28755.patch
   * Fix CVE-2021-43809. In bundler versions before 2.2.33, when working with
     untrusted and apparently harmless `Gemfile`'s, it is not expected that
     they lead to execution of external code, unless that's explicit in the
     ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes
     `gem` entries that use the `git` option with invalid, but seemingly
     harmless, values with a leading dash, this can be false. To handle
     dependencies that come from a Git repository instead of a registry,
     Bundler uses various commands, such as `git clone`. These commands are
     being constructed using user input (e.g. the repository URL). When
     building the commands, Bundler versions before 2.2.33 correctly avoid
     Command Injection vulnerabilities by passing an array of arguments
     instead of a command string. However, there is the possibility that a
     user input starts with a dash (`-`) and is therefore treated as an
     optional argument instead of a positional one. This can lead to Code
     Execution because some of the commands have options that can be
     leveraged to run arbitrary executables.
     - d/p/CVE-2021-43809.patch
   * d/t/control: add libyaml-dev to Depends of testsuite. Fix autopkgtest
     failure.
Checksums-Sha1:
 7428d44738b720e8e130248a2036eaa6f8de6570 2267 rubygems_3.2.5-2+deb11u1.dsc
 5567cba1abba70dbb17fb5cdd5727bb9a39d711c 11877854 rubygems_3.2.5.orig.tar.gz
 1a0a07a1ddf96d0e1fd457653731381ba972e73a 11808 rubygems_3.2.5-2+deb11u1.debian.tar.xz
 c820c9ddafb2b0829f08fd1937e1b2e96cd06daf 12309 rubygems_3.2.5-2+deb11u1_source.buildinfo
Checksums-Sha256:
 fae03c323a8fb593a9e5346228d0e3c946cd055266a80ec0bf2b112d95c902aa 2267 rubygems_3.2.5-2+deb11u1.dsc
 9fd3a66bc97b9d57f529a82e08076222743d3c9f040ba8be5b9763004c9c51b7 11877854 rubygems_3.2.5.orig.tar.gz
 4ec9e2e44147797be5c2c2f3cd2d784f8e0ee6d83f4cc0c90bdb49771c2cd760 11808 rubygems_3.2.5-2+deb11u1.debian.tar.xz
 01be009ff5f439ceaa6c72db37dba56df23b57f842f2e4b6569fb4c5d09ba451 12309 rubygems_3.2.5-2+deb11u1_source.buildinfo
Files:
 2bde5c4fa8f75718c3143784855059db 2267 ruby optional rubygems_3.2.5-2+deb11u1.dsc
 77bb8f284be42865789d49693bad6c66 11877854 ruby optional rubygems_3.2.5.orig.tar.gz
 75122a364a4cbbf65ef58e548d6c0896 11808 ruby optional rubygems_3.2.5-2+deb11u1.debian.tar.xz
 f47ebc4d4004df242c3ff4308430277d 12309 ruby optional rubygems_3.2.5-2+deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCgAzFiEEjtbD+LrJ23/BMKhw+COicpiDyXwFAmgiW9EVHGthbmFzaGly
b0BkZWJpYW4ub3JnAAoJEPgjonKYg8l8LykP/ROhxI9H3S+c5ExQd37tS/f3GdtL
/pbzzesN3HsUd+rt6GBgws3/Yl5KtvP1LMLypw07OVfnTjNjTsjvaSxU09gZj7Ef
An/P7uYZLqqjl1bo71YgWBn5AZdJfjJIA2ppysmbK2/VfJm4ezIPkhyion9K/4z+
hqI5DUBW+BP/b0nfo92pGV5phwbu6JlrBZRpSgiOdvUhArMefCyKxxDXCtOKrDqt
M92TrqbPNncU11ebW2uIbEYA01vRM84t/vvOJmKYjWdGc2k1+f2gwN685hbpK+hf
S+xiTKAHx/nQow6tFS69C77fLn5cUUFEG/TDT3MlonMgTJVurzzWZ/1n90+ZSkyJ
/7yQ8uBcXW+IECly51Yv+oxpM2CG7+WFqyi0IU9wf7c6hLRg0m8DG3yuGVpRqIVR
hYgte3M7IqAFI6O9jY71L139jlW/pFGyYhNIEoW4BRYZ+88qKldI3i9NJqNzpXsC
5o6QH82DSrvL28EhOVSccTH83a08m54XBEZT6u/nHAoItsTr9D5aBlp3kOKDkEDF
y40Ns1KrzdVF+pCZDXhi4cjdWr30HRJfVoc6FHW4yI6SmWAO8QM8pK7o583BdmNJ
aFNcKopxq09e0IOqVj+fvKlKHrAX9Qkuv7lFRYAjhwwbtx3zXH4NWHsovyBKM+Jq
UNmxNGu61sxNQRQ0
=awtM
-----END PGP SIGNATURE-----
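The CVE-2025-27221 entry above describes URI.join / URI#merge keeping the base URI's userinfo when the reference moves the result to a different host. The following is an added example, not code from the advisory, from Ruby's uri gem or from the Debian package: it shows a check that detects the leak pattern and a wrapper that strips credentials whenever the authority changes, so the result is safe on both patched and unpatched uri versions. BASE, credentials_leaked? and safe_join are names chosen here; the base URI and the hostnames are constructed sample data.

```ruby
require 'uri'

# Constructed example data, not taken from the advisory: a base URI that
# embeds deploy credentials, as a Gemfile or CI configuration might.
BASE = 'https://deploy:s3cr3t@git.example.org/repo/'.freeze

# True when the resolved URI still carries credentials but points at a host
# other than the base's: the leak pattern described for CVE-2025-27221.
def credentials_leaked?(base, joined)
  b = URI(base)
  j = URI(joined)
  !b.userinfo.nil? && !j.userinfo.nil? && j.host != b.host
end

# Hardened join: resolve with URI.join, then drop userinfo whenever the
# scheme, host or port no longer matches the base. Behaves the same on
# patched and unpatched uri gems, so callers need not know which is installed.
def safe_join(base, *refs)
  b = URI(base)
  result = URI.join(base, *refs)
  if result.scheme != b.scheme || result.host != b.host || result.port != b.port
    # Clear the password first: URI::Generic#user= keeps @password unless it
    # is already nil, and #userinfo=(nil) is a no-op.
    result.password = nil
    result.user = nil
  end
  result
end

if $PROGRAM_NAME == __FILE__
  ref = '//mirror.example.net/repo/' # network-path reference to another host
  raw = URI.join(BASE, ref).to_s
  puts "URI.join on this Ruby: #{raw}  leaked=#{credentials_leaked?(BASE, raw)}"
  puts "safe_join:             #{safe_join(BASE, ref)}"
end
```

Run it on a Ruby with the unpatched uri gem and the first line shows the deploy credentials attached to mirror.example.net; on a patched one it does not. safe_join gives https://mirror.example.net/repo/ in both cases, while a same-host reference such as 'pull' keeps the credentials, since nothing has moved.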
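The CVE-2021-43809 entry explains that passing an argv Array to the git subprocess prevents shell command injection but not argument injection: a repository value beginning with a dash is parsed by git as an option. The following is an added example and is not Bundler's code: naive_clone_argv and safe_clone_argv are illustrative builders chosen here, split_options is a minimal model of getopt-style parsing used only to show where each value lands, and '--not-a-url' is a constructed hostile value (no particular git option is claimed to be exploitable). The hardening shown is the general one: reject option-looking values and end option parsing with git's '--' marker.

```ruby
class UnsafeGitArgument < ArgumentError; end

# Passing an Array to Process.spawn avoids the shell, so no command
# injection is possible, but git still parses each element: a value that
# begins with '-' is taken as an option, not as the repository to clone.
def naive_clone_argv(uri, dest)
  ['git', 'clone', '--bare', '--quiet', uri, dest]
end

# Hardened: refuse option-looking values outright and terminate option
# parsing with '--', git's end-of-options marker, so positionals stay positional.
def safe_clone_argv(uri, dest)
  [uri, dest].each do |v|
    raise UnsafeGitArgument, "refusing option-like value #{v.inspect}" if v.start_with?('-')
  end
  ['git', 'clone', '--bare', '--quiet', '--', uri, dest]
end

# Minimal model of a getopt-style split of the arguments after the
# subcommand: before '--', anything starting with '-' is an option; after
# it, everything is positional. Returns [options, positionals].
def split_options(argv)
  options, positionals = [], []
  past_separator = false
  argv.drop(2).each do |arg| # skip 'git' and the subcommand
    if past_separator          then positionals << arg
    elsif arg == '--'          then past_separator = true
    elsif arg.start_with?('-') then options << arg
    else                            positionals << arg
    end
  end
  [options, positionals]
end

if $PROGRAM_NAME == __FILE__
  hostile = '--not-a-url' # constructed: a Gemfile git: value with a leading dash
  opts, pos = split_options(naive_clone_argv(hostile, 'repo'))
  puts "naive: options=#{opts.inspect} positionals=#{pos.inspect}"
  begin
    safe_clone_argv(hostile, 'repo')
  rescue UnsafeGitArgument => e
    puts "safe:  #{e.message}"
  end
  p safe_clone_argv('https://git.example.org/repo.git', 'repo')
end
```

The naive builder puts the hostile value among git's options and leaves only 'repo' as a positional, which is exactly the confusion the changelog describes. Both defenses are worth keeping together: '--' protects any value that slips through validation, and the leading-dash check gives a clear error instead of letting git report a confusing unknown-option failure.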