
Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload



FWIW, in Ubuntu, we had a similar issue trying to fix this CVE in ruby2.7, and in the end we reverted the fix:

https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.10

Lucas Kanashiro.

On Wed, Jun 7, 2023 at 07:47, Utkarsh Gupta <guptautkarsh2102@gmail.com> wrote:
Hiya,

On Wed, Jun 7, 2023 at 2:39 PM Moritz Muehlenhoff <jmm@inutil.org> wrote:
> Specifically https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
> states:
>
> | For Ruby 2.7: Update to uri 0.10.0.1
> | For Ruby 3.0: Update to uri 0.10.2
> | For Ruby 3.1: Update to uri 0.11.1
> | For Ruby 3.2: Update to uri 0.12.1
>
> And the 0.10 change (https://github.com/ruby/uri/commit/17861a53e499a2eabf7ba83d63914d0f01921d70)
> is different from the 0.12 one (https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d0b58ea9dc38892d175)
>
> There might be other changes needed for 2.5, not sure.

Yep, I'm taking a look to prep something for 2.5.


- u

