Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

To: Utkarsh Gupta <guptautkarsh2102@gmail.com>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Chris Lamb <lamby@debian.org>, Debian LTS <debian-lts@lists.debian.org>, 1037178@bugs.debian.org, Bernhard Schmidt <berni@debian.org>
Subject: Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload
From: Lucas Kanashiro <kanashiro.duarte@gmail.com>
Date: Wed, 7 Jun 2023 08:22:04 -0300
Message-id: <[🔎] CA+a8s+ZmzPkA66t8g1Ux20D-0Uyc0RJ6ZFjMubERgDHW9SDe=A@mail.gmail.com>
In-reply-to: <[🔎] CAPP0f95S2mKqXpbcF0eoEf3o5OA-6EdQbH9SZpzgQpE_6C_0zw@mail.gmail.com>
References: <168612029304.2076068.14828092065434552286.reportbug@fliwatuet.svr02.mucip.net> <[🔎] ZIAxFHWEjTtNFEuP@eldamar.lan> <[🔎] CAPP0f97a_rf70f2u9Es4idWQE7YTWcJ_Bb1P=D5OSbChKNv58w@mail.gmail.com> <[🔎] 20230607090907.GA28422@inutil.org> <[🔎] CAPP0f95S2mKqXpbcF0eoEf3o5OA-6EdQbH9SZpzgQpE_6C_0zw@mail.gmail.com>

FWIW, in Ubuntu, we had a similar issue trying to fix this CVE in ruby2.7, and in the end we reverted the fix:

https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.10

Lucas Kanashiro.

Em qua., 7 de jun. de 2023 07:47, Utkarsh Gupta <guptautkarsh2102@gmail.com> escreveu:

Hiya,

On Wed, Jun 7, 2023 at 2:39 PM Moritz Muehlenhoff <jmm@inutil.org> wrote:
> Specifically https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
> states:
>
> | For Ruby 2.7: Update to uri 0.10.0.1
> | For Ruby 3.0: Update to uri 0.10.2
> | For Ruby 3.1: Update to uri 0.11.1
> | For Ruby 3.2: Update to uri 0.12.1
>
> And the 0.10 change (https://github.com/ruby/uri/commit/17861a53e499a2eabf7ba83d63914d0f01921d70)
> is different from the 0.12 one (https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d0b58ea9dc38892d175)
>
> There might be other changes needed for 2.5, not sure.

Yep, I'm taking a look to prep something for 2.5.

- u

Reply to:

References:
- Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload
  - From: Utkarsh Gupta <guptautkarsh2102@gmail.com>
- Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload
  - From: Utkarsh Gupta <guptautkarsh2102@gmail.com>

Prev by Date: Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload
Next by Date: Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload
Previous by thread: Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload
Next by thread: Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload
Index(es):
- Date
- Thread