Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby2.5.

This is a maintenance-only new upstream release that includes fixes for
important bugs, and 6 security bugs.

Changelog:

ruby2.5 (2.5.5-1) unstable; urgency=medium
.
  * New upstream version 2.5.5. Includes a series of bug fixes, most notably
    for 6 security bugs discovered in Rubygems:
    - CVE-2019-8320: Delete directory using symlink when decompressing tar
    - CVE-2019-8321: Escape sequence injection vulnerability in verbose
    - CVE-2019-8322: Escape sequence injection vulnerability in gem owner
    - CVE-2019-8323: Escape sequence injection vulnerability in API response handling
    - CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
    - CVE-2019-8325: Escape sequence injection vulnerability in errors
  * Rebase patches. The following patches were applied upstream and dropped
    from the Debian package:
    - 0011-Update-for-tzdata-2018f.patch
    - 0012-test-update-test-certificate.patch

The full diff against the version in testing is attached. It's a bit big, but
I have reviewed the changes and there is nothing worrisome from my POV. You
will notice that a few functions are renamed, but they are not part of the
API or the ABI since they are not exported in the -dev header files.

Having this version in buster will make the maintenance in stable a lot
easier.

unblock ruby2.5/2.5.5-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), LANGUAGE=pt_BR:pt:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Attachment:
signature.asc
Description: PGP signature
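Four of the six CVEs listed in the changelog above are "escape sequence injection" bugs: attacker-controlled text (a gem name, a summary, an API error body) was written to the terminal verbatim, so a gem author could embed ANSI/xterm control sequences that clear the screen, recolour output, retitle the window, or otherwise spoof what the user sees. The following Ruby block is an added example written for this page; it is neither the submitter's code nor RubyGems' own fix. It shows the class of bug with constructed sample strings, a small detector for the common escape-sequence introducers, and a sanitizer that replaces control bytes (all except tab, newline and carriage return) with a visible placeholder. The constant and method names (`CONTROL_CHARS`, `clean_text`, `contains_escape?`, `SAMPLES`, `demo`) are this example's own, not RubyGems identifiers.

```ruby
# Added illustrative example: sanitizing untrusted text before it reaches
# a terminal. Not RubyGems' code; names below are this example's own.
#
# The threat: a gem's metadata or a server response is printed as-is, and the
# user's terminal interprets ESC sequences embedded in it.

# Control bytes that a terminal may act on. We deliberately keep
# \t (0x09), \n (0x0a) and \r (0x0d) so normal multi-line text still renders.
CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# Replace every dangerous control byte with ".", so an injected
# "\e[2J" (clear screen) prints harmlessly as ".[2J".
def clean_text(text)
  text.to_s.gsub(CONTROL_CHARS, ".")
end

# Cheap detector for the usual introducers an attacker would use:
#   ESC [  -> CSI (cursor movement, colours, clear screen)
#   ESC ]  -> OSC (window title, hyperlinks, clipboard on some terminals)
#   ESC P/_/^/X -> DCS/APC/PM/SOS string sequences
# Useful for logging or rejecting suspicious metadata outright.
def contains_escape?(text)
  text.to_s.match?(/\e\[|\e\]|\e[P_^X]/)
end

# Constructed sample inputs for demonstration; none of these are real gems.
SAMPLES = {
  benign: "foo-bar 1.0.0\n  Summary: a harmless gem",
  # Clears the screen, homes the cursor, then prints a fake red "error"
  # telling the user to rerun with elevated privileges.
  csi:    "evil\e[2J\e[H\e[31mERROR: reinstall with sudo\e[0m",
  # Sets the terminal window title via OSC 0.
  osc:    "evil\e]0;pwned\a",
  # A DCS string (terminated by ESC \).
  dcs:    "evil\ePq...\e\\",
}.freeze

# Runs every sample through the detector and the sanitizer and returns
# [name, flagged?, sanitized] triples so a caller can inspect the result.
def demo
  SAMPLES.map { |name, raw| [name, contains_escape?(raw), clean_text(raw)] }
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |name, flagged, cleaned|
    puts "#{name}: flagged=#{flagged} -> #{cleaned.inspect}"
  end
end
```

The sanitizer is applied at the output boundary (just before `puts`/`warn`), not at parse time, so the stored metadata is untouched and every display path, verbose output, `gem owner` listings, API error messages, is covered by one choke point rather than by per-caller escaping.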