
Bug#925923: unblock: ruby2.5/2.5.5-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby2.5. This is a maintenance-only new upstream
release that includes fixes for important bugs, and 6 security bugs.

Changelog:

 ruby2.5 (2.5.5-1) unstable; urgency=medium
 .
   * New upstream version 2.5.5. Includes a series of bug fixes, most notably
     for 6 security bugs discovered in Rubygems:
     - CVE-2019-8320: Delete directory using symlink when decompressing tar
     - CVE-2019-8321: Escape sequence injection vulnerability in verbose
     - CVE-2019-8322: Escape sequence injection vulnerability in gem owner
     - CVE-2019-8323: Escape sequence injection vulnerability in API response
       handling
     - CVE-2019-8324: Installing a malicious gem may lead to arbitrary code
       execution
     - CVE-2019-8325: Escape sequence injection vulnerability in errors
   * Rebase patches. The following patches were applied upstream and dropped
     from the Debian package:
     - 0011-Update-for-tzdata-2018f.patch
     - 0012-test-update-test-certificate.patch

The full diff against the version in testing is attached. It's a bit
big, but I have reviewed the changes and there is nothing worrisome from
my POV. You will notice that a few functions are renamed, but they are
not part of the API or the ABI since they are not exported in the -dev
header files. Having this version in buster will make the maintenance
in stable a lot easier.

unblock ruby2.5/2.5.5-1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), LANGUAGE=pt_BR:pt:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
