On Thursday, 19 June 2025, 13:41:48 Central European Summer Time, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
>
> On Tue, Apr 22, 2025 at 12:59:58AM +0200, Bastien Roucaries wrote:
> > [ Reason ]
> > last security release of ruby3.1 before EOL
> >
> > [ Impact ]
> > CVEs are not closed
> >
> > [ Tests ]
> > autopkgtest + test of package
> >
> > [ Risks ]
> > Low
> >
> > [ Checklist ]
> >
> > [X] *all* changes are documented in the d/changelog
> > [X] I reviewed all changes and I approve them
> > [X] attach debdiff against the package in (old)stable
> > [X] the issue is verified as fixed in unstable
> >
> > [ Changes ]
> > CVEs closed, regression patch also applied
> >
> > [ Other info ]
> > reviewed by tercerio and ruby team
>
> You're going to have to help me out a bit more here, I'm not parsing a
> debdiff which is so large it has to be compressed to find out what needs
> fixing and why it justifies a stable upload to an entire interpreter.
OK. Fixed in 3.1.4: https://github.com/ruby/ruby/releases/tag/v3_1_4
CVE-2023-28755: ReDoS vulnerability in URI
CVE-2023-28756: ReDoS vulnerability in Time
Fixed in 3.1.5: https://github.com/ruby/ruby/releases/tag/v3_1_5
CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
CVE-2024-27280: Buffer overread vulnerability in StringIO
Fixed in 3.1.7:
CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221
Other CVEs are fixed by updating bundled dependencies.
Backporting the security fixes was too hard, and these are bug-fix-only releases, so we backport the entire interpreter.
Tercerio, could you please add something?