Package: ruby3.1
Version: 3.1.2-8.3
Severity: normal
Tags: patch pending

Dear maintainer,

I've prepared an NMU for ruby3.1 (versioned as 3.1.2-8.4) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

I'm aware that this doesn't fix the pile of CVEs open against ruby3.1. My motivation here is just to unblock openssh from migrating to testing; it's currently blocked on openssl, which in turn is blocked on ruby3.1 autopkgtest failures.

For your convenience, I opened https://salsa.debian.org/ruby-team/ruby/-/merge_requests/8 which is equivalent to the attached diff here but broken down into separate commits.

Thanks,

-- 
Colin Watson (he/him) [[email protected]]

diff -Nru ruby3.1-3.1.2/debian/changelog ruby3.1-3.1.2/debian/changelog --- ruby3.1-3.1.2/debian/changelog 2024-03-17 17:06:13.000000000 +0000 +++ ruby3.1-3.1.2/debian/changelog 2024-08-26 14:00:57.000000000 +0100 @@ -1,3 +1,11 @@ +ruby3.1 (3.1.2-8.4) unstable; urgency=medium + + * Non-maintainer upload. + * Fix test failures with OpenSSL 3.3 (closes: #1075922). + * Deduplicate results from getaddrinfo (closes: #1069399). + + -- Colin Watson <[email protected]> Mon, 26 Aug 2024 14:00:57 +0100 + ruby3.1 (3.1.2-8.3) unstable; urgency=medium * Non-maintainer upload. diff -Nru ruby3.1-3.1.2/debian/patches/deduplicate-getaddrinfo.patch ruby3.1-3.1.2/debian/patches/deduplicate-getaddrinfo.patch --- ruby3.1-3.1.2/debian/patches/deduplicate-getaddrinfo.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby3.1-3.1.2/debian/patches/deduplicate-getaddrinfo.patch 2024-08-26 01:35:23.000000000 +0100 
@@ -0,0 +1,51 @@ +From: Colin Watson <[email protected]> +Date: Mon, 26 Aug 2024 01:35:10 +0100 +Subject: Deduplicate results from getaddrinfo + +In certain configurations it's possible to get duplicate results back +from getaddrinfo: for example, if you accidentally have more than one +line in /etc/hosts mapping the same name to the same IP address, then +Linux/glibc systems will return multiple identical entries. This minor +misconfiguration is normally harmless, but it caused this program to +fail with `EADDRINUSE`: + + require 'socket' + Socket.tcp_server_sockets('localhost', 0) + +Prior to https://github.com/ruby/net-http/pull/180, this caused a number +of `TestNetHTTP*` tests to fail, as seen in these Debian bugs: + + https://bugs.debian.org/1069399 (Ruby 3.1) + https://bugs.debian.org/1064685 (Ruby 3.2) + https://bugs.debian.org/1077462 (Ruby 3.3) + +It's easy enough to deduplicate these. + +Bug-Debian: https://bugs.debian.org/1069399 +Forwarded: https://github.com/ruby/ruby/pull/11456 +Last-Update: 2024-08-26 +--- + ext/socket/lib/socket.rb | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ext/socket/lib/socket.rb b/ext/socket/lib/socket.rb +index d756a32..19684b3 100644 +--- a/ext/socket/lib/socket.rb ++++ b/ext/socket/lib/socket.rb +@@ -668,10 +668,16 @@ class Socket < BasicSocket + # :stopdoc: + def self.ip_sockets_port0(ai_list, reuseaddr) + sockets = [] ++ ai_seen = {} + begin + sockets.clear + port = nil + ai_list.each {|ai| ++ ai_id = [ai.pfamily, ai.socktype, ai.protocol, ai.ip_address] ++ if ai_seen.include?(ai_id) ++ next ++ end ++ ai_seen[ai_id] = nil + begin + s = Socket.new(ai.pfamily, ai.socktype, ai.protocol) + rescue SystemCallError diff -Nru ruby3.1-3.1.2/debian/patches/openssl-3.3.patch ruby3.1-3.1.2/debian/patches/openssl-3.3.patch --- ruby3.1-3.1.2/debian/patches/openssl-3.3.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby3.1-3.1.2/debian/patches/openssl-3.3.patch 2024-08-26 01:35:23.000000000 +0100 
@@ -0,0 +1,65 @@ +From: Jun Aruga <[email protected]> +Date: Tue, 12 Mar 2024 14:39:05 +0100 +Subject: test_asn1.rb: Remove the assertions of the time string format + without second. + +This commit fixes the following errors in the tests. +Because the OpenSSL project changed the code to make the time string format +without second invalid. So, we drop the assertions. + +``` +1) Error: test_generalizedtime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: generalizedtime is too short +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode' +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test' +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:433:in `test_generalizedtime' + 430: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39)) + 431: # LibreSSL 3.6.0 requires the seconds element + 432: return if libressl? + => 433: decode_test B(%w{ 18 0D }) + "201612081934Z".b, + 434: OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0)) + 435: # not implemented + 436: # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b, + +2) Error: test_utctime(OpenSSL::TestASN1): OpenSSL::ASN1::ASN1Error: utctime is too short +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode' +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:698:in `decode_test' +/home/runner/work/ruby-openssl/ruby-openssl/test/openssl/test_asn1.rb:411:in `test_utctime' + 408: end + 409: # Seconds is omitted. LibreSSL 3.6.0 requires it + 410: return if libressl? 
+ => 411: decode_test B(%w{ 17 0B }) + "1609082343Z".b, + 412: OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0)) + 413: # not implemented + 414: # decode_test B(%w{ 17 11 }) + "500908234339+0930".b, +``` + +Bug-Debian: https://bugs.debian.org/1075922 +Origin: upstream, https://github.com/ruby/openssl/pull/728 +Last-Update: 2024-08-25 +--- + test/openssl/test_asn1.rb | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb +index 0fd7971..7e5b969 100644 +--- a/test/openssl/test_asn1.rb ++++ b/test/openssl/test_asn1.rb +@@ -404,9 +404,6 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase + def test_utctime + encode_decode_test B(%w{ 17 0D }) + "160908234339Z".b, + OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 39)) +- # Seconds is omitted +- decode_test B(%w{ 17 0B }) + "1609082343Z".b, +- OpenSSL::ASN1::UTCTime.new(Time.utc(2016, 9, 8, 23, 43, 0)) + begin + # possible range of UTCTime is 1969-2068 currently + encode_decode_test B(%w{ 17 0D }) + "690908234339Z".b, +@@ -432,8 +429,6 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase + OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 29)) + encode_decode_test B(%w{ 18 0F }) + "99990908234339Z".b, + OpenSSL::ASN1::GeneralizedTime.new(Time.utc(9999, 9, 8, 23, 43, 39)) +- decode_test B(%w{ 18 0D }) + "201612081934Z".b, +- OpenSSL::ASN1::GeneralizedTime.new(Time.utc(2016, 12, 8, 19, 34, 0)) + # not implemented + # decode_test B(%w{ 18 13 }) + "20161208193439+0930".b, + # OpenSSL::ASN1::GeneralizedTime.new(Time.new(2016, 12, 8, 19, 34, 39, "+09:30")) diff -Nru ruby3.1-3.1.2/debian/patches/series ruby3.1-3.1.2/debian/patches/series --- ruby3.1-3.1.2/debian/patches/series 2024-03-15 16:41:16.000000000 +0000 +++ ruby3.1-3.1.2/debian/patches/series 2024-08-26 01:35:23.000000000 +0100 @@ -17,3 +17,5 @@ openssl-3.0.1.patch Fix-splitting-relative-URI.patch Update-test-certificates.patch +openssl-3.3.patch +deduplicate-getaddrinfo.patch
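
Review bot: in the ext/socket/lib/socket.rb hunk, `ai_seen = {}` is initialized before `begin`, while `sockets.clear` and `port = nil` are reset inside it. If that `begin` body is ever re-run (the per-pass resets suggest it can be), `ai_seen` still holds every address from the first pass, so each `ai` hits `next` and the method ends up with no sockets. Reset it with the other per-pass state, for example `ai_seen.clear` right after `sockets.clear`. As a style point, the hash with `nil` values is standing in for a set; a short comment saying so, or deduplicating up front with `ai_list.uniq { |ai| [ai.pfamily, ai.socktype, ai.protocol, ai.ip_address] }`, would read more directly and also sidesteps the reset question.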
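
Review bot: in the test/openssl/test_asn1.rb hunks, deleting the seconds-less `decode_test` cases from `test_utctime` and `test_generalizedtime` leaves that input with no coverage at all. The failures quoted in the patch header show the decode now raising `OpenSSL::ASN1::ASN1Error` ("utctime is too short", "generalizedtime is too short"), so where the linked library is known to reject the format, asserting that error would keep the stricter behaviour pinned rather than untested. Because these cases passed before the OpenSSL change, any such assertion would have to be conditional on the library version, in the same way the quoted test context already returns early for LibreSSL.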
