Public bug reported:

Scheduled-For: ubuntu-25.06
Ubuntu: 3.3.7-1ubuntu2
Debian Unstable: 3.3.8-2

A new release of ruby3.3 is available for merging from Debian Unstable.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the questing Release Notes:
https://discourse.ubuntu.com/t/questing-quokka-release-notes/

### New Debian Changes ###

ruby3.3 (3.3.8-2) unstable; urgency=medium

  [ Antonio Terceiro ]
  * libruby3.3: drop dependencies on ruby-test-unit and ruby-minitest
  * libruby3.3: bump versioned dependencies on ruby-did-you-mean and
    ruby-webrick

 -- Lucas Kanashiro <[email protected]>  Tue, 29 Apr 2025 07:58:14 -0300

ruby3.3 (3.3.8-1) unstable; urgency=medium

  * New upstream release.
    - Fix CVE-2025-25186 in net-imap.
    - Fix CVE-2025-27221 in URI.
      + d/p/CVE-2025-27221_*.patch: kept to fix the same issue in URI
        vendorized version in lib/{rubygems,bundler}.
    - Fix CVE-2025-27219 and CVE-2025-27220 in CGI.
      + d/p/CVE-2025-272{19,20}.patch: removed.
  * d/control: make libruby3.3 depend on versioned ruby-{csv,ruby2-keywords}.
    Those 2 gems used to have the same version in libruby3.1 and in their
    own source packages, and when a user tried to upgrade from bookworm to
    trixie the libruby3.1 was kept because it would satisfy the
    dependencies without installing a new package. Adding them with a
    version constraint to avoid keeping libruby3.1 around after the
    upgrade to ruby3.3. (Closes: #1099067)

 -- Lucas Kanashiro <[email protected]>  Thu, 10 Apr 2025 15:59:06 -0300

ruby3.3 (3.3.7-2) unstable; urgency=medium

  * Fix CVE-2025-27221. The URI handling methods (URI.join, URI#merge,
    URI#+) have an inadvertent leakage of authentication credentials
    because userinfo is retained even after changing the host.
    - d/p/CVE-2025-27221_*.patch
  * Fix CVE-2025-27220. In the CGI gem, a Regular Expression Denial of
    Service (ReDoS) vulnerability exists in the Util#escapeElement method.
    - d/p/CVE-2025-27220.patch
  * Fix CVE-2025-27219. In the CGI gem, the CGI::Cookie.parse method in
    the CGI library contains a potential Denial of Service (DoS)
    vulnerability. The method does not impose any limit on the length of
    the raw cookie value it processes. This oversight can lead to
    excessive resource consumption when parsing extremely large cookies.
    - d/p/CVE-2025-27219.patch
  * d/libruby3.3.symbols: update symbols for multiple architectures
    (Closes: #1093972). Thanks to John Paul Adrian Glaubitz!

 -- Lucas Kanashiro <[email protected]>  Wed, 09 Apr 2025 15:42:58 -0300

### Old Ubuntu Delta ###

ruby3.3 (3.3.7-1ubuntu2) plucky; urgency=medium

  * SECURITY UPDATE: DoS in net-imap response parser
    - debian/patches/CVE-2025-25186.patch: limit number of UIDs in
      .bundle/gems/net-imap-0.4.9.1/lib/net/imap/response_parser.rb.
    - CVE-2025-25186
  * SECURITY UPDATE: DoS in CGI Gem
    - debian/patches/CVE-2025-27219.patch: use String#concat instead of
      String#+ for reducing cpu usage in lib/cgi/cookie.rb.
    - CVE-2025-27219
  * SECURITY UPDATE: ReDoS in CGI Gem
    - debian/patches/CVE-2025-27220.patch: escape/unescape unclosed tags as
      well in lib/cgi/util.rb, test/cgi/test_cgi_util.rb.
    - CVE-2025-27220
  * SECURITY UPDATE: credential leak in URI gem
    - debian/patches/CVE-2025-27221-1.patch: truncate userinfo in
      lib/uri/generic.rb, test/uri/test_generic.rb.
    - debian/patches/CVE-2025-27221-2.patch: fix merger of URI with
      authority component in lib/uri/generic.rb, test/uri/test_generic.rb.
    - CVE-2025-27221

 -- Marc Deslauriers <[email protected]>  Tue, 04 Mar 2025 10:40:05 -0500

ruby3.3 (3.3.7-1ubuntu1) plucky; urgency=medium

  * Merge with Debian; remaining changes:
    - d/p/1001-fix-ensure-stack-memory-corruption.patch: add a patch to fix
      "ensure" structure stack memory use-after-free errors.
    - d/p/1002-ppc64le-fix-fiber-corruption.patch: add a patch to fix
      conditional registers getting clobbered on ppc64el during the Ruby
      fiber switching.

 -- Matthias Klose <[email protected]>  Fri, 07 Feb 2025 10:40:57 +0100

** Affects: ruby3.3 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: needs-merge upgrade-software-version

** Changed in: ruby3.3 (Ubuntu)
    Milestone: None => ubuntu-25.06

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2110442

Title:
  Merge ruby3.3 from Debian Unstable for questing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ruby3.3/+bug/2110442/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
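The changelog entries above describe CVE-2025-27221 as URI.join, URI#merge and URI#+ keeping the base URI's userinfo (user:password) even when the reference changes the host. The following is an added example, not code from the ruby3.3 package, the uri gem or any of the patches listed; the names safe_join and uri_join_leaks_userinfo? are hypothetical. It shows a wrapper that drops credentials whenever the merged URI ends up on a different authority (scheme, host or port) than the base, so it gives the same result whether or not the installed uri gem carries the fix, plus a one-call check that tells you whether the plain URI.join on this interpreter still leaks.

```ruby
require "uri"

# Hypothetical wrapper (added example, not the uri gem's fix): merge a
# reference against a base URI, but never let the base's userinfo travel to
# a different authority.  Behaves the same on patched and unpatched gems.
def safe_join(base, reference)
  base_uri = URI(base)
  merged   = URI.join(base_uri, reference)

  # "Authority changed" means any of scheme, host or port differs from the
  # base; a port change alone (//example.com:8080/) is enough to drop creds.
  authority_changed =
    merged.scheme != base_uri.scheme ||
    merged.host   != base_uri.host   ||
    merged.port   != base_uri.port

  if base_uri.userinfo && authority_changed
    # Clear the password before the user: URI::Generic rejects a password
    # without a user, and userinfo= with nil is a no-op in older versions.
    merged.password = nil
    merged.user     = nil
  end
  merged
end

# Check for the installed uri gem: a network-path reference ("//host/x")
# carries its own authority, so the base's credentials must not survive.
# Returns true when the plain URI.join still leaks them (unpatched gem).
def uri_join_leaks_userinfo?
  joined = URI.join("http://user:pass@example.com/a/b", "//attacker.example/x")
  !joined.userinfo.nil?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not taken from any real request.
  base = "http://user:pass@example.com/a/b"
  puts "plain URI.join leaks userinfo on this gem: #{uri_join_leaks_userinfo?}"
  puts safe_join(base, "c")                    # same authority: credentials kept
  puts safe_join(base, "//attacker.example/x") # new host: credentials dropped
  puts safe_join(base, "//example.com:8080/")  # new port: credentials dropped
end
```

Running the script on a ruby3.3 from before 3.3.7-1ubuntu2 / 3.3.7-2 prints `true` for the leak check; on a patched build it prints `false`. Either way safe_join never emits "user:pass@" for a reference that moves to another authority. Note that a fully absolute reference ("https://other.example/p") is simply returned as-is by URI.join, so the leak only bites for references that supply an authority without a scheme.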
