This bug was fixed in the package ruby3.3 - 3.3.8-2ubuntu1
---------------
ruby3.3 (3.3.8-2ubuntu1) questing; urgency=medium

  * Merge with Debian unstable (LP: #2110442). Remaining changes:
    - d/p/1001-fix-ensure-stack-memory-corruption.patch: add a patch to fix
      "ensure" structure stack memory use-after-free errors.
    - d/p/1002-ppc64le-fix-fiber-corruption.patch: add a patch to fix
      conditional registers getting clobbered on ppc64el during the
      Ruby fiber switching.
  * Dropped changes:
    - SECURITY UPDATE: DoS in net-imap response parser
      + debian/patches/CVE-2025-25186.patch: limit number of UIDs in
        .bundle/gems/net-imap-0.4.9.1/lib/net/imap/response_parser.rb.
      + CVE-2025-25186
      [ Fixed upstream in 3.3.8 ]
    - SECURITY UPDATE: DoS in CGI Gem
      + debian/patches/CVE-2025-27219.patch: use String#concat instead of
        String#+ for reducing cpu usage in lib/cgi/cookie.rb.
      + CVE-2025-27219
      [ Fixed in 3.3.7-2 ]
    - SECURITY UPDATE: ReDoS in CGI Gem
      + debian/patches/CVE-2025-27220.patch: escape/unescape unclosed tags as
        well in lib/cgi/util.rb, test/cgi/test_cgi_util.rb.
      + CVE-2025-27220
      [ Fixed in 3.3.7-2 ]
    - SECURITY UPDATE: credential leak in URI gem
      + debian/patches/CVE-2025-27221-1.patch: truncate userinfo in
        lib/uri/generic.rb, test/uri/test_generic.rb.
      + debian/patches/CVE-2025-27221-2.patch: fix merger of URI with
        authority component in lib/uri/generic.rb, test/uri/test_generic.rb.
      + CVE-2025-27221
      [ Fixed in 3.3.7-2 ]

 -- Athos Ribeiro <[email protected]>  Mon, 09 Jun 2025 09:46:54 -0300
** Changed in: ruby3.3 (Ubuntu)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-25186
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-27219
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-27220
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-27221
https://bugs.launchpad.net/bugs/2110442
Title:
Merge ruby3.3 from Debian Unstable for questing