GNU bug report logs - #62557
[PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755, 28756}]

Previous Next

Package: guix-patches;

Reported by: Remco van 't Veer <remco <at> remworks.net>

Date: Fri, 31 Mar 2023 05:25:01 UTC

Severity: normal

Tags: patch

Done: Andreas Enge <andreas <at> enge.fr>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 62557 in the body.
You can then email your comments to 62557 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#62557; Package guix-patches. (Fri, 31 Mar 2023 05:25:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Remco van 't Veer <remco <at> remworks.net>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 31 Mar 2023 05:25:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Remco van 't Veer <remco <at> remworks.net>
To: guix-patches <at> gnu.org
Cc: Remco van 't Veer <remco <at> remworks.net>
Subject: [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755,
 28756}]
Date: Fri, 31 Mar 2023 07:24:23 +0200

Fixes: CVE-2023-28755 (ReDoS vulnerability in URI), and
CVE-2023-28756 (ReDoS vulnerability in Time).

* gnu/packages/ruby.scm (ruby-2.7-fixed): Update to 2.7.8.
---
 gnu/packages/ruby.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 3bf0f0f534..df01005846 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -29,7 +29,7 @@
 ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin <at> mailbox.org>
 ;;; Copyright © 2021 Giovanni Biscuolo <g <at> xelera.eu>
 ;;; Copyright © 2022 Philip McGrath <philip <at> philipmcgrath.com>
-;;; Copyright © 2022 Remco van 't Veer <remco <at> remworks.net>
+;;; Copyright © 2022, 2023 Remco van 't Veer <remco <at> remworks.net>
 ;;; Copyright © 2022 Taiju HIGASHI <higashi <at> taiju.info>
 ;;; Copyright © 2023 Yovan Naumovski <yovan <at> gorski.stream>
 ;;;
@@ -201,7 +201,7 @@ (define-public ruby-2.7
 (define ruby-2.7-fixed
   (package
     (inherit ruby-2.7)
-    (version "2.7.7")
+    (version "2.7.8")
     (source
      (origin
        (inherit (package-source ruby-2.7))
@@ -210,7 +210,7 @@ (define ruby-2.7-fixed
                            "/ruby-" version ".tar.gz"))
        (sha256
         (base32
-         "143vih5jzmrd2r5h94pa3qzml0ldii0qzs6g09jg6zqxd7djf0g1"))))))
+         "182vni66djmiqagwzfsd0za7x9k3zag43b88c590aalgphybdnn2"))))))
 
 (define-public ruby-3.0
   (package
-- 
2.39.2
Information forwarded to mail <at> cbaines.net, guix-patches <at> gnu.org:
bug#62557; Package guix-patches. (Fri, 19 May 2023 11:10:02 GMT) Full text and rfc822 format available.

Message #8 received at 62557 <at> debbugs.gnu.org (full text, mbox):

From: Remco van 't Veer <remco <at> remworks.net>
To: 62557 <at> debbugs.gnu.org
Cc: guix-devel <at> gnu.org, Andreas Enge <andreas <at> enge.fr>,
 Christopher Baines <mail <at> cbaines.net>, Remco van 't Veer <remco <at> remworks.net>
Subject: [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes CVE-2023-{28755,
 28756}]
Date: Fri, 19 May 2023 13:09:17 +0200

Fixes: CVE-2023-28755 (ReDoS vulnerability in URI), and
CVE-2023-28756 (ReDoS vulnerability in Time).

* gnu/packages/ruby.scm (ruby-2.7-fixed): Update to 2.7.8.
(ruby-2.7)[replacement]: Graft.
---
 gnu/packages/ruby.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index dbd4127343..eb84367d15 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -163,6 +163,7 @@ (define-public ruby-2.7
   (package
     (inherit ruby-2.6)
     (version "2.7.6")
+    (replacement ruby-2.7-fixed) ; security fixes
     (source
      (origin
        (inherit (package-source ruby-2.6))
@@ -200,7 +201,7 @@ (define-public ruby-2.7
 (define ruby-2.7-fixed
   (package
     (inherit ruby-2.7)
-    (version "2.7.7")
+    (version "2.7.8")
     (source
      (origin
        (inherit (package-source ruby-2.7))
@@ -209,7 +210,7 @@ (define ruby-2.7-fixed
                            "/ruby-" version ".tar.gz"))
        (sha256
         (base32
-         "143vih5jzmrd2r5h94pa3qzml0ldii0qzs6g09jg6zqxd7djf0g1"))))))
+         "182vni66djmiqagwzfsd0za7x9k3zag43b88c590aalgphybdnn2"))))))
 
 (define-public ruby-3.0
   (package

base-commit: 14c03807ba4bc81d42cf869f5b827f7da54ff843
-- 
2.40.1
Reply sent to Andreas Enge <andreas <at> enge.fr>:
You have taken responsibility. (Tue, 23 May 2023 15:10:02 GMT) Full text and rfc822 format available.
Notification sent to Remco van 't Veer <remco <at> remworks.net>:
bug acknowledged by developer. (Tue, 23 May 2023 15:10:02 GMT) Full text and rfc822 format available.

Message #13 received at 62557-done <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: Remco van 't Veer <remco <at> remworks.net>
Cc: Christopher Baines <mail <at> cbaines.net>, 62557-done <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: ruby-2.7-fixed: Upgrade to 2.7.8 [fixes
 CVE-2023-{28755,28756}]
Date: Tue, 23 May 2023 17:08:51 +0200

Am Fri, May 19, 2023 at 01:09:17PM +0200 schrieb Remco van 't Veer:
> Fixes: CVE-2023-28755 (ReDoS vulnerability in URI), and
> CVE-2023-28756 (ReDoS vulnerability in Time).
> * gnu/packages/ruby.scm (ruby-2.7-fixed): Update to 2.7.8.
> (ruby-2.7)[replacement]: Graft.

Sorry for the delay, I needed to read up on grafts first. Everything looks
good, a dependent package builds, so I have pushed this and am closing
the bug.

Thanks!

Andreas
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 21 Jun 2023 11:24:07 GMT) Full text and rfc822 format available.
This bug report was last modified 1 year and 324 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.