| field | value | date |
|---|---|---|
| author | Remco van 't Veer <remco@remworks.net> | 2025-03-27 11:25:00 +0100 |
| committer | Christopher Baines <mail@cbaines.net> | 2025-05-26 16:09:51 +0100 |
| commit | 72ac4a8fc6affa789df63382fc1b57c199d0c720 (patch) | |
| tree | 9197fceaa27bfbaed44afc9098f8924b96ff25f3 /gnu/packages/ruby.scm | |
| parent | 935705528d9b3119ea5bc79358c89fe5064666bf (diff) | |
gnu: ruby: Replace with 3.1.7.
Fixes: CVE-2024-27280 (Buffer overread vulnerability in StringIO),
CVE-2024-27281 (RCE vulnerability with .rdoc_options in RDoc),
CVE-2024-27282 (Arbitrary memory address read vulnerability with Regex
search), CVE-2025-27219 (Denial of Service in CGI::Cookie.parse),
CVE-2025-27220 (ReDoS in CGI::Util#escapeElement), and
CVE-2025-27221 (userinfo leakage in URI#join, URI#merge and URI#+).
* gnu/packages/ruby.scm (ruby-3.1.7): New variable.
(ruby-3.1)[replacement]: Replace with ruby-3.1.7.
Change-Id: I9c4758f4622d5844cc9a23c2865a3d0210a4ebae
Signed-off-by: Christopher Baines <mail@cbaines.net>
Diffstat (limited to 'gnu/packages/ruby.scm')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | gnu/packages/ruby.scm | 19 |

1 files changed, 18 insertions, 1 deletions
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 80903c787c0..3b47b91f3bf 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -29,7 +29,7 @@ ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin@mailbox.org> ;;; Copyright © 2021 Giovanni Biscuolo <g@xelera.eu> ;;; Copyright © 2022 Philip McGrath <philip@philipmcgrath.com> -;;; Copyright © 2022-2024 Remco van 't Veer <remco@remworks.net> +;;; Copyright © 2022-2025 Remco van 't Veer <remco@remworks.net> ;;; Copyright © 2022 Taiju HIGASHI <higashi@taiju.info> ;;; Copyright © 2023 Yovan Naumovski <yovan@gorski.stream> ;;; Copyright © 2023, 2024 gemmaro <gemmaro.dev@gmail.com> @@ -250,6 +250,7 @@ a focus on simplicity and productivity.") (package (inherit ruby-3.0) (version "3.1.4") + (replacement ruby-3.1.7) (source (origin (method url-fetch) @@ -260,6 +261,22 @@ a focus on simplicity and productivity.") (base32 "0kzr792rk9n9yrqlyrkc1a0cmbk5y194f7v7p4vwjdk0ww860v8v")))))) ++;;; TODO: This newer version resolves serveral CVEs. Remove ++;;; after ungrafting ruby. +(define ruby-3.1.7 + (package + (inherit ruby-3.1) + (version "3.1.7") + (source + (origin + (method url-fetch) + (uri (string-append "http://cache.ruby-lang.org/pub/ruby/" + (version-major+minor version) + "/ruby-" version ".tar.xz")) + (sha256 + (base32 + "0ddhh3nzfnwwb0ks3rsmf3w1m71ban30wf61djn8gnkbbd2wr2k5")))))) + (define-public ruby-3.2 (package (inherit ruby-3.1) |
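Review bot: in the second hunk, `(replacement ruby-3.1.7)` added to `ruby-3.1` forward-references a variable that is only defined further down the file, and `ruby-3.1.7` in turn does `(inherit ruby-3.1)`. This only works because the Guix `replacement` field is both thunked (so the forward reference resolves lazily) and innate (so `ruby-3.1.7`, and packages like `ruby-3.2` that inherit from `ruby-3.1`, do not pick up the graft themselves and the graft cannot become circular); that is the expected Guix pattern, but it is worth confirming with a build of `ruby@3.1` that the graft applies and that the `ruby-3.2` definition shown at the end of the diff is unaffected.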
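Review bot: in the third hunk, the two added comment lines appear as `++;;; TODO: This newer version resolves serveral CVEs. Remove` and `++;;; after ungrafting ruby.`, which means the committed source lines start with a literal `+` before `;;;` (the diffstat's count of 18 insertions matches these being two ordinary added lines). A bare `+` at top level is harmless in Guile, but it is a stray character and should be removed; while there, fix `serveral` to `several`. Smaller point on the same hunk: the `uri` fetches from `http://cache.ruby-lang.org/...`; the pinned `sha256` already guarantees the integrity of the tarball regardless of transport, but `https://` is the safer default for a source origin and costs nothing to switch.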
