| Message ID | 20220522194732.2962580-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/ruby: security bump to version 3.1.2 | expand |
Hi Peter, Tested-By: Waldemar Brodkorb <wbx@openadk.org> There is an issue with libressl: ossl_pkey.c: In function ‘ossl_pkey_export_traditional’: ossl_pkey.c:681:62: error: invalid use of incomplete typedef ‘EVP_PKEY’ {aka ‘struct evp_pkey_st’} 681 | EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &aname, pkey->ameth); Any idea? best regards Waldemar Peter Korsgaard wrote, > Fixes the following security issues: > > - CVE-2022-28738: Double free in Regexp compilation > - CVE-2022-28739: Buffer overrun in String-to-Float conversion > > For more details, see the announcement: > https://www.ruby-lang.org/en/news/2022/04/12/ruby-3-1-2-released/ > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > --- > package/ruby/ruby.hash | 5 +++-- > package/ruby/ruby.mk | 2 +- > 2 files changed, 4 insertions(+), 3 deletions(-) > > diff --git a/package/ruby/ruby.hash b/package/ruby/ruby.hash > index 90e7627a97..da6221ec50 100644 > --- a/package/ruby/ruby.hash > +++ b/package/ruby/ruby.hash > @@ -1,5 +1,6 @@ > -# https://www.ruby-lang.org/en/news/2021/12/25/ruby-3-1-0-released/ > -sha512 a2bb6b5e62d5fa06dd9c30cf84ddcb2c27cb87fbaaffd2309a44391a6b110e1dde6b7b0d8c659b56387ee3c9b4264003f3532d5a374123a7c187ebba9293f320 ruby-3.1.0.tar.xz > +# https://www.ruby-lang.org/en/news/2022/04/12/ruby-3-1-2-released/ > +sha512 4a74e9efc6ea4b3eff4fec7534eb1fff4794d021531defc2e9937e53c6668db8ecdc0fff2bc23d5e6602d0df344a2caa85b31c5414309541e3d5313ec82b6e21 ruby-3.1.2.tar.xz > + > # License files, Locally calculated > sha256 794c384f94396ab07e3e6f53a9f8be093facb7eb4193266024302b93b29e12dc LEGAL > sha256 967586d538a28955ec2541910cf63c5ac345fcdea94bfb1f1705a1f6eb36bcbb COPYING > diff --git a/package/ruby/ruby.mk b/package/ruby/ruby.mk > index 4f3b94f83b..cbdfa4b826 100644 > --- a/package/ruby/ruby.mk > +++ b/package/ruby/ruby.mk > @@ -5,7 +5,7 @@ > ################################################################################ > > RUBY_VERSION_MAJOR = 3.1 > -RUBY_VERSION = $(RUBY_VERSION_MAJOR).0 > +RUBY_VERSION = $(RUBY_VERSION_MAJOR).2 > RUBY_VERSION_EXT = 3.1.0 > RUBY_SITE = http://cache.ruby-lang.org/pub/ruby/$(RUBY_VERSION_MAJOR) > RUBY_SOURCE = ruby-$(RUBY_VERSION).tar.xz > -- > 2.30.2 >
On Mon, 23 May 2022 14:39:11 +0200 Waldemar Brodkorb <wbx@openadk.org> wrote: > Hi Peter, > > Tested-By: Waldemar Brodkorb <wbx@openadk.org> > > > There is an issue with libressl: > ossl_pkey.c: In function ‘ossl_pkey_export_traditional’: > ossl_pkey.c:681:62: error: invalid use of incomplete typedef > ‘EVP_PKEY’ {aka ‘struct evp_pkey_st’} > 681 | EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &aname, > pkey->ameth); > > Any idea? Indeed, but this issue is already reproducible before the ruby security bump, so it needs to be fixed separately. Best regards, Thomas
On Sun, 22 May 2022 21:47:32 +0200 Peter Korsgaard <peter@korsgaard.com> wrote: > Fixes the following security issues: > > - CVE-2022-28738: Double free in Regexp compilation > - CVE-2022-28739: Buffer overrun in String-to-Float conversion > > For more details, see the announcement: > https://www.ruby-lang.org/en/news/2022/04/12/ruby-3-1-2-released/ > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > --- > package/ruby/ruby.hash | 5 +++-- > package/ruby/ruby.mk | 2 +- > 2 files changed, 4 insertions(+), 3 deletions(-) Applied to master, thanks. Thomas
diff --git a/package/ruby/ruby.hash b/package/ruby/ruby.hash index 90e7627a97..da6221ec50 100644 --- a/package/ruby/ruby.hash +++ b/package/ruby/ruby.hash @@ -1,5 +1,6 @@ -# https://www.ruby-lang.org/en/news/2021/12/25/ruby-3-1-0-released/ -sha512 a2bb6b5e62d5fa06dd9c30cf84ddcb2c27cb87fbaaffd2309a44391a6b110e1dde6b7b0d8c659b56387ee3c9b4264003f3532d5a374123a7c187ebba9293f320 ruby-3.1.0.tar.xz +# https://www.ruby-lang.org/en/news/2022/04/12/ruby-3-1-2-released/ +sha512 4a74e9efc6ea4b3eff4fec7534eb1fff4794d021531defc2e9937e53c6668db8ecdc0fff2bc23d5e6602d0df344a2caa85b31c5414309541e3d5313ec82b6e21 ruby-3.1.2.tar.xz + # License files, Locally calculated sha256 794c384f94396ab07e3e6f53a9f8be093facb7eb4193266024302b93b29e12dc LEGAL sha256 967586d538a28955ec2541910cf63c5ac345fcdea94bfb1f1705a1f6eb36bcbb COPYING diff --git a/package/ruby/ruby.mk b/package/ruby/ruby.mk index 4f3b94f83b..cbdfa4b826 100644 --- a/package/ruby/ruby.mk +++ b/package/ruby/ruby.mk @@ -5,7 +5,7 @@ ################################################################################ RUBY_VERSION_MAJOR = 3.1 -RUBY_VERSION = $(RUBY_VERSION_MAJOR).0 +RUBY_VERSION = $(RUBY_VERSION_MAJOR).2 RUBY_VERSION_EXT = 3.1.0 RUBY_SITE = http://cache.ruby-lang.org/pub/ruby/$(RUBY_VERSION_MAJOR) RUBY_SOURCE = ruby-$(RUBY_VERSION).tar.xz
Fixes the following security issues: - CVE-2022-28738: Double free in Regexp compilation - CVE-2022-28739: Buffer overrun in String-to-Float conversion For more details, see the announcement: https://www.ruby-lang.org/en/news/2022/04/12/ruby-3-1-2-released/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/ruby/ruby.hash | 5 +++-- package/ruby/ruby.mk | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-)