[PATCH] gnu: ruby: Update to 3.0.4 [security fixes].

Done

Details

3 participants

Marius Bakke
Maxime Devos
Remco van 't Veer

Owner: unassigned

Submitted by: Remco van 't Veer

Severity: normal

Remco van 't Veer wrote on 29 Jun 2022 17:55

Recipients:(address . guix-patches@gnu.org)(name . Remco van 't Veer)(address . remco@remworks.net)

Message-ID:20220629155555.5478-1-remco@remworks.net

Includes fixes for: CVE-2022-28738, CVE-2022-28739, CVE-2021-41819,

CVE-2021-41816, and CVE-2021-41817.

* gnu/packages/ruby.scm (ruby-3.0): Update to 3.0.4.

---

gnu/packages/ruby.scm | 5 +++--

1 file changed, 3 insertions(+), 2 deletions(-)

Toggle diff (32 lines)diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 68e5d8dfd6..41774b4907 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -28,6 +28,7 @@
 ;;; Copyright © 2021 EuAndreh <eu@euandre.org>
 ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin@mailbox.org>
 ;;; Copyright © 2021 Giovanni Biscuolo <g@xelera.eu>
+;;; Copyright © 2022 Remco van 't Veer <remco@remworks.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -189,7 +190,7 @@ (define-public ruby-2.7
 (define-public ruby-3.0
   (package
     (inherit ruby-2.7)
-    (version "3.0.2")
+    (version "3.0.4")
     (source
      (origin
        (method url-fetch)
@@ -198,7 +199,7 @@ (define-public ruby-3.0
                            "/ruby-" version ".tar.xz"))
        (sha256
         (base32
-         "0h2w2ms4gx2s96v3lzdr3add94bd2qqkhdjzaycmaqhg21rpf3jp"))))))
+         "1w7jpq3flnm007z5kj8kixgm8l4smb80w8ak4993a12j0irzq8lf"))))))
 
 (define-public ruby-3.1
   (package
-- 
2.36.1

Maxime Devos wrote on 30 Jun 2022 12:07

Recipients:

Message-ID:b93a38c77b375c2c9e226c5b7616c1f9291eec8e.camel@telenet.be

Remco van 't Veer schreef op wo 29-06-2022 om 17:55 [+0200]:

Toggle quote (15 lines)> �(define-public ruby-3.0
> �� (package
> ���� (inherit ruby-2.7)
> -��� (version "3.0.2")
> +��� (version "3.0.4")
> ���� (source
> ����� (origin
> ������� (method url-fetch)
> @@ -198,7 +199,7 @@ (define-public ruby-3.0
> ��������������������������� "/ruby-" version ".tar.xz"))
> ������� (sha256
> �������� (base32
> -�������� "0h2w2ms4gx2s96v3lzdr3add94bd2qqkhdjzaycmaqhg21rpf3jp"))))))
> +�������� "1w7jpq3flnm007z5kj8kixgm8l4smb80w8ak4993a12j0irzq8lf"))))))

Hash matches what I get locally (without fallbacks).

The download matches the hashes at

https://www.ruby-lang.org/en/news/2022/04/12/ruby-3-0-4-released/.

Next step: compare diff ...

-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYr110RccbWF4aW1lZGV2

b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7gSGAQDccuIHWNLCTM14Id1opsw0owQa

vWubVO2jqogsHcUzewEA265+BkXmFgf7LtL8cclTVjCjLSYIJYot1RCH7FtGAgs=

=C0nH

-----END PGP SIGNATURE-----

Maxime Devos wrote on 30 Jun 2022 13:17

Recipients:

Message-ID:057aef5e94b2c535cd32f9b3b0a061c7ea77d914.camel@telenet.be

Maxime Devos schreef op do 30-06-2022 om 12:07 [+0200]:

Toggle quote (24 lines)> Remco van 't Veer schreef op wo 29-06-2022 om 17:55 [+0200]:
> > �(define-public ruby-3.0
> > �� (package
> > ���� (inherit ruby-2.7)
> > -��� (version "3.0.2")
> > +��� (version "3.0.4")
> > ���� (source
> > ����� (origin
> > ������� (method url-fetch)
> > @@ -198,7 +199,7 @@ (define-public ruby-3.0
> > ��������������������������� "/ruby-" version ".tar.xz"))
> > ������� (sha256
> > �������� (base32
> > -��������
> "0h2w2ms4gx2s96v3lzdr3add94bd2qqkhdjzaycmaqhg21rpf3jp"))))))
> > +��������
> "1w7jpq3flnm007z5kj8kixgm8l4smb80w8ak4993a12j0irzq8lf"))))))
> 
> Hash matches what I get locally (without fallbacks).
> The download matches the hashes at
> <https://www.ruby-lang.org/en/news/2022/04/12/ruby-3-0-4-released/>.
> 
> Next step: compare diff ...

Aside from some old bundling & generated file issues (for which I've

made another (non-blocking) bug report), diff didn't seem ‘suspicious’

while scrolling through it, though it would be rather easy to hide

something there.

So assuming it builds, I don't expect problems with this update.

(Also, it doesn't have any dependents.)

Greetings,

Maxime.

-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYr2GVRccbWF4aW1lZGV2

b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7lxHAQCI7Hvej9bOviCjLcb+ZZaL0Xs0

CwUeJL0p5t4L1aGsXwD/XIDdXjn7ajTDXWIBraYq6Cpg0OBgpS5BUUBDXPvT5ww=

=DM5f

-----END PGP SIGNATURE-----

Marius Bakke wrote on 29 Aug 2022 16:49

Recipients:(name . Remco van 't Veer)(address . remco@remworks.net)

Message-ID:87ilmbds01.fsf@gnu.org

Remco van 't Veer <remco@remworks.net> skriver:

Toggle quote (5 lines)

> Includes fixes for: CVE-2022-28738, CVE-2022-28739, CVE-2021-41819,

> CVE-2021-41816, and CVE-2021-41817.

> * gnu/packages/ruby.scm (ruby-3.0): Update to 3.0.4.

Applied, thanks!

-----BEGIN PGP SIGNATURE-----

iIUEARYKAC0WIQRNTknu3zbaMQ2ddzTocYulkRQQdwUCYwzR/g8cbWFyaXVzQGdu

dS5vcmcACgkQ6HGLpZEUEHediwEA5sWnSQvk7qR1UVYxCxAHyAC3hSgt50mZYfDT

t0fbAo0A/j6jHA1RTkiSxpkzJWc8j1SuV1Z58TuviQCRHydArc4J

=ePXu

-----END PGP SIGNATURE-----

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 56303@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date