[PATCH] gnu: ruby: Update to 3.0.4 [security fixes].

OpenSubmitted by Remco van 't Veer.
Details
2 participants
  • Maxime Devos
  • Remco van 't Veer
Owner
unassigned
Severity
normal
R
R
Remco van 't Veer wrote on 29 Jun 17:55 +0200
(address . guix-patches@gnu.org)(name . Remco van 't Veer)(address . remco@remworks.net)
20220629155555.5478-1-remco@remworks.net
Includes fixes for: CVE-2022-28738, CVE-2022-28739, CVE-2021-41819,
CVE-2021-41816, and CVE-2021-41817.

* gnu/packages/ruby.scm (ruby-3.0): Update to 3.0.4.
---
gnu/packages/ruby.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

Toggle diff (32 lines)
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 68e5d8dfd6..41774b4907 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -28,6 +28,7 @@
 ;;; Copyright © 2021 EuAndreh <eu@euandre.org>
 ;;; Copyright © 2020 Tomás Ortín Fernández <tomasortin@mailbox.org>
 ;;; Copyright © 2021 Giovanni Biscuolo <g@xelera.eu>
+;;; Copyright © 2022 Remco van 't Veer <remco@remworks.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -189,7 +190,7 @@ (define-public ruby-2.7
 (define-public ruby-3.0
   (package
     (inherit ruby-2.7)
-    (version "3.0.2")
+    (version "3.0.4")
     (source
      (origin
        (method url-fetch)
@@ -198,7 +199,7 @@ (define-public ruby-3.0
                            "/ruby-" version ".tar.xz"))
        (sha256
         (base32
-         "0h2w2ms4gx2s96v3lzdr3add94bd2qqkhdjzaycmaqhg21rpf3jp"))))))
+         "1w7jpq3flnm007z5kj8kixgm8l4smb80w8ak4993a12j0irzq8lf"))))))
 
 (define-public ruby-3.1
   (package
-- 
2.36.1
M
M
Maxime Devos wrote on 30 Jun 12:07 +0200
b93a38c77b375c2c9e226c5b7616c1f9291eec8e.camel@telenet.be
Remco van 't Veer schreef op wo 29-06-2022 om 17:55 [+0200]:
Toggle quote (15 lines)
>  (define-public ruby-3.0
>    (package
>      (inherit ruby-2.7)
> -    (version "3.0.2")
> +    (version "3.0.4")
>      (source
>       (origin
>         (method url-fetch)
> @@ -198,7 +199,7 @@ (define-public ruby-3.0
>                             "/ruby-" version ".tar.xz"))
>         (sha256
>          (base32
> -         "0h2w2ms4gx2s96v3lzdr3add94bd2qqkhdjzaycmaqhg21rpf3jp"))))))
> +         "1w7jpq3flnm007z5kj8kixgm8l4smb80w8ak4993a12j0irzq8lf"))))))

Hash matches what I get locally (without fallbacks).
The download matches the hashes at

Next step: compare diff ...
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYr110RccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7gSGAQDccuIHWNLCTM14Id1opsw0owQa
vWubVO2jqogsHcUzewEA265+BkXmFgf7LtL8cclTVjCjLSYIJYot1RCH7FtGAgs=
=C0nH
-----END PGP SIGNATURE-----


M
M
Maxime Devos wrote on 30 Jun 13:17 +0200
057aef5e94b2c535cd32f9b3b0a061c7ea77d914.camel@telenet.be
Maxime Devos schreef op do 30-06-2022 om 12:07 [+0200]:
Toggle quote (24 lines)
> Remco van 't Veer schreef op wo 29-06-2022 om 17:55 [+0200]:
> >  (define-public ruby-3.0
> >    (package
> >      (inherit ruby-2.7)
> > -    (version "3.0.2")
> > +    (version "3.0.4")
> >      (source
> >       (origin
> >         (method url-fetch)
> > @@ -198,7 +199,7 @@ (define-public ruby-3.0
> >                             "/ruby-" version ".tar.xz"))
> >         (sha256
> >          (base32
> > -        
> "0h2w2ms4gx2s96v3lzdr3add94bd2qqkhdjzaycmaqhg21rpf3jp"))))))
> > +        
> "1w7jpq3flnm007z5kj8kixgm8l4smb80w8ak4993a12j0irzq8lf"))))))
>
> Hash matches what I get locally (without fallbacks).
> The download matches the hashes at
> <https://www.ruby-lang.org/en/news/2022/04/12/ruby-3-0-4-released/>.
>
> Next step: compare diff ...

Aside from some old bundling & generated file issues (for which I've
made another (non-blocking) bug report), diff didn't seem ‘suspicious’
while scrolling through it, though it would be rather easy to hide
something there.

So assuming it builds, I don't expect problems with this update.
(Also, it doesn't have any dependents.)

Greetings,
Maxime.
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYr2GVRccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7lxHAQCI7Hvej9bOviCjLcb+ZZaL0Xs0
CwUeJL0p5t4L1aGsXwD/XIDdXjn7ajTDXWIBraYq6Cpg0OBgpS5BUUBDXPvT5ww=
=DM5f
-----END PGP SIGNATURE-----


?