- Package:
- release.debian.org
- Source:
- release.debian.org
- Submitter:
- Bastien Roucaries
- Date:
- 2026-05-23 10:59:02 UTC
- Severity:
- normal
- Tags:
[ Reason ] last security release of ruby3.1 before EOL [ Impact ] CVEs are not closed [ Tests ] autopkgtest + test of package [ Risks ] Low [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] CVEs closed, regression patch also applied [ Other info ] reviewed by tercerio and ruby team
Control: tag -1 moreinfo You're going to have to help me out a bit more here, I'm not parsing a debdiff which is so large it has to be compressed to find out what needs fixing and why it justifies a stable upload to an entire interpreter.
Le jeudi 19 juin 2025, 13:41:48 heure d’été d’Europe centrale Jonathan Wiltshire a écrit :
Ok fixed in 3.1.4 https://github.com/ruby/ruby/releases/tag/v3_1_4
CVE-2023-28755: ReDoS vulnerability in URI
CVE-2023-28756: ReDoS vulnerability in Time
Fixed in 3.1.5 https://github.com/ruby/ruby/releases/tag/v3_1_5
CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
CVE-2024-27280: Buffer overread vulnerability in StringIO
Fixed in 3.1.7
CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221
Other CVE are fixed by updating bundling depends
Backport of security fix was too hard, and this is only bug fix release so we backport an entire interpreter
Tercerio could you please add something
Hi, I have prepared a debusine test here: https://debusine.debian.net/debian/developers/work-request/151572/ As you can see the last stable update seems sane May be it will help you to accept a full update Backporting fixes for ruby/bookworm is hard and thus I will prefer to update to last 3.1 version that is well tested rouca
Hi Bastien, (finding this by accident while working on rails) I believe a new upstream version has little chance to get accepted by SRMs, as I think this never was done before for Debian interpreters or base languages (Python, Perl, golang, etc.). Upstream interpreters often fix bugs in stable branches, but such bug fixes can introduce regressions in production environments that were costly to test/audit/certify and are meant to stay stable/frozen (except for security updates, preferably with non-intrusive fixes). Additionally, I don't think we particularly need fixing e.g. all the ReDoS vulnerabilities which have low impact but high complexity fixes. Besides we already did a similar work for bullseye and downwards as part of LTS/ELTS, which should be reasonably easy to up-port to bookworm. So I would recommend proposing targeted fixes in this case. Cheers! Sylvain Beucler Debian LTS Team
Control: tag -1 moreinfo Sylvain summarises this far more eloquently than I can. I'm not accepting the diff as it currently stands. Thanks,