#1103854 bookworm-pu: package ruby3.1/3.1.7-1~deb12u1

#1103854#5
Date:
2025-04-21 22:59:58 UTC
From:
To:
[ Reason ]
last security release of ruby3.1 before EOL

[ Impact ]
CVEs are not closed

[ Tests ]
autopkgtest + test of package

[ Risks ]
Low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
CVEs closed, regression patch also applied

[ Other info ]
reviewed by tercerio and ruby team

#1103854#12
Date:
2025-06-19 11:41:48 UTC
From:
To:
Control: tag -1 moreinfo

You're going to have to help me out a bit more here, I'm not parsing a
debdiff which is so large it has to be compressed to find out what needs
fixing and why it justifies a stable upload to an entire interpreter.

#1103854#19
Date:
2025-06-27 21:04:47 UTC
From:
To:
Le jeudi 19 juin 2025, 13:41:48 heure d’été d’Europe centrale Jonathan Wiltshire a écrit :
Ok fixed in 3.1.4 https://github.com/ruby/ruby/releases/tag/v3_1_4
    CVE-2023-28755: ReDoS vulnerability in URI
    CVE-2023-28756: ReDoS vulnerability in Time
Fixed in 3.1.5 https://github.com/ruby/ruby/releases/tag/v3_1_5
    CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
    CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
    CVE-2024-27280: Buffer overread vulnerability in StringIO
Fixed in 3.1.7
  CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221

Other CVE are fixed by updating bundling depends

Backport of security fix was too hard, and this is only bug fix release so we backport an entire interpreter
Tercerio could you please add something

#1103854#26
Date:
2025-10-20 14:09:20 UTC
From:
To:
Hi,

I have prepared a debusine test here:
https://debusine.debian.net/debian/developers/work-request/151572/

As you can see the last stable update seems sane

May be it will help you to accept a full update

Backporting fixes for ruby/bookworm is hard and thus I will prefer to update to last 3.1 version that is well tested

rouca

#1103854#31
Date:
2026-05-06 12:46:29 UTC
From:
To:
Hi Bastien,

(finding this by accident while working on rails)

I believe a new upstream version has little chance to get accepted by
SRMs, as I think this never was done before for Debian interpreters or
base languages (Python, Perl, golang, etc.).

Upstream interpreters often fix bugs in stable branches, but such bug
fixes can introduce regressions in production environments that were
costly to test/audit/certify and are meant to stay stable/frozen (except
for security updates, preferably with non-intrusive fixes).

Additionally, I don't think we particularly need fixing e.g. all the
ReDoS vulnerabilities which have low impact but high complexity fixes.

Besides we already did a similar work for bullseye and downwards as part
of LTS/ELTS, which should be reasonably easy to up-port to bookworm.

So I would recommend proposing targeted fixes in this case.

Cheers!
Sylvain Beucler
Debian LTS Team

#1103854#36
Date:
2026-05-23 10:57:18 UTC
From:
To:
Control: tag -1 moreinfo

Sylvain summarises this far more eloquently than I can. I'm not accepting
the diff as it currently stands.

Thanks,