[ubuntu/questing-proposed] ruby3.3 3.3.8-2ubuntu1 (Accepted)

Athos Ribeiro athos.ribeiro at canonical.com
Wed Jun 11 17:13:18 UTC 2025


ruby3.3 (3.3.8-2ubuntu1) questing; urgency=medium

  * Merge with Debian unstable (LP: #2110442). Remaining changes:
    - d/p/1001-fix-ensure-stack-memory-corruption.patch: add a patch to fix
      "ensure" structure stack memory use-after-free errors.
    - d/p/1002-ppc64le-fix-fiber-corruption.patch: add a patch to fix
      conditional registers getting clobbered on ppc64el during the
      Ruby fiber switching.
  * Dropped changes:
    - SECURITY UPDATE: DoS in net-imap response parser
      + debian/patches/CVE-2025-25186.patch: limit number of UIDs in
        .bundle/gems/net-imap-0.4.9.1/lib/net/imap/response_parser.rb.
      + CVE-2025-25186
      [ Fixed upstream in 3.3.8 ]
    - SECURITY UPDATE: DoS in CGI Gem
      + debian/patches/CVE-2025-27219.patch: use String#concat instead of
        String#+ for reducing cpu usage in lib/cgi/cookie.rb.
      + CVE-2025-27219
      [ Fixed in 3.3.7-2 ]
    - SECURITY UPDATE: ReDoS in CGI Gem
      + debian/patches/CVE-2025-27220.patch: escape/unescape unclosed tags as
        well in lib/cgi/util.rb, test/cgi/test_cgi_util.rb.
      + CVE-2025-27220
      [ Fixed in 3.3.7-2 ]
    - SECURITY UPDATE: credential leak in URI gem
      + debian/patches/CVE-2025-27221-1.patch: truncate userinfo in
        lib/uri/generic.rb, test/uri/test_generic.rb.
      + debian/patches/CVE-2025-27221-2.patch: fix merger of URI with
        authority component in lib/uri/generic.rb, test/uri/test_generic.rb.
      + CVE-2025-27221
      [ Fixed in 3.3.7-2 ]

Date: Mon, 09 Jun 2025 09:46:54 -0300
Changed-By: Athos Ribeiro <athos.ribeiro at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/ruby3.3/3.3.8-2ubuntu1
-------------- next part --------------
Format: 1.8
Date: Mon, 09 Jun 2025 09:46:54 -0300
Source: ruby3.3
Built-For-Profiles: noudeb
Architecture: source
Version: 3.3.8-2ubuntu1
Distribution: questing
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Athos Ribeiro <athos.ribeiro at canonical.com>
Launchpad-Bugs-Fixed: 2110442
Changes:
 ruby3.3 (3.3.8-2ubuntu1) questing; urgency=medium
 .
   * Merge with Debian unstable (LP: #2110442). Remaining changes:
     - d/p/1001-fix-ensure-stack-memory-corruption.patch: add a patch to fix
       "ensure" structure stack memory use-after-free errors.
     - d/p/1002-ppc64le-fix-fiber-corruption.patch: add a patch to fix
       conditional registers getting clobbered on ppc64el during the
       Ruby fiber switching.
   * Dropped changes:
     - SECURITY UPDATE: DoS in net-imap response parser
       + debian/patches/CVE-2025-25186.patch: limit number of UIDs in
         .bundle/gems/net-imap-0.4.9.1/lib/net/imap/response_parser.rb.
       + CVE-2025-25186
       [ Fixed upstream in 3.3.8 ]
     - SECURITY UPDATE: DoS in CGI Gem
       + debian/patches/CVE-2025-27219.patch: use String#concat instead of
         String#+ for reducing cpu usage in lib/cgi/cookie.rb.
       + CVE-2025-27219
       [ Fixed in 3.3.7-2 ]
     - SECURITY UPDATE: ReDoS in CGI Gem
       + debian/patches/CVE-2025-27220.patch: escape/unescape unclosed tags as
         well in lib/cgi/util.rb, test/cgi/test_cgi_util.rb.
       + CVE-2025-27220
       [ Fixed in 3.3.7-2 ]
     - SECURITY UPDATE: credential leak in URI gem
       + debian/patches/CVE-2025-27221-1.patch: truncate userinfo in
         lib/uri/generic.rb, test/uri/test_generic.rb.
       + debian/patches/CVE-2025-27221-2.patch: fix merger of URI with
         authority component in lib/uri/generic.rb, test/uri/test_generic.rb.
       + CVE-2025-27221
       [ Fixed in 3.3.7-2 ]
Checksums-Sha1:
 b295ae34c8bd20dbaacf0aa43e15e397bd2ac016 2711 ruby3.3_3.3.8-2ubuntu1.dsc
 4a0bba7c1d1e718391014b226d308cc1336eba5e 14507672 ruby3.3_3.3.8.orig.tar.xz
 3da1b7cdf6af8534d85075cd4c287bc0b927ab32 67532 ruby3.3_3.3.8-2ubuntu1.debian.tar.xz
 b5ed6f5254290ac4cf7165988218761620f69161 7322 ruby3.3_3.3.8-2ubuntu1_source.buildinfo
Checksums-Sha256:
 7826ac9692b76554ee075f22ac783c14343366e8052052cd64f49d85f5c33d20 2711 ruby3.3_3.3.8-2ubuntu1.dsc
 e2e1233ad275b7623a05edf23a01192626d1da454bdfe353a28a87acd8ef015c 14507672 ruby3.3_3.3.8.orig.tar.xz
 79d0d51386863f33690f265af01a532553f5c96cf7c56ae709f49389f69d816d 67532 ruby3.3_3.3.8-2ubuntu1.debian.tar.xz
 7fee5f0062013f258cfa3910c7e829ce3c33b1ab605889dad57a61b7dd187b69 7322 ruby3.3_3.3.8-2ubuntu1_source.buildinfo
Files:
 ff4043b4e6930ca6cd2da92491a36ad3 2711 ruby optional ruby3.3_3.3.8-2ubuntu1.dsc
 313ddd79a513aeeebfcc4bf10b55c861 14507672 ruby optional ruby3.3_3.3.8.orig.tar.xz
 5621b601c027778168d4dcb94a701fce 67532 ruby optional ruby3.3_3.3.8-2ubuntu1.debian.tar.xz
 075094c495b1d9644432cb179c208e86 7322 ruby optional ruby3.3_3.3.8-2ubuntu1_source.buildinfo
Original-Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers at lists.alioth.debian.org>

