Bug 17463

Summary: ruby needs to be updated to a newer branch in mga6
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Pascal Terjan <pterjan>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, mageia, mhrambo3501
Version: 6   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: ruby-2.2.5-15.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-01-08 01:58:47 CET
As noted here:
https://www.ruby-lang.org/en/news/2015/12/16/ruby-2-0-0-p648-released/

Ruby 2.0.0 will be EOL soon, so we need to update Mageia 5 to a newer branch.

Comment 1 Nicolas Lécureuil 2016-11-18 12:33:25 CET
Any idea of what to do, Pascal?

CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2016-11-24 09:45:45 CET
Pascal, to which version should we update? Which packages to update too?
Comment 3 Pascal Terjan 2016-11-24 14:40:01 CET
I would say none, and no idea of the packages to update.

If we want to do it we will need to rebuild all the ruby packages and fix/update all the ones not building.

We would also need to rebuild all the binary ones anyway.
Comment 4 David Walser 2017-08-19 22:38:26 CEST
We are not going to do anything about this for Mageia 5, and we're just trying to get by with backporting security patches ourselves.

Unfortunately though we've put ourselves in the same position with Mageia 6, as 2.2.x will only be supported through March 2018:
https://www.ruby-lang.org/en/news/2017/04/01/support-of-ruby-2-1-has-ended/

It would be great if we could update it to 2.3 or 2.4.

Summary: ruby needs to be updated to a newer branch in mga5 => ruby needs to be updated to a newer branch in mga6
Source RPM: ruby-2.0.0.p648-1.mga4.src.rpm => ruby-2.2.5-15.mga6.src.rpm
Version: 5 => 6

Comment 5 Nicolas Lécureuil 2017-08-19 23:10:31 CEST
Pascal, do you think this is something doable? (We have at least 6 months to do it.)
Comment 6 Marc Krämer 2018-01-11 23:34:27 CET
Even though we don't update the whole package, we should provide security updates:
https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/

CC: (none) => mageia

Comment 7 David Walser 2018-01-12 03:12:34 CET
(In reply to Marc Krämer from comment #6)
> Even though we don't update the whole package, we should provide security
> updates:
> https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/

Fortunately we've been able to patch security issues so far.  That particular issue was fixed in Bug 21678.
Comment 8 Mike Rambo 2019-11-06 13:10:46 CET
Mageia 6 is EOL.

Resolution: (none) => OLD
CC: (none) => mrambo
Status: NEW => RESOLVED