Bug 27401 - ruby new security issue CVE-2020-25613
Summary: ruby new security issue CVE-2020-25613
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-13 18:01 CEST by David Walser
Modified: 2020-11-13 22:22 CET

See Also:
Source RPM: ruby-2.5.7-20.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-10-13 18:01:14 CEST
Ruby has issued an advisory on September 29:
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/

The issue is fixed upstream in 2.7.2:
https://www.ruby-lang.org/en/news/2020/10/02/ruby-2-7-2-released/

Debian-LTS has issued an advisory for this on October 1:
https://www.debian.org/lts/security/2020/dla-2391

Mageia 7 is also affected.
David Walser 2020-10-13 18:01:21 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Aurelien Oudelet 2020-10-14 18:33:42 CEST
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => pterjan

Comment 2 David Walser 2020-10-16 17:45:39 CEST
Fedora has issued an advisory for this on October 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ/

Severity: normal => major

Pascal Terjan 2020-10-17 22:39:44 CEST

Blocks: (none) => 27443

Comment 3 Pascal Terjan 2020-10-17 22:44:06 CEST
Cauldron now has 2.7.2.

Blocks: 27443 => (none)

Aurelien Oudelet 2020-10-17 22:44:44 CEST

Blocks: (none) => 27443

Aurelien Oudelet 2020-10-17 22:45:04 CEST

Blocks: 27443 => (none)

David Walser 2020-10-18 00:03:59 CEST

Source RPM: ruby-2.7.1-31.mga8.src.rpm => ruby-2.5.7-20.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 4 Pascal Terjan 2020-11-08 21:08:33 CET
Tests keep failing on 7 with:

[ 1339/17449] OpenSSL::TestPair#test_connect_accept_nonblock#<Thread:0x0c6c878c@/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/openssl/test_pair.rb:452 run> terminated with exception (report_on_exception is true):
/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/openssl/test_pair.rb:453:in `initialize': SSL_CTX_use_certificate: ee key too small (OpenSSL::SSL::SSLError)
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/openssl/test_pair.rb:453:in `new'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/openssl/test_pair.rb:453:in `block in test_connect_accept_nonblock'

It builds fine here, so I wonder if it's something in updates or updates_testing that my local iurt would not use.

I added some upstream patch which was supposed to help (http://svnweb.mageia.org/packages/updates/7/ruby/current/SOURCES/1e54903684aa3c9ea3fe54520157846a1b1f07be.patch?revision=1643789&view=markup) but it failed again.
Comment 5 David Walser 2020-11-08 21:20:51 CET
Which openssl is it running against (1.0.2 or 1.1.x)?  Maybe you can disable the tests.
Comment 6 Pascal Terjan 2020-11-08 21:24:18 CET
From http://pkgsubmit.mageia.org/uploads/failure/7/core/updates_testing/20201108141104.pterjan.duvel.35384/log/ruby-2.5.8-22.mga7/install_deps-1.0.20201108141158.log it is using libopenssl-devel-1.1.0l-1.1.mga7.i586.rpm 

I added updates media here to try to reproduce, but yes, worst case I'll disable that test given that it is unrelated to what is getting patched in this update.
Comment 7 Pascal Terjan 2020-11-08 21:32:48 CET
It seems the submit somehow didn't use the latest commit; locally, using updates and the latest commit, it builds fine, so trying again.
Comment 8 David Walser 2020-11-08 22:01:06 CET
Make sure when you use mgarepo submit, you always give the package name (7/ruby in this case) as an argument.  Otherwise it will submit from the commit you originally checked out in your current working directory, a misfeature of the tool.
Comment 9 Pascal Terjan 2020-11-08 22:22:13 CET
Now all the ssl tests pass, but I got similar failures in webrick https tests (this time SSL_CTX_use_certificate: ca md too weak). The strange part is that it builds fine locally in iurt...

[17026/17445] TestWEBrickHTTPProxy#test_connect#<Thread:0x000000004719d3f8@/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:57 run> terminated with exception (report_on_exception is true):
/home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/protocol.rb:41:in `ssl_socket_connect': Net::OpenTimeout (Net::OpenTimeout)
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:985:in `connect'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:920:in `do_start'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:909:in `start'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:1458:in `request'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/test_httpproxy.rb:175:in `block (2 levels) in test_connect'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:59:in `block in start_server'
#<Thread:0x000000004719ea28@/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:57 run> terminated with exception (report_on_exception is true):
/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/lib/test/unit/assertions.rb:835:in `assert_join_threads': exceptions on 1 threads: (MiniTest::Assertion)
#<Thread:0x000000004719d3f8@/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:57 dead>:
/home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/protocol.rb:41:in `ssl_socket_connect': Net::OpenTimeout (Net::OpenTimeout)
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:985:in `connect'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:920:in `do_start'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:909:in `start'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/net/http.rb:1458:in `request'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/test_httpproxy.rb:175:in `block (2 levels) in test_connect'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:59:in `block in start_server'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:64:in `start_server'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:72:in `start_httpproxy'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/test_httpproxy.rb:166:in `block in test_connect'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:59:in `block in start_server'
#<Thread:0x000000004719ebb8@/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:50 run> terminated with exception (report_on_exception is true):
/home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/lib/minitest/unit.rb:201:in `assert': <[]> expected but was (MiniTest::Assertion)
<["[2020-11-08 20:51:57] ERROR OpenSSL::SSL::SSLError: SSL_CTX_use_certificate: ca md too weak\n" +
 "\t/home/iurt/rpmbuild/BUILD/ruby-2.5.8/lib/webrick/server.rb:259:in `initialize'\n"]>.
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/lib/test/unit/assertions.rb:37:in `assert'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/lib/test/unit/assertions.rb:300:in `assert_equal'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:36:in `block in <module:TestWEBrick>'
	from /home/iurt/rpmbuild/BUILD/ruby-2.5.8/test/webrick/utils.rb:53:in `block in start_server'
 = 60.08 sLeaked file descriptor: TestWEBrickHTTPProxy#test_connect: 27


However, this one worries me more, as I believe it's a feature of webrick to generate self-signed certificates for local testing, so this one may impact users and not only tests. I'll look more into it.

Looking at the code it does:

    def setup_ssl_context(config) # :nodoc:
      unless config[:SSLCertificate]
        cn = config[:SSLCertName]
        comment = config[:SSLCertComment]
        # key size is hard-coded to 1024 bits here
        cert, key = Utils::create_self_signed_cert(1024, cn, comment)
        config[:SSLCertificate] = cert
        config[:SSLPrivateKey] = key
      end
      # (rest of the method not quoted)
    end

It seems this was increased in https://github.com/ruby/webrick/commit/0ff321aa74a056faec3cfa77795003353fe8412d so I'll add that patch too.
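A pre-flight check for the two OpenSSL errors quoted in this comment ("ee key too small" and "ca md too weak"), as an added example that is not part of webrick or of this update: it builds a self-signed certificate the way the quoted helper does, with the key size as a parameter, and reports what a policy requiring at least 2048-bit RSA and a digest stronger than SHA-1 would object to before the pair reaches an SSLContext. MIN_RSA_BITS, WEAK_DIGESTS and the self_signed helper are assumptions of the example.

```ruby
require 'openssl'

MIN_RSA_BITS = 2048          # assumed policy floor; a 1024-bit key fails it
WEAK_DIGESTS = %w[md5 sha1]  # signature digests the policy reports as "too weak"

# Hypothetical helper: self-signed cert for CN=localhost with an RSA key of
# the requested size, signed with the requested digest (SHA-256 by default).
def self_signed(bits, digest = 'sha256')
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(digest))
  [cert, key]
end

# Objections a strict policy would raise for this certificate; an empty
# array means the pair can be handed to SSLContext#cert= / #key=.
def cert_policy_issues(cert)
  issues = []
  bits = cert.public_key.n.num_bits
  issues << "ee key too small: #{bits} < #{MIN_RSA_BITS} bits" if bits < MIN_RSA_BITS
  algo = cert.signature_algorithm   # e.g. "sha256WithRSAEncryption"
  issues << "ca md too weak: #{algo}" if WEAK_DIGESTS.any? { |d| algo.downcase.start_with?(d) }
  issues
end

# Convenience wrapper: what would the policy say about a cert of this key size?
def issues_for_key_size(bits)
  cert, _key = self_signed(bits)
  cert_policy_issues(cert)
end

if __FILE__ == $0
  [1024, 2048].each { |b| puts "#{b}-bit key: #{issues_for_key_size(b).inspect}" }
end
```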
Comment 10 David Walser 2020-11-08 22:30:30 CET
You might need to change it to 4096.

I'm starting to wonder if there's some non-deterministic ordering issue (probably due to a dependency loop) with running scriptlets and not getting the crypto policy set correctly.  I've seen a few reports of this issue popping up but haven't seen it myself and obviously it's working for most people, so I don't think there's anything inherently wrong with the packages.
Comment 11 Pascal Terjan 2020-11-10 21:46:50 CET
ruby-2.5.8-22.mga7 is finally built (still uploading).
Comment 12 David Walser 2020-11-10 22:01:28 CET
Advisory:
========================

Updated ruby packages fix security vulnerability:

A potential HTTP request smuggling vulnerability in WEBrick was reported.
WEBrick was too tolerant against an invalid Transfer-Encoding header. This may
lead to inconsistent interpretation between WEBrick and some HTTP proxy
servers, which may allow the attacker to “smuggle” a request (CVE-2020-25613).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
========================

Updated packages in core/updates_testing:
========================
ruby-2.5.8-22.mga7
libruby2.5-2.5.8-22.mga7
ruby-doc-2.5.8-22.mga7
ruby-devel-2.5.8-22.mga7
ruby-openssl-2.1.2-22.mga7
ruby-power_assert-1.1.1-22.mga7
ruby-irb-2.5.8-22.mga7
ruby-did_you_mean-1.2.0-22.mga7
ruby-io-console-0.4.6-22.mga7
ruby-psych-3.0.2-22.mga7
ruby-net-telnet-0.1.1-22.mga7
ruby-test-unit-3.2.7-22.mga7
ruby-xmlrpc-0.3.0-22.mga7

from ruby-2.5.8-22.mga7.src.rpm

Assignee: pterjan => qa-bugs
CC: (none) => pterjan
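The Transfer-Encoding tolerance the advisory describes, as an added illustration in Ruby (not WEBrick's code and not the upstream patch): a lenient framing check that accepts any value containing "chunked" beside a strict one that accepts only a single exact "chunked" header and rejects Transfer-Encoding combined with Content-Length. The request heads are constructed for the example.

```ruby
# Constructed request heads (headers only, no bodies) used by the two checks.
CLEAN_CHUNKED = "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n"
CLEAN_LENGTH  = "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 12\r\n\r\n"
# Invalid coding that still contains the word "chunked": a front-end that does
# not recognise it may frame the body by Content-Length while a tolerant
# back-end frames it by chunks, the disagreement the advisory describes.
AMBIGUOUS     = "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 12\r\nTransfer-Encoding: xchunked\r\n\r\n"

# Split a request head into its request line and a header-name => [values] map.
def parse_head(raw)
  lines = raw.split("\r\n")
  request_line = lines.shift
  headers = {}
  lines.each do |line|
    break if line.empty?
    name, value = line.split(':', 2)
    (headers[name.strip.downcase] ||= []) << value.to_s.strip
  end
  [request_line, headers]
end

# Tolerant framing: any Transfer-Encoding value mentioning "chunked" wins.
def lenient_framing(headers)
  te = headers.fetch('transfer-encoding', [])
  return :chunked if te.any? { |v| v.match?(/chunked/i) }
  headers.key?('content-length') ? :content_length : :no_body
end

# Strict framing: exactly one Transfer-Encoding header, equal to "chunked",
# and never together with Content-Length; anything else is rejected.
def strict_framing(headers)
  te = headers.fetch('transfer-encoding', [])
  cl = headers.fetch('content-length', [])
  unless te.empty?
    return :reject unless te.size == 1 && te[0].casecmp?('chunked')
    return :reject unless cl.empty?
    return :chunked
  end
  return :no_body if cl.empty?
  cl.size == 1 && cl[0].match?(/\A\d+\z/) ? :content_length : :reject
end

# Both verdicts for one request head, so the disagreement is visible side by side.
def verdicts(raw)
  _, headers = parse_head(raw)
  { lenient: lenient_framing(headers), strict: strict_framing(headers) }
end

[CLEAN_CHUNKED, CLEAN_LENGTH, AMBIGUOUS].each { |r| p verdicts(r) } if __FILE__ == $0
```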

Comment 13 Len Lawrence 2020-11-11 19:52:51 CET
Just looking at this for mga7.
CVE-2020-25613
https://hackerone.com/reports/965267
$ ruby http_server.rb
[2020-11-11 16:43:54] INFO  WEBrick 1.4.2
[2020-11-11 16:43:54] INFO  ruby 2.5.8 (2020-03-31) [x86_64-linux]
[2020-11-11 16:43:54] INFO  WEBrick::HTTPServer#start: pid=19347 port=8080

The minimal server supplied runs OK but I have no idea about haproxy.  It is not supplied as a package in its own right so this looks like a dead end.  There is a set of python-twisted files for haproxy on site but no indication where the haproxy config file lives - nothing in /etc.  If there is an alternative to using haproxy I would need a great deal of help.

Moving on to testing ruby itself.  It has been working fine before updates.
Clean update for all packages.
All user-land scripts working without incident.

$ sudo gem install victor
Fetching: victor-0.3.2.gem (100%)
Successfully installed victor-0.3.2
Parsing documentation for victor-0.3.2
Installing ri documentation for victor-0.3.2
Done installing documentation for victor after 0 seconds
1 gem installed

Cut and pasted a script into irb and generated an on-screen digital clock.

More examples:
$ irb
irb(main):001:0> def leap_year( year )
irb(main):002:1>   if ( year.modulo( 100 ) == 0 ) then
irb(main):003:2*      j = year.modulo( 400 ) == 0 ? 1 : 0
irb(main):004:2>   else
irb(main):005:2>      j = year.modulo( 4 ) == 0 ? 1 : 0
irb(main):006:2>   end
irb(main):007:1>   j == 1
irb(main):008:1> end
=> :leap_year
irb(main):009:0> puts "#{year} is a leap year" if leap_year( 1900 )
=> nil
irb(main):010:0> leap_year( 1952 )
=> true
irb(main):011:0> leap_year( 2021 )
=> false
irb(main):012:0> leap_year( 2000 )
=> true

Oneliners OK.
$ ruby -e "puts(1.upto(31).inject(:+))"
496

Most of the results from whatrequires are ruby packages, as expected.

Others are epic5, ice-ruby, vim - vim probably when editing ruby scripts. Tried that on a gemspec file and, sure enough, it delivers syntax highlighting.
After strace...
$ grep ruby gemspectest
openat(AT_FDCWD, "/lib64/libruby.so.2.5", O_RDONLY|O_CLOEXEC) = 3
.....
stat("/usr/share/vim/syntax/ruby.vim", {st_mode=S_IFREG|0644, st_size=41351, ...}) = 0
openat(AT_FDCWD, "/usr/share/vim/syntax/ruby.vim", O_RDONLY) = 3
stat("/usr/share/vim/syntax/ruby.vim", {st_mode=S_IFREG|0644, st_size=41351, ...}) = 0
read(3, "ubyRegexpParens\tmatchgroup=rubyR"..., 4096) = 4096
read(3, "chgroup=rubyRegexpDelimiter star"..., 4096) = 4096
....

So, ruby is still working in general but cannot say anything about server setups.  Letting it go.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 14 Len Lawrence 2020-11-11 20:06:58 CET
Note on comment 13:  Of course <ruby -e "puts(16*31)"> will be a lot faster.
Comment 15 Aurelien Oudelet 2020-11-12 18:25:53 CET
Validating update. Advisory and packages in Comment 12.
Advisory pushed to SVN.

CC: (none) => ouaurelien, sysadmin-bugs
Keywords: Triaged => advisory, validated_update

Comment 16 Mageia Robot 2020-11-13 22:22:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0423.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED