Ruby has issued advisories today (April 12):
http://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/
http://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/

The issues are fixed upstream in 2.7.6 and 3.1.2:
http://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/
http://www.ruby-lang.org/en/news/2022/04/12/ruby-3-1-2-released/

Mageia 8 is only affected by the second issue.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.7.6 and 3.1.2
Ruby 3.1.2 building for Cauldron, working on 2.7.6 for 8.
Submitted ruby-2.7.6-33.4.mga8
Suggested advisory:
========================

Updated ruby packages fix a security vulnerability

A buffer overrun was found in String-to-Float conversion (CVE-2022-28739).

References:
http://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/
========================

Updated packages in core/updates_testing:
========================
lib{,64}ruby2.7-2.7.6-33.4.mga8
ruby-2.7.6-33.4.mga8
ruby-bigdecimal-2.0.0-33.4.mga8
ruby-bundler-2.2.24-33.4.mga8
ruby-devel-2.7.6-33.4.mga8
ruby-did_you_mean-1.4.0-33.4.mga8
ruby-doc-2.7.6-33.4.mga8
ruby-io-console-0.5.6-33.4.mga8
ruby-irb-2.7.6-33.4.mga8
ruby-json-2.3.0-33.4.mga8
ruby-net-telnet-0.2.0-33.4.mga8
ruby-openssl-2.1.3-33.4.mga8
ruby-power_assert-1.1.7-33.4.mga8
ruby-psych-3.1.0-33.4.mga8
ruby-rake-13.0.1-33.4.mga8
ruby-rdoc-6.2.1.1-33.4.mga8
ruby-RubyGems-3.1.2-33.4.mga8
ruby-test-unit-3.3.4-33.4.mga8
ruby-xmlrpc-0.3.0-33.4.mga8

Source RPMs:
ruby-2.7.6-33.4.mga8.src.rpm
Assignee: pterjan => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
mga8, x64

Using ruby every day, main scripting language.

Updated the listed packages.

Used irb for basic command-line tests as in earlier bugs. No regressions noted there.

$ ruby -e "puts (11..17).inject( &:+ )"
98

Ran several local ruby scripts with Tk graphics. No problems.

$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
benchmark (default: 0.1.0)
bigdecimal (2.0.0)
bundler (2.2.24)
cgi (default: 0.1.0.1)
.........

$ sudo gem uninstall vagrant_cloud
ERROR:  While executing gem ... (Gem::InstallError)
    vagrant_cloud is not installed in GEM_HOME, try:
        gem uninstall -i /usr/share/gems vagrant_cloud

$ sudo gem uninstall -i /usr/share/gems vagrant_cloud
Successfully uninstalled vagrant_cloud-3.0.2

$ sudo gem install nokogiri
Fetching racc-1.6.0.gem
Building native extensions. This could take a while...
Successfully installed racc-1.6.0
Fetching nokogiri-1.13.4-x86_64-linux.gem
Successfully installed nokogiri-1.13.4-x86_64-linux
Parsing documentation for racc-1.6.0
Installing ri documentation for racc-1.6.0
Parsing documentation for nokogiri-1.13.4-x86_64-linux
Installing ri documentation for nokogiri-1.13.4-x86_64-linux
Done installing documentation for racc, nokogiri after 1 seconds
2 gems installed

facter produces a system inventory.

$ facter
architecture => x86_64
blockdevice_nvme0n1_model => Samsung SSD 970 EVO 1TB
blockdevice_nvme0n1_size => 1000204886016
blockdevice_sda_model => Samsung SSD 860
[...]
timezone => BST
uniqueid => a8c06401
uptime => 15 days
uptime_days => 15
uptime_hours => 361
uptime_seconds => 1302505
virtual => physical

There are problems with puppet, currently in updates testing.

Looks like ruby can be used.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Status comment: Fixed upstream in 2.7.6 and 3.1.2 => (none)
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0143.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED