Ruby has issued an advisory on November 22: http://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/ The issue is fixed upstream in 2.7.7 and 3.1.3: http://www.ruby-lang.org/en/news/2022/11/24/ruby-2-7-7-released/ http://www.ruby-lang.org/en/news/2022/11/24/ruby-3-1-3-released/ Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.7.7 and 3.1.3
Whiteboard: (none) => MGA8TOO
Fedora has issued an advisory for this today (December 8): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/
I prepared Ruby 3.1.3 last week and have been using it but forgot to commit/submit and had missed it was a security update, I'll try to do that tonight and prepare the update for Mageia 8.
Updated packages uploaded for Mageia 8 and Cauldron by Pascal.

ruby-2.7.7-33.6.mga8
libruby2.7-2.7.7-33.6.mga8
ruby-rdoc-6.2.1.1-33.6.mga8
ruby-devel-2.7.7-33.6.mga8
ruby-bundler-2.2.24-33.6.mga8
ruby-RubyGems-3.1.2-33.6.mga8
ruby-test-unit-3.3.4-33.6.mga8
ruby-openssl-2.1.4-33.6.mga8
ruby-rake-13.0.1-33.6.mga8
ruby-irb-2.7.7-33.6.mga8
ruby-psych-3.1.0-33.6.mga8
ruby-bigdecimal-2.0.0-33.6.mga8
ruby-json-2.3.0-33.6.mga8
ruby-xmlrpc-0.3.0-33.6.mga8
ruby-net-telnet-0.2.0-33.6.mga8
ruby-io-console-0.5.6-33.6.mga8
ruby-power_assert-1.1.7-33.6.mga8
ruby-did_you_mean-1.4.0-33.6.mga8
ruby-doc-2.7.7-33.6.mga8

from ruby-2.7.7-33.6.mga8.src.rpm
Assignee: pterjan => qa-bugs
Status comment: Fixed upstream in 2.7.7 and 3.1.3 => (none)
CC: (none) => pterjan
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
mga8, x64

All packages installed cleanly. I use ruby all the time at a basic level. All my gui scripts are still working.

$ gem list

*** LOCAL GEMS ***

activemodel (4.2.11.3)
activeresource (4.0.0)
activesupport (4.2.11.3)
ast (2.4.2)
astro_moon (0.2)
[...]
xmlrpc (0.3.0)
yaml (default: 0.1.0)
zlib (default: 1.1.0)

$ sudo gem uninstall -i /usr/share/gems nokogiri
You have requested to uninstall the gem:
nokogiri-1.11.7

mechanize-2.7.6 depends on nokogiri (~> 1.6)
mime-types-data-3.2019.1009 depends on nokogiri (~> 1.6, development)
webrobots-0.1.2 depends on nokogiri (>= 1.4.7, ~> 1.4, development)
If you remove this gem, these dependencies will not be met.
Continue with Uninstall? [yN] y
Remove executables:
nokogiri

in addition to the gem? [Yn] n
Executables and scripts will remain installed.
Successfully uninstalled nokogiri-1.11.7
$ sudo gem uninstall -i /usr/share/gems nokogiri
Gem 'nokogiri' is not installed
lcl@canopus:ruby $ sudo gem install nokogiri
Fetching racc-1.6.1.gem
Building native extensions. This could take a while...
Successfully installed racc-1.6.1
Fetching nokogiri-1.13.10-x86_64-linux.gem
Successfully installed nokogiri-1.13.10-x86_64-linux
Parsing documentation for racc-1.6.1
Installing ri documentation for racc-1.6.1
Parsing documentation for nokogiri-1.13.10-x86_64-linux
Installing ri documentation for nokogiri-1.13.10-x86_64-linux
Done installing documentation for racc, nokogiri after 1 seconds
2 gems installed
$ sudo gem install dead_end
Fetching dead_end-4.0.0.gem
Successfully installed dead_end-4.0.0
Parsing documentation for dead_end-4.0.0
Installing ri documentation for dead_end-4.0.0
Done installing documentation for dead_end after 0 seconds
1 gem installed

Tried out the REPL:
$ irb
irb(main):001:0> fruit = %(apples pears oranges lemons).upcase
=> "APPLES PEARS ORANGES LEMONS"
irb(main):002:0> a = [7, 1, -11, 3]
=> [7, 1, -11, 3]
irb(main):003:0> b = [3.1]*5
=> [3.1, 3.1, 3.1, 3.1, 3.1]
irb(main):004:0> c = [a, b, Math.cos(0.0)]
=> [[7, 1, -11, 3], [3.1, 3.1, 3.1, 3.1, 3.1], 1.0]
irb(main):005:0> c.flatten.inject(:+)
=> 16.5
irb(main):006:0> exit

Oneliners:
$ ruby -e "puts (1..10).inject( &:+ )"
55

Create file containing names of all fonts on the system.
$ ruby -r tk -e "TkFont.families.each{|font| puts font}" > allfonts
$ cat allfonts | sort -u
$ head systemfonts
Acadian!"
Acadian™
....

Shallow test of puppet:
$ strace -o puppet.trace puppet help
.....
$ grep libruby puppet.trace
openat(AT_FDCWD, "/lib64/libruby.so.2.7", O_RDONLY|O_CLOEXEC) = 3

These are all shallow tests but it all seems to work.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
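A check aimed at the CVE itself rather than general Ruby health, added here as an example and not part of the bug report or the Mageia packages: it asks the installed cgi library whether CGI::Cookie now rejects a cookie name carrying CR/LF (the fixed behaviour for CVE-2021-33621), and shows an application-side Set-Cookie builder whose validation rules are assumed for this example, not copied from the cgi gem.

```ruby
# Added example, not from the bug report: a targeted check for
# CVE-2021-33621 (HTTP response splitting via CGI::Cookie) that a
# tester could run next to the shallow tests above.

# Returns true if the installed CGI::Cookie refuses a cookie name that
# carries CR/LF (the fixed behaviour), false if it accepts it (unfixed),
# nil if this Ruby has no loadable CGI::Cookie at all.
def cgi_cookie_rejects_crlf?
  require "cgi"
  return nil unless defined?(CGI::Cookie)
  CGI::Cookie.new("name" => "sid\r\nSet-Cookie: injected=1", "value" => "x")
  false
rescue ArgumentError
  true
rescue LoadError
  nil
end

# Application-side guard that does not depend on the Ruby version.
# Assumed rules for this example (not the cgi gem's own): the name must
# be an RFC 6265 token; value, path and domain must be printable ASCII
# without ';', so CR, LF and other controls can never reach the header.
COOKIE_TOKEN_RE = /\A[!\#\$%&'*+\-.0-9A-Z^_`a-z|~]+\z/
COOKIE_ATTR_RE  = /\A[\x21-\x3a\x3c-\x7e]*\z/

# Builds one Set-Cookie header line or raises ArgumentError on any
# field that could split the response.
def safe_set_cookie(name:, value:, path: "/", domain: nil)
  { "name" => name, "value" => value, "path" => path, "domain" => domain }.each do |field, v|
    next if v.nil?
    re = field == "name" ? COOKIE_TOKEN_RE : COOKIE_ATTR_RE
    raise ArgumentError, "invalid cookie #{field}: #{v.dump}" unless re.match?(v)
  end
  parts = ["#{name}=#{value}", "path=#{path}"]
  parts << "domain=#{domain}" if domain
  "Set-Cookie: " + parts.join("; ")
end

if __FILE__ == $PROGRAM_NAME
  puts "installed CGI::Cookie rejects CR/LF in name: #{cgi_cookie_rejects_crlf?.inspect}"
  puts safe_set_cookie(name: "sid", value: "abc123", path: "/app")
end
```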
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0454.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED