summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/ruby/ruby_3.1.3.bb
Commit message (Collapse)AuthorAgeFilesLines
* ruby: fix CVE-2024-41123Divya Chellam2025-12-011-0/+5
| | | | | | | | | | | | | | | | | | | | | | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41123 Upstream-patches: https://github.com/ruby/rexml/commit/2c39c91a65d69357cfbc35dd8079b3606d86bb70 https://github.com/ruby/rexml/commit/4444a04ece4c02a7bd51e8c75623f22dc12d882b https://github.com/ruby/rexml/commit/ebc3e85bfa2796fb4922c1932760bec8390ff87c https://github.com/ruby/rexml/commit/6cac15d45864c8d70904baa5cbfcc97181000960 https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6 (From OE-Core rev: 6b2a2e689a69deef6098f6c266542234e46fb24b) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2024-39908Divya Chellam2025-12-011-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings. Reference: https://security-tracker.debian.org/tracker/CVE-2024-39908 Upstream-patches: https://github.com/ruby/rexml/commit/f1df7d13b3e57a5e059273d2f0870163c08d7420 https://github.com/ruby/rexml/commit/d146162e9a61574499d10428bc0065754cd26601 https://github.com/ruby/rexml/commit/b5bf109a599ea733663150e99c09eb44046b41dd https://github.com/ruby/rexml/commit/b8a5f4cd5c8fe29c65d7a00e67170223d9d2b50e https://github.com/ruby/rexml/commit/0af55fa49d4c9369f90f239a9571edab800ed36e https://github.com/ruby/rexml/commit/c1b64c174ec2e8ca2174c51332670e3be30c865f https://github.com/ruby/rexml/commit/9f1415a2616c77cad44a176eee90e8457b4774b6 https://github.com/ruby/rexml/commit/c33ea498102be65082940e8b7d6d31cb2c6e6ee2 https://github.com/ruby/rexml/commit/a79ac8b4b42a9efabe33a0be31bd82d33fd50347 https://github.com/ruby/rexml/commit/67efb5951ed09dbb575c375b130a1e469f437d1f https://github.com/ruby/rexml/commit/1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2 https://github.com/ruby/rexml/commit/910e5a2b487cb5a30989884a39f9cad2cc499cfc (From OE-Core rev: 6e0b70843422cd7cdb25a9e1520dd64bf701fea6) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2024-35176Divya Chellam2025-12-011-0/+1
| | | | | | | | | | | | | | | | | | | | REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-35176 Upstream-patch: https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb (From OE-Core rev: a89fcaf0c3ac2afd95e836bc1356832296135696) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: correct fix for CVE-2024-43398Rob Woolley2025-07-301-1/+3
| | | | | | | | | | | | | | | | | | | The previous fix for CVE-2024-43398 did not include patches to provide context for the changes it made. This caused an exception at run-time when ruby parsed rexml/parsers/baseparser.rb. This was first observed when using ruby-native to build the sdformat recipe. With these additional backports, the sdformat build proceeds successfully. The REXML library was also tested manually on-target with a script that used REXML::Document.new file to parse an XML file. (From OE-Core rev: 6bf00fde2d4043c6b558733a33041ce5694342d3) Signed-off-by: Rob Woolley <rob.woolley@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2025-27221Divya Chellam2025-05-281-0/+2
| | | | | | | | | | | | | | | | | | | In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. Reference: https://security-tracker.debian.org/tracker/CVE-2025-27221 Upstream-patches: https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495 https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5 (From OE-Core rev: c77ff1288719d90ef257dfe28cb33b3768fc124a) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2024-43398Divya Chellam2025-04-181-0/+1
| | | | | | | | | | | | | | | | | | | | | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability. Reference: https://security-tracker.debian.org/tracker/CVE-2024-43398 Upstream-patch: https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3 (From OE-Core rev: f23d1bfca0ea57150c397bc2e495191fb61423d0) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: Fix CVE-2025-27219Ashish Sharma2025-03-191-0/+1
| | | | | | | | | Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab] (From OE-Core rev: 31d67739490ec2abf92328b3f0ceff22ce5d4974) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: Fix CVE-2025-27220Hitendra Prajapati2025-03-131-0/+1
| | | | | | | | | Upstream-Status: Backport from https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6 (From OE-Core rev: 44665939783cb2b32f5ade1772e0ceef47f9a853) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2024-41946Divya Chellam2025-02-241-0/+1
| | | | | | | | | | | | | | | | | | REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41946 Upstream-patch: https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368 (From OE-Core rev: b0e74fd8922bba8e954a223ec46de5c33d2ff743) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2024-49761Divya Chellam2025-01-181-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x.... This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability. CVE-2024-49761-0009.patch is the CVE fix and rest are dependent commits. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-49761 Upstream-patch: https://github.com/ruby/rexml/commit/810d2285235d5501a0a124f300832e6e9515da3c https://github.com/ruby/rexml/commit/83ca5c4b0f76cf7b307dd1be1dc934e1e8199863 https://github.com/ruby/rexml/commit/51217dbcc64ecc34aa70f126b103bedf07e153fc https://github.com/ruby/rexml/commit/7e4049f6a68c99c4efec2df117057ee080680c9f https://github.com/ruby/rexml/commit/fc6cad570b849692a28f26a963ceb58edc282bbc https://github.com/ruby/rexml/commit/77128555476cb0db798e2912fb3a07d6411dc320 https://github.com/ruby/rexml/commit/370666e314816b57ecd5878e757224c3b6bc93f5 https://github.com/ruby/rexml/commit/a579730f25ec7443796495541ec57c071b91805d https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f (From OE-Core rev: 5b453400e9dd878b81b1447d14b3f518809de17e) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: Make docs generation deterministicRichard Purdie2024-09-161-0/+1
| | | | | | | | | | | The presence or lack of nroff on the host was changing the doc type. Set it explicitly to be deterministic and reproducible. (From OE-Core rev: dd857d2519fd4f38c67a6fa0087f72798166467a) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f5053abb8957acf358b518ee3c76146dc5f4eb6c) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: backport fix for CVE-2024-27282Ashish Sharma2024-07-241-0/+1
| | | | | | | | Upstream-Status: Backport [https://github.com/ruby/ruby/commit/989a2355808a63fc45367785c82ffd46d18c900a] (From OE-Core rev: 94a0350058e51c4b05bf5d4e02d048c2e6256725) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2024-27280Yogita Urade2024-06-261-0/+1
| | | | | | | | | | | | | | | | | | | A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-27280 (From OE-Core rev: 729310d17310dff955c51811ff3339fdbc017b95) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2024-27281Yogita Urade2024-04-211-0/+1
| | | | | | | | | | | | | ruby: RCE vulnerability with .rdoc_options in RDoc References: https://github.com/ruby/ruby/pull/10316 https://security-tracker.debian.org/tracker/CVE-2024-27281 (From OE-Core rev: d01b73c51ceead4911a9a9306dbe728f1db2e029) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2023-36617Meenali Gupta2023-09-301-0/+2
| | | | | | | | | Backport two patches [1] [2] to fix CVE-2023-36617 (From OE-Core rev: 7a40082e4e080eaf5f88bd24f7169b7731028529) Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: Fix CVE-2023-28755Mingli Yu2023-05-031-0/+1
| | | | | | | | | | | Backport patch [1] to fix CVE-2023-28755. [1] https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300 (From OE-Core rev: 605634cf1adef2d9cf6dc6fdf17aa4032385497f) Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: CVE-2023-28756 ReDoS vulnerability in TimeHitendra Prajapati2023-04-261-0/+1
| | | | | | | | | Upstream-Status: Backport from https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e (From OE-Core rev: 0f8eb0505e19ccd27e1b91f27285a9fc87f2aa93) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: update 3.1.2 -> 3.1.3Alexander Kanavin2023-01-061-0/+142
(From OE-Core rev: 3e43f3925bce640999a25ceb855a77d8cd0afd26) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 402254a5f841520b132508c21465111d33b6eb1a) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>