[DRE-maint] Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

Moritz Muehlenhoff jmm at inutil.org
Wed Jun 7 10:09:07 BST 2023


On Wed, Jun 07, 2023 at 01:43:26PM +0530, Utkarsh Gupta wrote:
> Hi Chris,
> 
> On Wed, Jun 7, 2023 at 12:56 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
> > Can you please have a look, as this seems to be caused by the DLA
> > issued as DLA-3447-1.
> 
> This has been caused by the ruby2.5 update.

It's definitely related to the fix for CVE-2023-28755; reverting that patch
unbreaks Puppet. I'd recommend going ahead with a revert for now.

> Can you please TAL? This
> is perhaps because of the URI version in buster v/s URI version
> upstream. The upstream patch was supposed to be for 3.2 and was not
> 2.5 compliant. Let me know if you'd like me to help.

Specifically https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
states:

| For Ruby 2.7: Update to uri 0.10.0.1
| For Ruby 3.0: Update to uri 0.10.2
| For Ruby 3.1: Update to uri 0.11.1
| For Ruby 3.2: Update to uri 0.12.1

And the 0.10 change (https://github.com/ruby/uri/commit/17861a53e499a2eabf7ba83d63914d0f01921d70)
is different from the 0.12 one (https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d0b58ea9dc38892d175)

There might be other changes needed for 2.5, not sure.

Cheers,
        Moritz
