ruby: update to 3.3.5 to resolve CVE-2024-39908

Also remove CVE-2024-41946.patch as it no longer applies as ruby 3.3.5 containers rubygem-rexml 3.3.6, where CVE-2024-41946 is already fixed Signed-off-by: Saul Paredes <[email protected]>
microsoft · Nov 9, 2024 · 4e28408 · 4e28408
1 parent 30d1349
commit 4e28408
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 117 deletions.
diff --git a/SPECS/ruby/CVE-2024-41946.patch b/SPECS/ruby/CVE-2024-41946.patch
diff --git a/SPECS/ruby/ruby.signatures.json b/SPECS/ruby/ruby.signatures.json
@@ -7,6 +7,6 @@
     "rubygems.con": "eb804c6b50eeafdb2172285265bc487a80acaa9846233cd5f1d20a25f1dac2ea",
     "rubygems.prov": "b79c1f5873dd20d251e100b276a5e584c1fb677f3e1b92534fc09130fabe8ee5",
     "rubygems.req": "e85681d8fa45d214055f3b26a8c1829b3a4bd67b26a5ef3c1f6426e7eff83ad0",
-    "ruby-3.3.3.tar.gz": "83c05b2177ee9c335b631b29b8c077b4770166d02fa527f3a9f6a40d13f3cce2"
+    "ruby-3.3.5.tar.gz": "3781a3504222c2f26cb4b9eb9c1a12dbf4944d366ce24a9ff8cf99ecbce75196"
   }
 }
diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec
@@ -4,7 +4,7 @@
 %global gem_dir %{_datadir}/ruby/gems
 
 # Default package version defined separately, because the %%version macro gets overwritten by 'Version' tags of the subpackages.
-%global ruby_version            3.3.3
+%global ruby_version            3.3.5
 %define ruby_version_majmin     %(echo %{ruby_version} | cut -d. -f1-2)
 
 %global rubygems_version        3.5.3
@@ -88,7 +88,7 @@ Name:           ruby
 # provides should be versioned according to the ruby version.
 # More info: https://stdgems.org/
 Version:        %{ruby_version}
-Release:        2%{?dist}
+Release:        1%{?dist}
 License:        (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -102,7 +102,6 @@ Source4:        rubygems.con
 Source5:        rubygems.prov
 Source6:        rubygems.req
 Source7:        macros.rubygems
-Patch0:         CVE-2024-41946.patch
 # Updates default ruby-uri to 0.12.2 and vendored one to 0.10.3. Remove once ruby gets updated to a version that comes with both lib/uri/version.rb and lib/bundler/vendor/uri/lib/uri/version.rb versions >= 0.12.2 or == 0.10.3
 BuildRequires:  openssl-devel
 # Pkgconfig(yaml-0.1) is needed to build the 'psych' gem.
@@ -408,6 +407,10 @@ sudo -u test make test TESTS="-v"
 %{_rpmconfigdir}/rubygems.con
 
 %changelog
+* Fri Nov 08 2024 Saul Paredes <[email protected]> - 3.3.5-1
+- Upgrade ruby to 3.3.5 to resolve CVE-2024-39908
+- Remove CVE-2024-41946.patch as it no longer applies as ruby 3.3.5 containers rubygem-rexml 3.3.6, where CVE-2024-41946 is already fixed
+
 * Wed Sep 18 2024 Harshit Gupta <[email protected]> - 3.3.3-2
 - Revert ruby back to 3.3.3 to avoid build failure of rubygems-* packages
 - Add patch for CVE-2024-41946 for bundled gem rexml

diff --git a/cgmanifest.json b/cgmanifest.json
@@ -25894,8 +25894,8 @@
         "type": "other",
         "other": {
           "name": "ruby",
-          "version": "3.3.3",
-          "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.3.tar.gz"
+          "version": "3.3.5",
+          "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.5.tar.gz"
         }
       }
     },