UbuntuUpdates.org

Package "ruby2.5"

Name: ruby2.5

Description:

Interpreter of object-oriented scripting language Ruby
Latest version: 2.5.1-1ubuntu1.16
Release: bionic (18.04)
Level: security
Repository: main
Homepage: http://www.ruby-lang.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "ruby2.5"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "ruby2.5" in Bionic

Repository Area Version
base main 2.5.1-1ubuntu1
updates main 2.5.1-1ubuntu1.16
PPA: Brightbox Ruby NG Experimental 2.5.8-1bbox1~bionic1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.5.1-1ubuntu1.16 2023-05-18 12:07:36 UTC

  ruby2.5 (2.5.1-1ubuntu1.16) bionic-security; urgency=medium

  * SECURITY UPDATE: ReDoS
    - debian/patches/CVE-2023-28755.patch: adds '+' once or more in specific
      places of the RFC3986 regex in order to avoid the increase in execution
      time for parsing strings to URI objects in lib/uri/rfc3986_parser.rb.
    - CVE-2023-28755

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 15 May 2023 08:41:43 -0300
Source diff to previous version
CVE-2023-28755 A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific cha

Version: 2.5.1-1ubuntu1.15 2023-05-05 14:07:07 UTC

  ruby2.5 (2.5.1-1ubuntu1.15) bionic-security; urgency=medium

  * SECURITY REGRESSION: URI.parse returning empty when it should return nil
    - reverting/removing patches for CVE-2023-28755-*.patch that changed the
      regex behaviour causing URI.parse to return '' instead previous
      behaviour nil as some applications expected to use the last one as
      return (LP: #2018547)

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 05 May 2023 06:09:43 -0300
Source diff to previous version
2018547 puppet can no longer find puppet:// resources after ruby2.7 CVE Update
CVE-2023-28755 A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific cha

Version: 2.5.1-1ubuntu1.14 2023-05-04 09:07:11 UTC

  ruby2.5 (2.5.1-1ubuntu1.14) bionic-security; urgency=medium

  * SECURITY UPDATE: ReDoS
    - debian/patches/CVE-2023-28755-*.patch: URI.parse should set empty
      string in host instead of nil in lib/uri/rfc3986_parser.rb.
    - debian/patches/tz_fix.patch: fix timezone test for Lisbon in
      test/ruby/test_time_tz.rb.
    - debian/patches/certs_up_fix.patch: update certificate file to
      make test pass in test/rubygems/ca_cert.pem, test/rubygems/client.pem,
      test/rubygems/ssl_cert.pem, test/rubygems/ss_key.pem,
      test/rubygems/test_gem_security_policy.rb.
    - CVE-2023-28755
  * SECURITY UPDATE: ReDos
    - debian/patches/CVE-2023-28756-*.patch: fix quadratic backtracking on
      invalid time and make RFC2822 regexp linear in lib/time.rb.
    - CVE-2023-28756

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 10 Apr 2023 14:06:44 -0300
Source diff to previous version
CVE-2023-28755 A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific cha
CVE-2023-28756 A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific ch

Version: 2.5.1-1ubuntu1.13 2023-01-23 17:08:44 UTC

  ruby2.5 (2.5.1-1ubuntu1.13) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP response splitting
    - debian/patches/CVE-2021-33621*.patch: adds regex to lib/cgi/core.rb and
      lib/cgi/cookie.rb along with tests to check http response headers and
      cookie fields for invalid characters.
    - debian/patches/fix_tzdata-2022.patch: fix for tzdata-2022g tests
      in test/ruby/test_time_tz.rb.
    - CVE-2021-33621

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 18 Jan 2023 09:55:17 -0300
Source diff to previous version
CVE-2021-33621 The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that

Version: 2.5.1-1ubuntu1.12 2022-06-06 20:06:18 UTC

  ruby2.5 (2.5.1-1ubuntu1.12) bionic-security; urgency=medium

  * SECURITY UPDATE: Buffer over-read
    - debian/patches/CVE-2022-28739.patch: fix dtoa buffer
      overrun in missing/dtoa.c, test/ruby/test_float.rb.
    - CVE-2022-28739

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 24 May 2022 11:47:40 -0300
CVE-2022-28739 RESERVED


About   -   Send Feedback to @ubuntu_updates