ruby: update to 3.3.5 to resolve CVE-2024-39908 and CVE-2024-49761 #10988
base: fasttrack/3.0
Conversation
I'm not sure how it failed the fast track GitHub PR check to build, but it built correctly in https://dev.azure.com/mariner-org/mariner/_build/results?buildId=674310&view=results

Edit: realized I need to update some rubygem versions, per https://github.com/microsoft/azurelinux/pull/10400/files#diff-4edf04c433f280e43572ad4bc157e9849973a07d14a9dd85e949090f03386010
Also remove CVE-2024-41946.patch as it no longer applies, as ruby 3.3.5 contains rubygem-rexml 3.3.6, where CVE-2024-41946 is already fixed

Signed-off-by: Saul Paredes <[email protected]>

Patch adapted from ruby/rexml@ce59f2e which fixes CVE-2024-49761 per https://nvd.nist.gov/vuln/detail/CVE-2024-49761

Needed for rubygem-rexml versions < 3.3.9

Signed-off-by: Saul Paredes <[email protected]>
Fixes all rubygem build failures. Test failures are not regressions, as verified by comparing against https://dev.azure.com/mariner-org/mariner/_build?definitionId=1489
%{_bindir}/fluent-gem.lock | ||
%{_bindir}/fluent-plugin-config-format.lock | ||
%{_bindir}/fluent-plugin-generate.lock | ||
%{_bindir}/fluentd.lock |
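Review bot: the four `.lock` entries added under `%{_bindir}` (`fluent-gem.lock`, `fluent-plugin-config-format.lock`, `fluent-plugin-generate.lock`, `fluentd.lock`) are lock files sitting next to the binstubs rather than executables, so listing them in the package's file list means they ship to every installing system; confirm they are intended package content and, if they are only a side effect of the new rubygems version generating binstub locks at build time, drop these four lines from the `%files` section instead of packaging them.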
I don't think we want to package the .lock files? Is that what other distributions have done?
You are right. Updated by taking patches from https://src.fedoraproject.org/rpms/ruby/c/b7e197fb887200e4faaf8fae663a9df00bdc09d3?branch=rawhide
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- (*-static subpackages, etc.) have had their Release tag incremented.
- ./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json
- ./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON
- *.signatures.json files
- sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
What does the PR accomplish, why was it needed?
Upgrade ruby to 3.3.5 to resolve CVE-2024-39908. ruby 3.3.5 contains rubygem-rexml version > 3.3.2, which is not affected by CVE-2024-39908.
Also:
ruby: patch GHSA-2rxp-v6pw-ch6m
rubygem-rexml: patch GHSA-2rxp-v6pw-ch6m
Change Log
Does this affect the toolchain?
NO
Links to CVEs
Test Methodology
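A defender's verification check for the rexml thresholds this PR relies on, written as an added example (not code from the PR or from the azurelinux project): it parses `gem list rexml` output, picks the newest installed rexml version, and reports which of the three advisories named in this PR remain open. The fix thresholds are taken from the PR text (CVE-2024-39908 unaffected when rexml > 3.3.2; CVE-2024-41946 already fixed in rexml 3.3.6; CVE-2024-49761 needs rexml >= 3.3.9 or the backported patch). The `backported:` keyword, the function names and the sample `gem list` output are assumptions made for this example.

```ruby
require "rubygems" # Gem::Version

# Fix thresholds as stated in the PR text (all refer to the rexml gem version).
# Each entry returns true when the given rexml version is already fixed.
FIXED_WHEN = {
  "CVE-2024-39908" => ->(v) { v >  Gem::Version.new("3.3.2") }, # page: unaffected when rexml > 3.3.2
  "CVE-2024-41946" => ->(v) { v >= Gem::Version.new("3.3.6") }, # page: already fixed in rexml 3.3.6
  "CVE-2024-49761" => ->(v) { v >= Gem::Version.new("3.3.9") }, # page: patch needed for rexml < 3.3.9
}.freeze

# Constructed sample of `gem list rexml` output (not captured from a real host):
# a default gem shows up as "rexml (default: X.Y.Z)".
SAMPLE_GEM_LIST = <<~OUT
  *** LOCAL GEMS ***

  rexml (default: 3.3.6)
OUT

# Extract every rexml version listed in `gem list` output, e.g.
# "rexml (3.3.9, default: 3.3.6)" -> [3.3.9, 3.3.6].
def rexml_versions_from_gem_list(output)
  output.each_line.flat_map do |line|
    next [] unless (m = line.match(/^rexml \(([^)]*)\)/))
    m[1].split(",").map { |s| Gem::Version.new(s.strip.sub(/\Adefault:\s*/, "")) }
  end
end

# Which advisories are still open for this rexml version? `backported` lists
# CVEs whose fix was applied as a distro patch (assumed keyword), as this PR
# does for CVE-2024-49761 via the ruby/rexml@ce59f2e backport.
def open_cves(rexml_version, backported: [])
  v = Gem::Version.new(rexml_version.to_s)
  FIXED_WHEN.reject { |cve, fixed| fixed.call(v) || backported.include?(cve) }.keys
end

# Assess a host from its `gem list rexml` output; no rexml at all is reported
# as "unknown version, all advisories open" rather than silently passing.
def assess(gem_list_output, backported: [])
  versions = rexml_versions_from_gem_list(gem_list_output)
  return { version: nil, open: FIXED_WHEN.keys } if versions.empty?

  newest = versions.max
  { version: newest.to_s, open: open_cves(newest, backported: backported) }
end

if __FILE__ == $PROGRAM_NAME
  # Unpatched ruby 3.3.5 (rexml 3.3.6): only CVE-2024-49761 remains open.
  p assess(SAMPLE_GEM_LIST)
  # With this PR's backported rexml patch applied: nothing open.
  p assess(SAMPLE_GEM_LIST, backported: ["CVE-2024-49761"])
end
```

On a real host, feed it `gem list rexml` output (for example `assess(\`gem list rexml\`)`); the `backported:` list is what distinguishes a rexml 3.3.6 that carries this PR's CVE-2024-49761 backport from a stock one, since the gem version alone cannot tell them apart.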