mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-07 09:16:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
75,259 Commits 38 Branches 617 Tags
ae2d52758fc2fcb0ed996aa234430464ebf4b310
Commit Graph

4 Commits

Author SHA1 Message Date
Divya Chellam
7ad1d26688 ruby: fix CVE-2025-27221 
In the URI gem before 1.0.3 for Ruby, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained even
after changing the host.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-27221

Upstream-patches:
3675494839
2789182478

(From OE-Core rev: 421d7011269f4750f5942b815d68f77fa4559d69)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2025-06-02 07:12:34 -07:00
Divya Chellam
ba85fa8c93 ruby: fix CVE-2025-27220 
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial
of Service (ReDoS) vulnerability exists in the Util#escapeElement method.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-27220

Upstream-patch:
cd1eb08076

(From OE-Core rev: 8c31f8e142894f103409ee10deccc22fdeea897c)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2025-04-01 09:08:42 -07:00
Ashish Sharma
1c48e482e2 ruby: Fix CVE-2025-27219 
Upstream-Status: Backport from [9907b76dad]

(From OE-Core rev: 7e0a96b5c0b7a5ca593df83861086d0980ea72e9)

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2025-03-15 06:40:07 -07:00
Yogita Urade
0402f54b66 ruby: upgrade 3.2.2 -> 3.3.5 
Includes fix for CVE-2024-41123 & CVE-2024-41946

Release notes:
https://github.com/ruby/ruby/releases/tag/v3_3_5

Rebase:
0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch
0006-Make-gemspecs-reproducible.patch

Drop:
0001-fiddle-Use-C11-_Alignof-to-define-ALIGN_OF-when-poss.patch
0002-Obey-LDFLAGS-for-the-link-of-libruby.patch
CVE-2023-36617_1.patch
CVE-2023-36617_2.patch
CVE-2024-27281.patch
CVE-2024-27282.patch
(merged upstream)

0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch
0002-template-Makefile.in-filter-out-f-prefix-map.patch
remove_has_include_macros.patch
(code rewritten upstream)

License-Update: Updated LEGAL section

(From OE-Core rev: 69ffe5bc09260918fb32bfcb29586dcaa1958a5c)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2024-10-18 06:04:40 -07:00