Ruby 2.5.3/2.4.5/2.3.8 packages to address CVEs

[pe...@valimail.com]

There were a number of security releases for Ruby last week - 2.5.3, 2.4.5, 2.3.8.

These address the following CVEs:

• CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives
• CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly

Do you know when there will be updated Brightbox packages for these Ruby versions?  Especially 2.5.3?

Thanks.

Best,

Peter

[John Leach]

Packages for 2.5.3, 2.4.5 and 2.3.8 are now available in ruby-ng-
experimental. They've passed all our local install tests and we'll be
copying them over to ruby-ng soon, but any other testing feedback in
the mean time is appreciated.

Also, I fixed the bionic builds, so they're available for testing too.
I've more thorough testing to do with them though, as there was some
previous issues with the newer gcc in bionic. Again, any feedback would
be great. Run your test suites with it :)

Backports to <= 2.2 in progress.

John.
--
https://www.brightbox.com

On Sun, 2018-10-21 at 19:41 -0700, peter via Brightbox Ruby Ubuntu

[bra...@volunteerhq.org]

Hi John,

Any update on when these versions will be available?

Thanks,

Brandon

[barn...@gmail.com]

On Wednesday, 24 October 2018 12:29:41 UTC+1, John Leach wrote:
> Packages for 2.5.3, 2.4.5 and 2.3.8 are now available in ruby-ng-
> experimental. They've passed all our local install tests and we'll be
> copying them over to ruby-ng soon, but any other testing feedback in
> the mean time is appreciated.

Hi, do you have an idea when these will make it to ruby-ng?

Thanks very much for maintaining the repo!

Barnaby

[min...@gmail.com]

Is there an ETA on when the 2.5.3 packages will make it into the non-experimental PPA?

[sacro...@gmail.com]

Hi John,

any ETA on when packages will be copied to ruby-ng?

Thanks,
Cristian

[John Leach]

Hi all,

All these are now copied over to ruby-ng, Bionic included.

<= 2.2 still in progress.

John.