rubygems (3.2.5-2+deb11u1) bullseye-security; urgency=medium

  * Fix CVE-2025-27221. The URI handling methods (URI.join, URI#merge, URI#+)
    have an inadvertent leakage of authentication credentials because
    userinfo is retained even after changing the host.
    - d/p/CVE-2025-27221_*.patch
  * Fix CVE-2023-28755. A ReDoS issue was discovered in the URI component
    through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid
    URLs that have specific characters. It causes an increase in execution
    time for parsing strings to URI objects.
    - d/p/CVE-2023-28755.patch
  * Fix CVE-2021-43809. In bundler versions before 2.2.33, when working with
    untrusted and apparently harmless `Gemfile`s, it is not expected that
    they lead to execution of external code, unless that's explicit in the
    ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes
    `gem` entries that use the `git` option with invalid, but seemingly
    harmless, values with a leading dash, this can be false. To handle
    dependencies that come from a Git repository instead of a registry,
    Bundler uses various commands, such as `git clone`. These commands are
    being constructed using user input (e.g. the repository URL). When
    building the commands, Bundler versions before 2.2.33 correctly avoid
    Command Injection vulnerabilities by passing an array of arguments
    instead of a command string. However, there is the possibility that a
    user input starts with a dash (`-`) and is therefore treated as an
    optional argument instead of a positional one. This can lead to Code
    Execution because some of the commands have options that can be
    leveraged to run arbitrary executables.
    - d/p/CVE-2021-43809.patch
  * d/t/control: add libyaml-dev to Depends of testsuite. Fix autopkgtest
    failure.

 -- Lucas Kanashiro  Wed, 23 Apr 2025 15:49:41 -0300

rubygems (3.2.5-2) unstable; urgency=medium

  [ Antonio Terceiro ]
  * Skip tests that fail if Gem.disable_system_update_message is set

 -- Lucas Kanashiro  Wed, 13 Jan 2021 16:45:32 -0300

rubygems (3.2.5-1) unstable; urgency=medium

  * New upstream release.

 -- Lucas Kanashiro  Tue, 12 Jan 2021 09:31:00 -0300

rubygems (3.2.4-2) unstable; urgency=medium

  * d/p/0003-Gem-Ext-Builder-accept-custom-make-command-with-extr.patch: make
    extension builder accept custom make command.
  * d/ruby-tests.skip: re-enable some tests and skip new ones. The new patch
    applied makes some tests pass again but there still are some escape
    issues.

 -- Lucas Kanashiro  Mon, 11 Jan 2021 17:23:29 -0300

rubygems (3.2.4-1) unstable; urgency=medium

  * New upstream release.
  * d/ruby-tests.skip: add the failing tests related to native extensions.
    There is an issue on how those tests are set up to build native
    extensions, needs further investigation.
  * d/ruby-bundler.manpages: update path of the manpages changed by upstream.
  * Declare compliance with Debian Policy 4.5.1.

 -- Lucas Kanashiro  Fri, 08 Jan 2021 17:49:46 -0300

rubygems (3.2.0~rc.2-6) unstable; urgency=medium

  * debian/control: fix installability issue on i386.
    - Make ruby-rubygems depend on ruby:any.
    - Mark ruby-rubygems as Multi-Arch: foreign.

 -- Lucas Kanashiro  Thu, 07 Jan 2021 09:26:56 -0300

rubygems (3.2.0~rc.2-5) unstable; urgency=medium

  * d/t/autopkgtest-pkg-ruby.conf: add dependency on build-essential. The
    DEP-8 test generated by autodep8 requires build-essential to build a
    native gem.

 -- Lucas Kanashiro  Mon, 07 Dec 2020 18:46:19 -0300

rubygems (3.2.0~rc.2-4) unstable; urgency=medium

  * d/t/testsuite: do not create a predictable tmp dir, it might exist
    already.
  * d/ruby-tests.rake: set the test dir when executed with autopkgtest.
  * d/ruby-tests.skip: add tests failing with autopkgtest. Those are harmless
    tests, they fail due to rubygems-integration changes.
  * d/t/control:
    - Split the tests in different paragraphs. We can have a tighter
      definition of restrictions and dependencies for each test.
    - Add needs-internet restriction to testsuite.
    - Make testsuite build depend on build dependencies.
  * d/control:
    - Add b-d on ruby-dev.
    - Remove unneeded build and runtime dependencies. They are
      ruby-molinillo, ruby-thor, ruby-net-http-persistent. They are shipped
      as vendor code.

 -- Lucas Kanashiro  Fri, 27 Nov 2020 15:11:02 -0300

rubygems (3.2.0~rc.2-3) unstable; urgency=medium

  * Remove d/p/0001-Replace-bundled-libraries-with-system-versions.patch.
    bundler has some custom code on top of the bundled libraries which is
    needed to make it work properly. Due to that it is not possible to use
    external code at the moment.
  * d/t/testsuite: properly set local path according to bundler 2. The
    --path option in the bundle call is deprecated.

 -- Lucas Kanashiro  Thu, 26 Nov 2020 11:14:41 -0300

rubygems (3.2.0~rc.2-2) unstable; urgency=medium

  * Skip tests which require Internet connection (Closes: #974102)

 -- Lucas Kanashiro  Wed, 18 Nov 2020 15:07:01 -0300

rubygems (3.2.0~rc.2-1) unstable; urgency=medium

  * Update Net::HTTP::Persistent path in the patch to use the system version.
  * New upstream version 3.2.0~rc.2

 -- Lucas Kanashiro  Mon, 09 Nov 2020 10:32:00 -0300

rubygems (3.2.0~rc.1-3) unstable; urgency=medium

  * d/p/0001-Replace-bundled-libraries-with-system-versions.patch: make
    bundler use libraries from the system.
  * Add b-d on ruby-molinillo and ruby-thor.
  * Add patches to make bundler better handle temporary directories:
    - d/p/0002-Don-t-use-insecure-temporary-directory-as-home-direc.patch
    - d/p/0003-Remove-temporary-home-directories.patch
  * Add debian revision to bundler version string (Closes: #972490)

 -- Lucas Kanashiro  Thu, 05 Nov 2020 16:09:55 -0300

rubygems (3.2.0~rc.1-2) unstable; urgency=medium

  [ Cédric Boutillier ]
  * Update team name
  * Add .gitattributes to keep unwanted files out of the source package

 -- Lucas Kanashiro  Sun, 18 Oct 2020 23:41:21 -0300

rubygems (3.2.0~rc.1-1) unstable; urgency=medium

  * Initial release.
    - Upstream bundler source code is now hosted in the same git repository
      as rubygems, due to that this new source package is introduced and it
      will provide the binaries previously provided by src:bundler
      (ruby-bundler and bundler). src:bundler will be removed after
      src:rubygems is accepted.

 -- Lucas Kanashiro  Fri, 17 Jul 2020 16:11:02 -0300
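Added example, not code from the rubygems, bundler or uri packages: a hypothetical wrapper `merge_without_credential_leak` showing the safe behaviour that the CVE-2025-27221 entry at the top of this changelog describes. It performs the normal URI#merge and then drops any userinfo inherited from the base whenever the resulting scheme, host or port differs, so the check holds even on a uri library that still retains credentials; the sample URIs are constructed.

```ruby
require "uri"

# Hypothetical helper (added example). Merges +ref+ into +base+ like
# URI#merge, then strips credentials that came from the base if the merge
# moved the reference to another authority (scheme, host or port).
# Userinfo the reference carried itself belongs to its own authority and
# is left alone.
def merge_without_credential_leak(base, ref)
  base_uri = URI(base)
  ref_uri  = URI(ref)
  merged   = base_uri.merge(ref_uri)

  same_authority = merged.scheme == base_uri.scheme &&
                   merged.host.to_s.casecmp?(base_uri.host.to_s) &&
                   merged.port == base_uri.port

  if merged.userinfo && ref_uri.userinfo.nil? && !same_authority
    # Clear the password first: URI rejects a password without a user.
    merged.password = nil
    merged.user = nil
  end
  merged
end

if $PROGRAM_NAME == __FILE__
  base = "http://deploy:s3cret@example.com/api/"
  # Same host: credentials are kept.
  puts merge_without_credential_leak(base, "v2/items")
  # Network-path reference to another host: credentials are dropped.
  puts merge_without_credential_leak(base, "//other.example/path")
end
```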