Debian Package Tracker

ruby2.7

general
  • source: ruby2.7 (main)
  • version: 2.7.4-1+deb11u5
  • maintainer: Debian Ruby Team (archive) (DMD)
  • uploaders: Antonio Terceiro [DMD] – Utkarsh Gupta [DMD] – Lucas Kanashiro [DMD]
  • arch: all any
  • std-ver: 4.5.1
  • VCS: Git (Browse)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.7.4-1+deb11u1
  • o-o-sec: 2.7.4-1+deb11u5
versioned links
  • 2.7.4-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.7.4-1+deb11u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libruby2.7 (1 bugs: 0, 1, 0, 0)
  • ruby2.7
  • ruby2.7-dev
  • ruby2.7-doc
package is gone
This package is not in any development repository. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it.
action needed
Debci reports failed tests high
  • unstable: fail (log)
    The tests ran in 0:04:48
    Last run: 2022-08-11T01:22:43.000Z
    Previous status: unknown

  • testing: fail (log)
    The tests ran in 0:06:37
    Last run: 2022-03-14T05:20:47.000Z
    Previous status: unknown

  • stable: pass (log)
    The tests ran in 0:06:54
    Last run: 2023-05-26T15:21:59.000Z
    Previous status: unknown

Created: 2022-03-04 Last update: 2026-06-29 20:32
14 security issues in bullseye high

There are 14 open security issues in bullseye.

10 important issues:
  • CVE-2026-27820: zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.
  • CVE-2026-41316: ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.
  • CVE-2026-42245: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
  • CVE-2026-42246: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
  • CVE-2026-42256: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
  • CVE-2026-42257: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
  • CVE-2026-42258: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Symbol arguments passed to IMAP commands are vulnerable to CRLF injection / IMAP command injection. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
  • CVE-2026-47240: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. A server without support for non-synchronizing literals may interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed. This affects criteria for #search and #uid_search; search_keys for #sort, #thread, #uid_sort, and #uid_thread; and attr for #fetch and #uid_fetch. This vulnerability is fixed in 0.6.5 and 0.5.15.
  • CVE-2026-47241: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed. This vulnerability is fixed in 0.6.5 and 0.5.15.
  • CVE-2026-47242: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAP#id is called with a hash argument, although the ID field value strings are correctly quoted (escaping quoted specials), they were not validated to prohibit CRLF sequences. While Net::IMAP#enable does process its arguments for aliases, it does not validate them as valid atoms (or as a list of valid atoms). The #to_s value is sent verbatim. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. This vulnerability is fixed in 0.6.5 and 0.5.15.
3 issues postponed or untriaged:
  • CVE-2025-24294: (postponed; to be fixed through a stable update) The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
  • CVE-2025-58767: (postponed; to be fixed through a stable update) REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XML, you may be affected by these vulnerabilities. The REXML gem 3.4.2 or later includes the patches that fix these vulnerabilities.
  • CVE-2025-61594: (postponed; to be fixed through a stable update) URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series), 0.13.2 and earlier (bundled in Ruby 3.3 series), and 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
1 ignored issue:
  • CVE-2025-0306: A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service.
Created: 2026-04-17 Last update: 2026-06-29 14:00
1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:
  • CVE-2022-28739: There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.
Created: 2022-07-04 Last update: 2022-08-01 13:40
news
[rss feed]
  • [2025-03-09] Accepted ruby2.7 2.7.4-1+deb11u5 (source) into oldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2025-02-11] Accepted ruby2.7 2.7.4-1+deb11u4 (source) into oldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2025-01-17] Accepted ruby2.7 2.7.4-1+deb11u3 (source) into oldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2024-09-02] Accepted ruby2.7 2.7.4-1+deb11u2 (source) into oldstable-security (Sylvain Beucler)
  • [2022-08-15] Removed 2.7.5-1 from unstable (Debian FTP Masters)
  • [2022-03-17] ruby2.7 REMOVED from testing (Debian testing watch)
  • [2022-02-13] Accepted ruby2.7 2.7.4-1+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2022-02-03] Accepted ruby2.7 2.7.4-1+deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2021-12-12] Accepted ruby2.7 2.7.5-1 (source) into unstable (Utkarsh Gupta)
  • [2021-07-19] ruby2.7 2.7.4-1 MIGRATED to testing (Debian testing watch)
  • [2021-07-08] Accepted ruby2.7 2.7.4-1 (source) into unstable (Utkarsh Gupta)
  • [2021-04-25] ruby2.7 2.7.3-2 MIGRATED to testing (Debian testing watch)
  • [2021-04-20] Accepted ruby2.7 2.7.3-2 (source) into unstable (Antonio Terceiro)
  • [2021-04-17] Accepted ruby2.7 2.7.3-1 (source) into unstable (Utkarsh Gupta)
  • [2021-02-08] ruby2.7 2.7.2-4 MIGRATED to testing (Debian testing watch)
  • [2021-02-02] Accepted ruby2.7 2.7.2-4 (source) into unstable (Lucas Kanashiro)
  • [2020-11-03] ruby2.7 2.7.2-3 MIGRATED to testing (Debian testing watch)
  • [2020-10-30] Accepted ruby2.7 2.7.2-3 (source) into unstable (Lucas Kanashiro)
  • [2020-10-19] ruby2.7 2.7.2-2 MIGRATED to testing (Debian testing watch)
  • [2020-10-13] Accepted ruby2.7 2.7.2-2 (source) into unstable (Utkarsh Gupta)
  • [2020-10-12] Accepted ruby2.7 2.7.2-1 (source) into unstable (Utkarsh Gupta)
  • [2020-10-05] ruby2.7 2.7.1-4 MIGRATED to testing (Debian testing watch)
  • [2020-10-01] Accepted ruby2.7 2.7.1-4 (source) into unstable (Utkarsh Gupta)
  • [2020-05-14] ruby2.7 2.7.1-3 MIGRATED to testing (Debian testing watch)
  • [2020-05-11] Accepted ruby2.7 2.7.1-3 (source) into unstable (Lucas Kanashiro)
  • [2020-05-08] Accepted ruby2.7 2.7.1-2 (source) into unstable (Lucas Kanashiro)
  • [2020-05-07] Accepted ruby2.7 2.7.1-1 (source) into unstable (Lucas Kanashiro)
  • [2020-05-07] ruby2.7 2.7.0-7 MIGRATED to testing (Debian testing watch)
  • [2020-05-04] Accepted ruby2.7 2.7.0-7 (source) into unstable (Lucas Kanashiro)
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • buildd: logs, cross
  • popcon
  • security tracker
  • debci

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers