Register | Log in

ruby-concurrent

Modern concurrency tools for Ruby

Choose email to subscribe with

general

source: ruby-concurrent (main)
version: 1.3.7-1
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Pirate Praveen [DMD] – Balasankar C [DMD]
arch: all any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.1.6+dfsg-3
oldstable: 1.1.6+dfsg-5
stable: 1.3.5-1
testing: 1.3.6-1
unstable: 1.3.7-1

versioned links

1.1.6+dfsg-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.1.6+dfsg-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ruby-concurrent
ruby-concurrent-ext

action needed

3 security issues in trixie high

There are 3 open security issues in trixie.

3 important issues:

CVE-2026-54904: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap.; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.
CVE-2026-54905: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
CVE-2026-54906: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.

Created: 2026-06-25 Last update: 2026-06-25 07:00

3 security issues in forky high

There are 3 open security issues in forky.

3 important issues:

CVE-2026-54904: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap.; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.
CVE-2026-54905: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
CVE-2026-54906: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.

Created: 2026-06-25 Last update: 2026-06-25 07:00

3 security issues in bullseye high

There are 3 open security issues in bullseye.

3 important issues:

CVE-2026-54904: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap.; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.
CVE-2026-54905: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
CVE-2026-54906: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.

Created: 2026-06-25 Last update: 2026-06-25 07:00

3 security issues in bookworm high

There are 3 open security issues in bookworm.

3 important issues:

CVE-2026-54904: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds; Numeric compare_and_set, which checks old == old_value before attempting the underlying atomic swap.; and Ruby NaN semantics, where Float::NAN == Float::NAN is always false. As a result, once an AtomicReference contains Float::NAN, calling #update repeatedly evaluates the caller's block and never returns. In services that store externally derived numeric values in an AtomicReference, this can cause CPU exhaustion or permanent request/job hangs. This vulnerability is fixed in 1.3.7.
CVE-2026-54905: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD. After 32,768 reentrant read acquisitions, the local read count crosses into the write-lock bit. try_write_lock then treats the thread as already holding a write lock and returns true without setting the global RUNNING_WRITER bit. This breaks the core mutual-exclusion guarantee: the caller is told it has a write lock, but other threads can still hold or acquire read locks at the same time. This vulnerability is fixed in 1.3.7.
CVE-2026-54906: concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still running. Concurrent::ReadWriteLock#release_read_lock also decrements the shared counter even when no read lock is held. Calling it on a fresh lock changes the counter from 0 to -1, after which normal read acquisition raises Concurrent::ResourceLimitError. This is a synchronization correctness issue in the public Concurrent::ReadWriteLock API. This vulnerability is fixed in 1.3.7.

Created: 2026-06-25 Last update: 2026-06-25 07:00

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-06-23 Last update: 2026-06-25 11:02

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-18 Last update: 2026-06-18 09:31

testing migrations

excuses:
- Migration status for ruby-concurrent (1.3.6-1 to 1.3.7-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for ruby-dry-container/0.7.2-2: s390x: Pass ♻
- ∙ ∙ Autopkgtest for ruby-peek-pg/1.3.0-3: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), loong64: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/r/ruby-concurrent.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 7 days old (needed 5 days)
- Not considered

news

[2026-06-17] Accepted ruby-concurrent 1.3.7-1 (source) into unstable (Simon Quigley)
[2026-04-03] ruby-concurrent 1.3.6-1 MIGRATED to testing (Debian testing watch)
[2026-02-09] Accepted ruby-concurrent 1.3.6-1 (source) into unstable (Simon Quigley)
[2025-04-01] ruby-concurrent 1.3.5-1 MIGRATED to testing (Debian testing watch)
[2025-03-14] Accepted ruby-concurrent 1.3.5-1 (source) into unstable (Hans-Christoph Steiner)
[2025-02-07] ruby-concurrent 1.3.4-1 MIGRATED to testing (Debian testing watch)
[2025-02-04] Accepted ruby-concurrent 1.3.4-1 (source) into unstable (Cédric Boutillier)
[2025-01-29] ruby-concurrent 1.3.4-1~exp1 MIGRATED to testing (Debian testing watch)
[2025-01-09] Accepted ruby-concurrent 1.3.4-1~exp1 (source) into unstable (Cédric Boutillier)
[2024-08-13] ruby-concurrent 1.2.3-4 MIGRATED to testing (Debian testing watch)
[2024-08-10] Accepted ruby-concurrent 1.2.3-4 (source) into unstable (Jérôme Charaoui)
[2024-08-10] Accepted ruby-concurrent 1.2.3-3 (source) into unstable (Jérôme Charaoui)
[2024-03-09] ruby-concurrent 1.2.3-2 MIGRATED to testing (Debian testing watch)
[2024-02-18] Accepted ruby-concurrent 1.2.3-2 (source) into unstable (Jérôme Charaoui)
[2024-02-13] Accepted ruby-concurrent 1.2.3-1 (source) into unstable (Jérôme Charaoui)
[2022-04-10] ruby-concurrent 1.1.6+dfsg-5 MIGRATED to testing (Debian testing watch)
[2022-04-07] Accepted ruby-concurrent 1.1.6+dfsg-5 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2022-01-25] ruby-concurrent 1.1.6+dfsg-4 MIGRATED to testing (Debian testing watch)
[2022-01-22] Accepted ruby-concurrent 1.1.6+dfsg-4 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-03-14] ruby-concurrent 1.1.6+dfsg-3 MIGRATED to testing (Debian testing watch)
[2020-02-28] Accepted ruby-concurrent 1.1.6+dfsg-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-02-27] Accepted ruby-concurrent 1.1.6+dfsg-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-02-25] Accepted ruby-concurrent 1.1.6+dfsg-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2019-12-27] ruby-concurrent 1.0.5-4 MIGRATED to testing (Debian testing watch)
[2019-12-24] Accepted ruby-concurrent 1.0.5-4 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2019-04-18] ruby-concurrent 1.0.5-3 MIGRATED to testing (Debian testing watch)
[2019-04-15] Accepted ruby-concurrent 1.0.5-3 (source) into unstable (Antonio Terceiro)
[2018-08-30] ruby-concurrent 1.0.5-2 MIGRATED to testing (Debian testing watch)
[2018-08-27] Accepted ruby-concurrent 1.0.5-2 (source) into unstable (Balint Reczey)
[2018-05-15] Accepted ruby-concurrent 1.0.5-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)

1
2

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 2)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.3.6-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing