Debian Package Tracker
Register | Log in
Subscribe

rubygems

Choose email to subscribe with

general
  • source: rubygems (main)
  • version: 3.3.5-2
  • maintainer: Debian Ruby Team (archive) (DMD)
  • uploaders: Lucas Kanashiro [DMD]
  • arch: all
  • std-ver: 4.6.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • stable: 3.2.5-2
  • testing: 3.3.5-2
  • unstable: 3.3.5-2
versioned links
  • 3.2.5-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.3.5-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • bundler
  • ruby-bundler
  • ruby-rubygems (1 bugs: 0, 0, 1, 0)
action needed
Debci reports failed tests high
  • unstable: fail (log)
    The tests ran in 0:02:25
    Last run: 2022-05-17T06:37:12.000Z
    Previous status: fail

  • testing: fail (log)
    The tests ran in 0:03:12
    Last run: 2022-05-05T16:40:01.000Z
    Previous status: fail

  • stable: pass (log)
    The tests ran in 0:02:17
    Last run: 2022-05-03T07:20:47.000Z
    Previous status: pass

Created: 2022-03-16 Last update: 2022-05-23 04:14
A new upstream version is available: 3.3.14 high
A new upstream version 3.3.14 is available, you should consider packaging it.
Created: 2022-01-29 Last update: 2022-05-23 01:08
1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:
  • CVE-2020-36327: Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
Created: 2021-05-03 Last update: 2022-04-03 21:48
1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2020-36327: Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
Created: 2021-08-15 Last update: 2022-04-03 21:48
1 bug tagged patch in the BTS normal
The BTS contains patches fixing 1 bug, consider including or untagging them.
Created: 2021-08-14 Last update: 2022-05-23 04:04
Multiarch hinter reports 1 issue(s) normal
There are issues with the multiarch metadata for this package.
  • ruby-bundler could have its dependency on ruby annotated with :any
Created: 2020-10-16 Last update: 2022-05-23 01:11
Fails to build during reproducibility testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2022-03-27 Last update: 2022-05-23 01:09
lintian reports 11 warnings normal
Lintian reports 11 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2021-10-13 Last update: 2022-01-01 04:34
2 low-priority security issues in bullseye low

There are 2 open security issues in bullseye.

2 issues left for the package maintainer to handle:
  • CVE-2020-36327: (needs triaging) Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
  • CVE-2021-43809: (needs triaging) `Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash. To exploit this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as `bundle lock`, inside. This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this problem by inserting `--` as an argument before any positional arguments to those Git commands that were affected by this issue. Regardless of whether users can upgrade or not, they should review any untrustred `Gemfile`'s before running any `bundler` commands that may read them, since they can contain arbitrary ruby code.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-08-14 Last update: 2022-04-03 21:48
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).
Created: 2022-05-11 Last update: 2022-05-11 23:25
news
[rss feed]
  • [2022-01-31] rubygems 3.3.5-2 MIGRATED to testing (Debian testing watch)
  • [2022-01-28] Accepted rubygems 3.3.5-2 (source) into unstable (Antonio Terceiro)
  • [2022-01-21] Accepted rubygems 3.3.5-1 (source) into unstable (Lucas Kanashiro)
  • [2021-11-26] rubygems 3.2.27-3 MIGRATED to testing (Debian testing watch)
  • [2021-11-23] Accepted rubygems 3.2.27-3 (source) into unstable (Daniel Leidert)
  • [2021-10-20] rubygems 3.2.27-2 MIGRATED to testing (Debian testing watch)
  • [2021-10-17] Accepted rubygems 3.2.27-2 (source) into unstable (Antonio Terceiro)
  • [2021-09-27] rubygems 3.2.27-1 MIGRATED to testing (Debian testing watch)
  • [2021-09-24] Accepted rubygems 3.2.27-1 (source) into unstable (Lucas Kanashiro)
  • [2021-01-16] rubygems 3.2.5-2 MIGRATED to testing (Debian testing watch)
  • [2021-01-13] Accepted rubygems 3.2.5-2 (source) into unstable (Lucas Kanashiro)
  • [2021-01-13] Accepted rubygems 3.2.5-1 (source) into unstable (Lucas Kanashiro)
  • [2021-01-12] rubygems 3.2.4-1 MIGRATED to testing (Debian testing watch)
  • [2021-01-11] Accepted rubygems 3.2.4-2 (source) into unstable (Lucas Kanashiro)
  • [2021-01-10] rubygems 3.2.0~rc.2-6 MIGRATED to testing (Debian testing watch)
  • [2021-01-09] Accepted rubygems 3.2.4-1 (source) into unstable (Lucas Kanashiro)
  • [2021-01-07] Accepted rubygems 3.2.0~rc.2-6 (source) into unstable (Lucas Kanashiro)
  • [2020-12-10] rubygems 3.2.0~rc.2-5 MIGRATED to testing (Debian testing watch)
  • [2020-12-08] Accepted rubygems 3.2.0~rc.2-5 (source) into unstable (Lucas Kanashiro)
  • [2020-11-27] Accepted rubygems 3.2.0~rc.2-4 (source) into unstable (Lucas Kanashiro)
  • [2020-11-26] Accepted rubygems 3.2.0~rc.2-3 (source) into unstable (Lucas Kanashiro)
  • [2020-11-18] Accepted rubygems 3.2.0~rc.2-2 (source) into unstable (Lucas Kanashiro)
  • [2020-11-09] Accepted rubygems 3.2.0~rc.2-1 (source) into unstable (Lucas Kanashiro)
  • [2020-11-06] Accepted rubygems 3.2.0~rc.1-3 (source) into unstable (Lucas Kanashiro)
  • [2020-10-19] Accepted rubygems 3.2.0~rc.1-2 (source) into unstable (Lucas Kanashiro)
  • [2020-10-15] Accepted rubygems 3.2.0~rc.1-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Lucas Kanashiro)
  • [2018-03-31] Accepted rubygems 1.8.24-1+deb7u2 (source all) into oldoldstable (Santiago R.R.) (signed by: Santiago Ruano Rincón)
  • [2017-09-26] Accepted rubygems 1.8.24-1+deb7u1 (source all) into oldoldstable (Antoine Beaupré)
  • [2014-02-01] rubygems REMOVED from testing (Debian testing watch)
  • [2014-01-31] Bug#736762: Removed package(s) from unstable (Debian FTP Masters)
  • 1
  • 2
bugs [bug history graph]
  • all: 12
  • RC: 1
  • I&N: 7
  • M&W: 4
  • F&P: 0
  • patch: 1
links
  • homepage
  • lintian (0, 11)
  • buildd: logs, clang, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 3.3.5-2
  • 8 bugs

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing