Debian Package Tracker
Register | Log in
Subscribe

rubygems

Choose email to subscribe with

general
  • source: rubygems (main)
  • version: 3.3.15-2
  • maintainer: Debian Ruby Team (archive) (DMD)
  • uploaders: Lucas Kanashiro [DMD]
  • arch: all
  • std-ver: 4.6.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • oldstable: 3.2.5-2
  • stable: 3.3.15-2
  • testing: 3.3.15-2
  • unstable: 3.3.15-2
versioned links
  • 3.2.5-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.3.15-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • bundler
  • ruby-bundler
  • ruby-rubygems (1 bugs: 0, 0, 1, 0)
action needed
A new upstream version is available: 3.4.19 high
A new upstream version 3.4.19 is available, you should consider packaging it.
Created: 2023-01-01 Last update: 2023-09-21 12:39
1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:
  • CVE-2023-28755: A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
Created: 2023-06-11 Last update: 2023-09-02 21:37
1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:
  • CVE-2023-28755: A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
Created: 2023-04-02 Last update: 2023-09-02 21:37
1 bug tagged patch in the BTS normal
The BTS contains patches fixing 1 bug, consider including or untagging them.
Created: 2023-09-13 Last update: 2023-09-21 16:34
Multiarch hinter reports 1 issue(s) normal
There are issues with the multiarch metadata for this package.
  • ruby-bundler could have its dependency on ruby annotated with :any
Created: 2020-10-16 Last update: 2023-09-21 12:41
lintian reports 11 warnings normal
Lintian reports 11 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2023-01-01 Last update: 2023-02-17 23:05
3 low-priority security issues in bullseye low

There are 3 open security issues in bullseye.

2 issues left for the package maintainer to handle:
  • CVE-2021-43809: (needs triaging) `Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash. To exploit this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as `bundle lock`, inside. This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this problem by inserting `--` as an argument before any positional arguments to those Git commands that were affected by this issue. Regardless of whether users can upgrade or not, they should review any untrustred `Gemfile`'s before running any `bundler` commands that may read them, since they can contain arbitrary ruby code.
  • CVE-2023-28755: (needs triaging) A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:
  • CVE-2020-36327: Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
Created: 2022-07-04 Last update: 2023-09-02 21:37
1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:
  • CVE-2023-28755: (needs triaging) A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

You can find information about how to handle this issue in the security team's documentation.

Created: 2023-04-02 Last update: 2023-09-02 21:37
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.6.1).
Created: 2022-12-17 Last update: 2023-01-01 19:07
news
[rss feed]
  • [2023-01-03] rubygems 3.3.15-2 MIGRATED to testing (Debian testing watch)
  • [2023-01-01] Accepted rubygems 3.3.15-2 (source) into unstable (Lucas Nussbaum)
  • [2022-06-05] rubygems 3.3.15-1 MIGRATED to testing (Debian testing watch)
  • [2022-06-02] Accepted rubygems 3.3.15-1 (source) into unstable (Lucas Kanashiro)
  • [2022-01-31] rubygems 3.3.5-2 MIGRATED to testing (Debian testing watch)
  • [2022-01-28] Accepted rubygems 3.3.5-2 (source) into unstable (Antonio Terceiro)
  • [2022-01-21] Accepted rubygems 3.3.5-1 (source) into unstable (Lucas Kanashiro)
  • [2021-11-26] rubygems 3.2.27-3 MIGRATED to testing (Debian testing watch)
  • [2021-11-23] Accepted rubygems 3.2.27-3 (source) into unstable (Daniel Leidert)
  • [2021-10-20] rubygems 3.2.27-2 MIGRATED to testing (Debian testing watch)
  • [2021-10-17] Accepted rubygems 3.2.27-2 (source) into unstable (Antonio Terceiro)
  • [2021-09-27] rubygems 3.2.27-1 MIGRATED to testing (Debian testing watch)
  • [2021-09-24] Accepted rubygems 3.2.27-1 (source) into unstable (Lucas Kanashiro)
  • [2021-01-16] rubygems 3.2.5-2 MIGRATED to testing (Debian testing watch)
  • [2021-01-13] Accepted rubygems 3.2.5-2 (source) into unstable (Lucas Kanashiro)
  • [2021-01-13] Accepted rubygems 3.2.5-1 (source) into unstable (Lucas Kanashiro)
  • [2021-01-12] rubygems 3.2.4-1 MIGRATED to testing (Debian testing watch)
  • [2021-01-11] Accepted rubygems 3.2.4-2 (source) into unstable (Lucas Kanashiro)
  • [2021-01-10] rubygems 3.2.0~rc.2-6 MIGRATED to testing (Debian testing watch)
  • [2021-01-09] Accepted rubygems 3.2.4-1 (source) into unstable (Lucas Kanashiro)
  • [2021-01-07] Accepted rubygems 3.2.0~rc.2-6 (source) into unstable (Lucas Kanashiro)
  • [2020-12-10] rubygems 3.2.0~rc.2-5 MIGRATED to testing (Debian testing watch)
  • [2020-12-08] Accepted rubygems 3.2.0~rc.2-5 (source) into unstable (Lucas Kanashiro)
  • [2020-11-27] Accepted rubygems 3.2.0~rc.2-4 (source) into unstable (Lucas Kanashiro)
  • [2020-11-26] Accepted rubygems 3.2.0~rc.2-3 (source) into unstable (Lucas Kanashiro)
  • [2020-11-18] Accepted rubygems 3.2.0~rc.2-2 (source) into unstable (Lucas Kanashiro)
  • [2020-11-09] Accepted rubygems 3.2.0~rc.2-1 (source) into unstable (Lucas Kanashiro)
  • [2020-11-06] Accepted rubygems 3.2.0~rc.1-3 (source) into unstable (Lucas Kanashiro)
  • [2020-10-19] Accepted rubygems 3.2.0~rc.1-2 (source) into unstable (Lucas Kanashiro)
  • [2020-10-15] Accepted rubygems 3.2.0~rc.1-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Lucas Kanashiro)
  • 1
  • 2
bugs [bug history graph]
  • all: 12
  • RC: 0
  • I&N: 8
  • M&W: 4
  • F&P: 0
  • patch: 1
links
  • homepage
  • lintian (0, 11)
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 3.3.15-2
  • 8 bugs

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing