[Git][security-tracker-team/security-tracker][master] Reserve DLA-4163-1 for rubygems

Lucas Kanashiro (@kanashiro) kanashiro at debian.org
Mon May 12 22:03:11 BST 2025



Lucas Kanashiro pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fa15b40b by Lucas Kanashiro at 2025-05-12T18:03:01-03:00
Reserve DLA-4163-1 for rubygems

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -188057,7 +188057,6 @@ CVE-2023-28755 (A ReDoS issue was discovered in the URI component through 0.12.0
 	{DLA-3858-1 DLA-3447-1 DLA-3408-1}
 	- rubygems 3.4.20-1
 	[bookworm] - rubygems <no-dsa> (Minor issue)
-	[bullseye] - rubygems <no-dsa> (Minor issue)
 	- ruby3.1 <removed> (bug #1038408)
 	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
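Review bot: the advisory cross-reference line for CVE-2023-28755 still reads `{DLA-3858-1 DLA-3447-1 DLA-3408-1}` and is not extended with DLA-4163-1, even though this commit reserves that DLA for the same CVE and drops the bullseye `<no-dsa>` tag below it. If this file's convention is to list every advisory that fixed the issue on that line, add `DLA-4163-1` there so the CVE and DLA entries reference each other consistently.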
@@ -297515,7 +297514,6 @@ CVE-2021-43810 (Admidio is a free open source user management system for website
 	NOT-FOR-US: Admidio
 CVE-2021-43809 (`Bundler` is a package for managing application dependencies in Ruby.  ...)
 	- rubygems 3.3.5-1
-	[bullseye] - rubygems <no-dsa> (Minor issue)
 	NOTE: https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43
 	NOTE: https://github.com/rubygems/rubygems/commit/90b1ed8b9f8b636aa8c913f7b5a764a2e03d179c (v3.3.0)
 	NOTE: https://github.com/rubygems/rubygems/pull/5142
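Review bot: dropping the `[bullseye] - rubygems <no-dsa> (Minor issue)` tag for CVE-2021-43809 matches the new DLA entry, but note that the DLA below lists three CVEs while the CVE/list hunks only touch CVE-2023-28755 and CVE-2021-43809. Confirm that CVE-2025-27221 carries no remaining `[bullseye] - rubygems <no-dsa>` or `<postponed>` line, otherwise the tracker will keep reporting it as unfixed in bullseye despite the advisory.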


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[12 May 2025] DLA-4163-1 rubygems - security update
+	{CVE-2021-43809 CVE-2023-28755 CVE-2025-27221}
+	[bullseye] - rubygems 3.2.5-2+deb11u1
 [12 May 2025] DLA-4162-1 redis - security update
 	{CVE-2025-21605}
 	[bullseye] - redis 5:6.0.16-1+deb11u6
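Review bot: the entry fixes bullseye at `3.2.5-2+deb11u1`, but the dla-needed notes removed in the same commit say the bullseye fix was only staged in git pending approval of the bookworm-p-u upload (#1103926). Make sure the version string here matches the package actually uploaded to bullseye-security before the DLA text is sent, since the tracker treats this line as the fixed version for all three CVEs.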


=====================================
data/dla-needed.txt
=====================================
@@ -353,15 +353,6 @@ rails
 ruby-graphql
   NOTE: 20250422: Added by Front-Desk (rouca)
 --
-rubygems
-  NOTE: 20250304: Added by Front-Desk (rouca)
-  NOTE: 20250324: Need to update rubygems in sid to fix CVE-2025-27221.
-  NOTE: 20250324: Asked most recent uploader about this.  (spwhitton)
-  NOTE: 20250407: CVE-2025-27221 is already fixed in src:rubygems/sid,trixie. (kanashiro)
-  NOTE: 20250407: It needs to be fixed in src:ruby3.3 (there are 3 copies of the uri gem, affected by this CVE). (kanashiro)
-  NOTE: 20250423: Fix in src:rubygems sent to bookworm-p-u (#1103926)
-  NOTE: 20250423: Fix for bullseye also staged in the git repo, will be uploaded once RM approves the package in bookworm-p-u (kanashiro)
---
 snapcast
   NOTE: 20250118: Added by Front-Desk (rouca)
   NOTE: 20250119: Upstream just re-added a secured Stream.AddStream functionality to fix CVE-2023-36177, but hasn't released it yet (dleidert)
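Review bot: removing the rubygems entry is the expected step once the DLA is reserved, but the deleted notes also record two follow-ups that this file will no longer carry: the bookworm-p-u fix tracked as #1103926 and the observation that CVE-2025-27221 additionally needs a fix in src:ruby3.3 because of the bundled copies of the uri gem. Neither is a bullseye/LTS item, so dropping them here is fine as long as the ruby3.3 work is still visible in data/CVE/list under CVE-2025-27221; otherwise consider keeping a NOTE there so the follow-up is not lost.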



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa15b40b767e349aa7dd04912c85ed0fcebf230f
