[DRE-maint] Bug#1103926: bookworm-pu: package rubygems/3.3.15-2+deb12u1
Lucas Kanashiro
kanashiro at debian.org
Tue Apr 22 22:07:14 BST 2025
Package: release.debian.org
Control: affects -1 + src:rubygems
X-Debbugs-Cc: rubygems at packages.debian.org
User: release.debian.org at packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
[ Reason ]
This includes a fix for CVE-2025-27221 and CVE-2023-28755.
[ Impact ]
Users' systems will be vulnerable due to URI code vendored in rubygems.
[ Tests ]
The upstream tests were not included in those patches because the tests
in vendor code are not executed. However, this was well tested upstream
and I also did some manual testing to make sure the URI code is now
fixed.
[ Risks ]
The code changed is not too complex, I do not foresee a big risk of a
regression TBH.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Backported upstream fixes for the 2 CVEs mentioned and nothing else.
[ Other info ]
The security team asked me to push those changes via proposed-updates.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rubygems.debdiff
Type: text/x-patch
Size: 10498 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-ruby-extras-maintainers/attachments/20250422/631092a5/attachment.bin>