- Fix command injection vulnerability in RDoc.
Resolves: CVE-2021-31799
- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host.
Resolves: CVE-2021-31810
- Fix StartTLS stripping vulnerability in Net::IMAP.
Resolves: CVE-2021-32066
- Fix dependencies of gems with explicit source installed from a different
source.
Resolves: CVE-2020-36327
The FTBFS has started to happen with rpm-4.16.90-0.git15395.2.fc35.
root.log
```
DEBUG util.py:444: error: line 116: Unknown tag: /chroot_tmpdir/srpm_unpacked/SOURCES/macros.ruby
```
As the `%{?load:...}` is undocumented, it is gone.
https://github.com/rpm-software-management/rpm/issues/1669
Symlinks to StdLib provided to preserve `--disable-gems` functionality
together with `require_relative` cause double loading issues [1], e.g.:
~~~
$ ruby --disable-gems -e 'require "openssl"; require "openssl/digest"'
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::MD4
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of MD4 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::MD5
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of MD5 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::RIPEMD160
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of RIPEMD160 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA1
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA1 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA224
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA224 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA256
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA256 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA384
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA384 was here
/usr/share/ruby/openssl/digest.rb:45: warning: already initialized constant OpenSSL::Digest::SHA512
/usr/share/gems/gems/openssl-2.2.0/lib/openssl/digest.rb:45: warning: previous definition of SHA512 was here
/usr/share/ruby/openssl/digest.rb:52:in `<class:Digest>': superclass mismatch for class Digest (TypeError)
from /usr/share/ruby/openssl/digest.rb:16:in `<module:OpenSSL>'
from /usr/share/ruby/openssl/digest.rb:15:in `<top (required)>'
from -e:1:in `require'
from -e:1:in `<main>'
~~~
We could maintain a downstream patch reverting the `require_relative`,
but given that how much troubles the extracted gems cause, it'll be
better to keep them bundled. This will provide similar experience to
upstream and prevent similar issues.
[1]: https://bugs.ruby-lang.org/issues/16978#note-11
When the `gem.build_complete` file is not present, Bundler treats the
package as uninstalled, therefore leaves it out from the dependency
resolution with error such as:
~~~
Could not find gem 'openssl', which is required by gem 'net-ssh', in any of the sources.
~~~
[1] 1969e8adfc/bundler/lib/bundler/source/rubygems.rb (L353-L384)
This fixes IRB failures:
~~~
$ irb
/usr/share/rubygems/rubygems/specification.rb:1398:in `rescue in block in activate_dependencies': Could not find 'io-console' (~> 0.5) among 76 total gem(s) (Gem::MissingSpecError)
Checked in 'GEM_PATH=/builddir/.local/share/gem/ruby:/usr/share/gems:/usr/local/share/gems' at: /usr/share/gems/specifications/reline-0.2.0.gemspec, execute `gem env` for more information
from /usr/share/rubygems/rubygems/specification.rb:1395:in `block in activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `each'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1366:in `activate'
from /usr/share/rubygems/rubygems/specification.rb:1402:in `block in activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `each'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1366:in `activate'
from /usr/share/rubygems/rubygems.rb:302:in `block in activate_bin_path'
from /usr/share/rubygems/rubygems.rb:301:in `synchronize'
from /usr/share/rubygems/rubygems.rb:301:in `activate_bin_path'
from /usr/bin/irb:23:in `<main>'
/usr/share/rubygems/rubygems/dependency.rb:307:in `to_specs': Could not find 'io-console' (~> 0.5) among 76 total gem(s) (Gem::MissingSpecError)
Checked in 'GEM_PATH=/builddir/.local/share/gem/ruby:/usr/share/gems:/usr/local/share/gems' , execute `gem env` for more information
from /usr/share/rubygems/rubygems/specification.rb:1396:in `block in activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `each'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1366:in `activate'
from /usr/share/rubygems/rubygems/specification.rb:1402:in `block in activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `each'
from /usr/share/rubygems/rubygems/specification.rb:1384:in `activate_dependencies'
from /usr/share/rubygems/rubygems/specification.rb:1366:in `activate'
from /usr/share/rubygems/rubygems.rb:302:in `block in activate_bin_path'
from /usr/share/rubygems/rubygems.rb:301:in `synchronize'
from /usr/share/rubygems/rubygems.rb:301:in `activate_bin_path'
from /usr/bin/irb:23:in `<main>'
~~~
RubyGems 3.2.0 rewored their plugins system for improvement performance
[[1]]. Each RubyGems plugins has now generated loader stub during
installation. This directory needs to have proper ownership.
[1]: https://github.com/rubygems/rubygems/pull/3108
* Extract RSS and REXML into separate subpackages, because they were moved from
default gems to bundled gems.
* Obsolete Net::Telnet and XMLRPC packages, because they were dropped from Ruby.
The detailed changelog leading to this release is preserved in
private-ruby-3.0 branch.
as it's needed for building (gem install ...) gems with binary extensions.
This is a workaround to have /usr/lib/rpm/redhat/redhat-hardened-cc1
on the system, as same CFLAGS are reused from when Ruby was built.
Resolves: rhbz#1905222
Because setting the option makes some tests stable that are currently randomly
failing with error on especially s390x and aarch64.
We observed the failing tests are calling `assert_in_out_err` method
calling `invoke_ruby` calling method.
Then when the `th_stdout.join(timeout)` or `th_stderr.join(timeout)` returns
`nil` as thread timeout in `invoke_ruby` method, it causes the error. [1][2]
The `test_timeout_scale` macro is to set the environment variable
`RUBY_TEST_TIMEOUT_SCALE` to increase the timeout in `apply_timeout_scale`
method as <new timeout> = <timeout> * <timeout scale>.
As an example, `TestBugReporter#test_bug_reporter_add` test's
maximum thread timeout was 56+ seconds for the default timeout 10 seconds. [3]
In this case setting `RUBY_TEST_TIMEOUT_SCALE=6` (6 * 10 = 60) is good enough
for 56+ seconds.
[1] https://github.com/ruby/ruby/blob/v2_7_1/tool/lib/envutil.rb#L149
[2] https://bugs.ruby-lang.org/issues/16492#note-8
[3] https://bugs.ruby-lang.org/issues/16492#note-4
Independent rubygems package used to provide rubygems-devel subpackages,
but this is going to change to ease the independent rubygems package
maitenance and therefore ruby package will become the ultimate source of
rubygems-devel package.
It is increasingly hard to maintain default gems extracted from StdLib
into gems. If they are overlapped by independent versions, it is even
harder, because the overlapped versions would need to provide symlinks
back to StdLib \[[1]\]. On top of that, the layout differs from
upstream, where default gems are always available.
Because these small nuances can make hard discoverable race conditions
during Ruby application loading and runtime, it will be best to keep the
default gems bundled.
[1]: https://src.fedoraproject.org/rpms/rubygem-racc/pull-request/1
This is needed to compile zlib support. I think it is by accident available in the original buildroot, but not in mine.
I think it is better to explicitly name it.
During update, RPM cannot simply replace directory by link to direcotry,
therefore create the directory structure and link the files there one by
one (rhbz#1691039).
This avoids issues running `$ bin/rails console --sandbox`, which
otherwise breaks with error such as:
~~~
$ bin/rails console --sandbox
Traceback (most recent call last):
12: from bin/rails:4:in `<main>'
11: from bin/rails:4:in `require'
10: from /builddir/.gem/ruby/gems/railties-5.2.2.1/lib/rails/commands.rb:18:in `<top (required)>'
9: from /builddir/.gem/ruby/gems/railties-5.2.2.1/lib/rails/command.rb:44:in `invoke'
8: from /builddir/.gem/ruby/gems/railties-5.2.2.1/lib/rails/command.rb:70:in `find_by_namespace'
7: from /builddir/.gem/ruby/gems/railties-5.2.2.1/lib/rails/command/behavior.rb:79:in `lookup'
6: from /builddir/.gem/ruby/gems/railties-5.2.2.1/lib/rails/command/behavior.rb:79:in `each'
5: from /builddir/.gem/ruby/gems/railties-5.2.2.1/lib/rails/command/behavior.rb:80:in `block in lookup'
4: from /builddir/.gem/ruby/gems/railties-5.2.2.1/lib/rails/command/behavior.rb:80:in `each'
3: from /builddir/.gem/ruby/gems/railties-5.2.2.1/lib/rails/command/behavior.rb:84:in `block (2 levels) in lookup'
2: from /builddir/.gem/ruby/gems/railties-5.2.2.1/lib/rails/command/behavior.rb:84:in `require'
1: from /builddir/.gem/ruby/gems/railties-5.2.2.1/lib/rails/commands/console/console_command.rb:3:in `<top (required)>'
/builddir/.gem/ruby/gems/railties-5.2.2.1/lib/rails/commands/console/console_command.rb:3:in `require': cannot load such file -- irb (LoadError)
~~~
The macros need to be udpated, since RPM 4.14+ can expand .gem files and
also also provide %{gem_name}.gemspec file used to rebuild the gem.
However, the .gemspec file is not in current directory, but directly in
%{_builddir}.
