Control: tag -1 pending

Hello,
Bug #1069968 in ruby reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/ruby-team/ruby/-/commit/2a4748cd80f9db3c66f9cc47c9adac0e57298144

------------------------------------------------------------------------
Import Debian changes 2.5.5-3+deb10u7

ruby2.5 (2.5.5-3+deb10u7) buster-security; urgency=high
  .
  * Non-maintainer upload by the ELTS Security Team.
  * Fix testsuite
    * Update test certificates.
    * Update tests for new tzdata.
    * Update tests for Git CVE-2022-39253.
    * Backport assert_linear_performance.
    * Add missing test for CVE-2023-28756.
    * Fix flaky test in io_console.
    * Exclude CI-breaking test TestProcess#test_popen_exit.
    * Exclude flaky test TestRDocMarkupPreProcess#test_class_post_process.
    * Exclude flaky test TestTime#test_strftime_no_hidden_garbage.
  * CVE-2023-36617: follow-up fix for CVE-2023-28755.
  * CVE-2024-27280: a buffer-overread issue was discovered in StringIO. The
    ungetbyte and ungetc methods on a StringIO can read past the end of a
    string, and a subsequent call to StringIO.gets may return the memory
    value. (Closes: #1069966)
  * CVE-2024-27281: when parsing .rdoc_options (used for configuration in
    RDoc) as a YAML file, object injection and resultant remote code
    execution are possible because there are no restrictions on the classes
    that can be restored. (When loading the documentation cache, object
    injection and resultant remote code execution are also possible if there
    were a crafted cache.) (Closes: #1067802)
  * CVE-2024-27282: if attacker-supplied data is provided to the Ruby regex
    compiler, it is possible to extract arbitrary heap data relative to the
    start of the text, including pointers and sensitive strings.
    (Closes: #1069968)
  * Fix lintian error: drop obsolete override.
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1069968
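The CVE-2024-27281 entry above turns on one mechanism: YAML loaded with no restriction on which classes may be restored will instantiate whatever `!ruby/object:` tag the file names. The following is an added example, not code from the Debian ruby package, RDoc, or this bug report. It builds a constructed `.rdoc_options`-style document carrying a tagged node, loads it once without class restrictions (via `Psych.unsafe_load` where it exists, else the pre-Psych-4 `Psych.load`) and once with `Psych.safe_load`, and shows that the restricted loader rejects the node with `Psych::DisallowedClass` unless the class is explicitly permitted. The `AuditRecord` class and the YAML text are constructed for the demonstration; it assumes a Psych with the `permitted_classes:` keyword (Ruby 2.6 or later).

```ruby
require 'yaml'

# Constructed, harmless class standing in for "any class on the load path".
# The point is only that the loader instantiates it without being asked.
class AuditRecord
  attr_reader :note

  def initialize(note)
    @note = note
  end
end

# Constructed .rdoc_options-style input (not a real RDoc file or payload):
# ordinary settings plus one node tagged with an arbitrary Ruby class.
TAINTED_OPTIONS = <<~YAML
  ---
  title: "Constructed rdoc options"
  main_page: README.md
  extra: !ruby/object:AuditRecord
    note: "restored without the class ever being asked"
YAML

# Unrestricted load: the tagged node becomes a live AuditRecord.
# Psych >= 3.3.2 exposes this as unsafe_load; older Psych's load behaves the same.
def load_unrestricted(yaml)
  loader = Psych.respond_to?(:unsafe_load) ? :unsafe_load : :load
  Psych.public_send(loader, yaml)
end

# Restricted load: only classes listed in `permitted` may be revived.
# Any other tagged class raises Psych::DisallowedClass before instantiation.
def load_restricted(yaml, permitted: [])
  Psych.safe_load(yaml, permitted_classes: permitted)
end

# Summarise what each loader does with the same input.
def classify(yaml)
  unrestricted = load_unrestricted(yaml)
  restricted =
    begin
      load_restricted(yaml)
      :allowed
    rescue Psych::DisallowedClass
      :rejected
    end
  { unrestricted_class: unrestricted['extra'].class, restricted: restricted }
end

if $PROGRAM_NAME == __FILE__
  result = classify(TAINTED_OPTIONS)
  puts "unrestricted loader built: #{result[:unrestricted_class]}"
  puts "safe_load with no permitted classes: #{result[:restricted]}"
  puts "safe_load permitting AuditRecord: " \
       "#{load_restricted(TAINTED_OPTIONS, permitted: [AuditRecord])['extra'].note}"
end
```

A configuration or cache file that only ever needs strings, numbers, arrays and hashes should be read with `safe_load` and an empty (or deliberately short) permitted list; the allow-list is the control, and the example passes `[AuditRecord]` only to show that the restricted loader revives exactly what it is told to and nothing else.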