diff --git a/rexml-3.3.9.gem b/rexml-3.3.9.gem
new file mode 100644
index 0000000000000000000000000000000000000000..2a9931d940f4748b7fb59dbc74247c89c2f2d2d4
Binary files /dev/null and b/rexml-3.3.9.gem differ
diff --git a/ruby.spec b/ruby.spec
index 8663f90701663764aaf9184875787c74c67b7330..29ad5d16528e980ab217d94870fd28a3c6781968 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -20,7 +20,7 @@
 %global rake_version 13.0.6
 %global rbs_version 2.8.2
 %global test_unit_version 3.5.7
-%global rexml_version 3.3.2
+%global rexml_version 3.3.9
 %global rss_version 0.2.9
 %global syntax_suggest_version 1.1.0
 %global typeprof_version 0.21.3
@@ -34,7 +34,7 @@
 
 Name: ruby
 Version: %{ruby_version}
-Release: 147
+Release: 148
 Summary: Object-oriented scripting language interpreter
 License: (Ruby OR BSD-2-Clause) AND (Ruby OR BSD-2-Clause OR GPL-1.0-or-later) AND BSD-3-Clause AND (GPL-3.0-or-later WITH Bison-exception-2.2) AND ISC AND Public Domain AND MIT AND CC0 AND zlib AND Unicode-DFS-2015
 URL: https://www.ruby-lang.org/en/
@@ -56,6 +56,9 @@ Source13: test_systemtap.rb
 %{load:%{SOURCE4}}
 %{load:%{SOURCE5}}
 
+# Separated source of rexml for security updates
+Source6001: https://rubygems.org/downloads/rexml-%{rexml_version}.gem
+
 # Fix ruby_version abuse.
 # https://bugs.ruby-lang.org/issues/11002
 Patch0: ruby-2.3.0-ruby_version.patch
@@ -374,6 +377,13 @@ rm -rf ext/fiddle/libffi*
 
 cp -a %{SOURCE3} .
 
+# Update rexml.gem by replace it with downloaded gem
+(
+rm -f gems/rexml*.gem
+cp %{S:6001} gems/rexml-%{rexml_version}.gem
+sed -i -e 's,rexml 3.3.2,rexml %{rexml_version},' gems/bundled_gems
+)
+
 %build
 autoconf
 
@@ -885,6 +895,11 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %{gem_dir}/specifications/matrix-%{matrix_version}.gemspec
 
 %changelog
+* Tue Oct 29 2024 Funda Wang - 3.2.5-148
+- update rexml to 3.3.9
+- fix CVE-2024-35176, CVE-2024-41946, CVE-2024-39908
+  CVE-2024-41123, CVE-2024-43398, CVE-2024-49761
+
 * Tue Oct 15 2024 Funda Wang - 3.2.5-147
 - update to 3.2.5
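Review bot: Source6001 introduces an artifact fetched from rubygems.org, but neither this hunk nor the %prep block that consumes it records or checks the gem's digest, so a mismatched or tampered rexml-3.3.9.gem would be copied into gems/ without notice. Since the gem is checked into the repository as a binary next to the spec, pin its SHA-256 beside the Source line and verify it in %prep before the copy, e.g. `echo "<SHA256-OF-REXML-GEM>  %{S:6001}" | sha256sum -c -` (placeholder digest, to be taken from the rubygems.org listing for this version). A comment on the Source line saying that this gem replaces the one bundled in the ruby tarball would also help the next maintainer understand why a gem is listed as a separate source.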
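Review bot: The sed in the new %prep block hard-codes the previously bundled version `rexml 3.3.2`, so on the next ruby tarball update that bundles a different rexml the substitution silently matches nothing while the preceding `rm -f gems/rexml*.gem` has already deleted the bundled gem, leaving gems/bundled_gems pointing at a file that no longer exists. Match the version generically and assert the edit took effect, e.g. `sed -i -E 's,^rexml [0-9.]+,rexml %{rexml_version},' gems/bundled_gems` followed by `grep -q '^rexml %{rexml_version}' gems/bundled_gems || exit 1`. The parenthesised subshell adds nothing here, as no directory change or variable scoping happens inside it, and the comment reads better as `# Replace the bundled rexml gem with the separately downloaded one`.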