Ruby 3.3.6 is a routine update that includes minor bug fixes. It also
stops warning about missing default gem dependencies that will be bundled
gems in Ruby 3.5.
Link: https://github.com/ruby/ruby/releases/tag/v3_3_6
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Since ruby 3.3.0, yjit was converted into rust code. During build, ruby will try to use whatever rustc is available in $PATH, including the one provided by the OS. Variations in that rustc can generate anything between a perfectly functional build with yjit enabled and a broken build like this (from github actions):
2024-10-16T05:06:05.9863422Z linking static-library libruby-static.a
2024-10-16T05:06:06.0625182Z LLVM ERROR: Invalid encoding
2024-10-16T05:06:06.1531894Z make[4]: *** [Makefile:318: libruby-static.a] Aborted (core dumped)
Ruby 3.3.5 still only supports yjit for x86_64 and aarch64. Even for those targets, the ruby build does not support cross-compiling.
This commit adds rust as a dependency for those supported archs, even when cross-compiling, to let it work when host and target arch matches.
We don't need yjit for host build and we can disable it.
Closes #25151, #25052
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Ruby 3.3.4 fixes a regression in Ruby 3.3.3 that dependencies are
missing in the gemspec of some bundled gems: net-pop, net-ftp, net-imap,
and prime. The fix allows Bundler to successfully install those gems on
platforms like Heroku. If your bundle install runs correctly now, you
may not have this issue. Other changes are mostly minor bug fixes.
See: https://www.ruby-lang.org/en/news/2024/07/09/ruby-3-3-4-released/
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Ruby 3.3 adds a new parser named Prism, uses Lrama as a parser
generator, adds a new pure-Ruby JIT compiler named RJIT, and brings many
performance improvements, especially in YJIT.
See: https://www.ruby-lang.org/en/news/2023/12/25/ruby-3-3-0-released/
The 3.3.1 release includes security fixes.
- CVE-2024-27282: Arbitrary memory address read vulnerability with Regex search
- CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
- CVE-2024-27280: Buffer overread vulnerability in StringIO
See: https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-3-1-released/
The 3.3.2 release includes many bug-fixes.
See: https://www.ruby-lang.org/en/news/2024/05/30/ruby-3-3-2-released/
Packaging changes since 3.2.2:
- New packages: ruby-prism and ruby-rjit
- Added /usr/bin/rdbg to ruby-debug
- Added /usr/bin/syntax_suggest to ruby-syntax_suggest
The 3.3.3 release includes:
- RubyGems 3.5.11
- Bundler 2.5.11
- REXML 3.2.8
- strscan 3.0.9
- --dump=prism_parsetree is replaced by --parser=prism --dump=parsetree
- Invalid encoding symbols raise SyntaxError instead of EncodingError
- Memory leak fix in Ripper parsing
- Bugfixes for YJIT, **{}, Ripper.tokenize,
  RubyVM::InstructionSequence#to_binary, --with-gmp, and some build
  environments
See: https://www.ruby-lang.org/en/news/2024/06/12/ruby-3-3-3-released/
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Ruby uses extensions (.so files) that might also depend on other
libraries. When the linker builds an executable, it will refer to the
path where it found the library, including those in the staging dir.
However, when it links a shared library (like ruby exts), it will leave
that dependency to be resolved at runtime.
During host and target build, the ruby build script runs ruby scripts.
When it loads an ext that depends on another library, it will, by
default, look for the system libraries to satisfy that, breaking the
build when it fails. Setting LD_LIBRARY_PATH to the staging lib dir is a
valid workaround.
Ruby can also be built statically, linking all exts into the ruby
executable. That will make the linker point to the staging library path,
fixing the issue. It was used in the past but, at some point, ruby broke
it. Now it is working as expected.
Closes #20839
While at it, clean up excluded extensions not used by host ruby.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
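The commit message above describes extensions whose shared-library dependency is only present in the staging dir and therefore cannot be found at runtime without LD_LIBRARY_PATH. The following POSIX sh snippet is an added example (not part of the OpenWrt ruby package or of its commit history) that shows how to spot such an unresolved dependency in `ldd` output and how the LD_LIBRARY_PATH workaround is applied. The staging path, the library name and the `ldd` output are constructed for the example.

```shell
#!/bin/sh
# Added example, not OpenWrt's ruby Makefile: diagnose a Ruby extension (.so)
# whose NEEDED library exists only in the staging dir, and run a command with
# the staging lib dir prepended to LD_LIBRARY_PATH so the loader finds it.

# Print the names of libraries that `ldd` reports as "not found".
# Reads ldd output on stdin; one library name per output line.
missing_deps() {
  awk '/=> not found/ { print $1 }'
}

# Build the LD_LIBRARY_PATH value the workaround uses: the staging lib dir
# first, then whatever was already set (if anything).
staging_ld_path() {
  staging_lib="$1"
  if [ -n "$LD_LIBRARY_PATH" ]; then
    printf '%s:%s\n' "$staging_lib" "$LD_LIBRARY_PATH"
  else
    printf '%s\n' "$staging_lib"
  fi
}

# Run a command with the staging lib dir prepended to LD_LIBRARY_PATH.
# Usage: with_staging_libs /path/to/staging/usr/lib ruby -e 'require "psych"'
with_staging_libs() {
  staging_lib="$1"; shift
  LD_LIBRARY_PATH="$(staging_ld_path "$staging_lib")" "$@"
}

# Constructed sample: what `ldd psych.so` could print when libyaml lives only
# in the staging dir (library names and addresses are made up).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd3c1f0000)
    libyaml-0.so.2 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1f2a000000)'

# Demonstration: list the unresolved dependencies of the sample, then show
# the LD_LIBRARY_PATH the workaround would use for a hypothetical staging dir.
demo() {
  echo "unresolved:"
  printf '%s\n' "$SAMPLE_LDD" | missing_deps
  echo "LD_LIBRARY_PATH would be:"
  staging_ld_path "/tmp/staging_dir/host/usr/lib"
}

demo
```

On a real build tree, replace the sample with `ldd path/to/ext.so | missing_deps`; an empty result after wrapping the command in `with_staging_libs` confirms the staging dir now satisfies the dependency.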
This release includes security fixes. Please check the topics below for
details.
- CVE-2023-28755: ReDoS vulnerability in URI
- CVE-2023-28756: ReDoS vulnerability in Time
See https://github.com/ruby/ruby/releases/tag/v3_2_2 for further details.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
LibreSSL 3.5 and later provide and need to use
PEM_write_bio_PrivateKey_traditional()
upstream commit:
e25fb0d0d8b02815271f
Signed-off-by: ZiMing Mo <msylgj@immortalwrt.org>
1. ruby/host build fails on macOS because Apple ld generates a warning
if a folder from LDFLAGS does not exist. The configure script catches this
warning and fails. This patch disables ld warnings for macOS.
2. ruby build fails on macOS because /bin/true does not exist on macOS.
This patch replaces /bin/true with true in the OpenWrt Makefile.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
This release fixes some bugs and these vulnerabilities:
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Fixes two CVEs:
CVE-2021-28965: XML round-trip vulnerability in REXML
CVE-2021-28966: Path traversal in Tempfile on Windows
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
The crude loop I wrote to come up with this changeset:
find -L package/feeds/packages/ -name patches | \
sed 's/patches$/refresh/' | sort | xargs make
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
This release contains intentional incompatibility. Deprecation warnings are
off by default on 2.7.2 and later. You can turn on deprecation warnings by
specifying the -w or -W:deprecated option at the command-line. Please check
the topics below for details.
* Feature #17000 2.7.2 turns off deprecation warnings by default
* Feature #16345 Don’t emit deprecation warnings by default.
This release contains the new version of webrick with a security fix described in the article.
* CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This activates following extensions:
* io/nonblock
* io/wait
* openssl
* pathname
* ripper
* socket
* zlib
zlib and socket are required for gem, so they should just be enabled,
because otherwise it does not make sense to provide a host gem at all.
The rest of the extensions are activated to support compass.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
Bug fixes and a security update of the bundled RubyGems:
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Fix only release, including:
* CVE-2018-16396: Tainted flags are not propagated in Array#pack
and String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work
correctly
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes some bug fixes and some security fixes.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
There are also some bug fixes.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes some bug fixes and a security fix.
CVE-2017-17405: Command injection vulnerability in Net::FTP
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release contains some security fixes.
CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure in generating JSON
Multiple vulnerabilities in RubyGems
Update bundled libyaml to version 0.1.7.
And many other bugfixes.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
There might be no ABI breakage when the first two numbers
of the version are the same.
(No change on generated packages. No need to bump release)
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
As both LEDE and OpenWrt have STAGING_DIR_HOSTPKG now, we can start to rely
on it. See 73b7f55424 for more information on
STAGING_DIR_HOSTPKG.
STAGING_DIR_HOSTPKG won't actually be changed before the first LEDE release
(it is equivalent to $(STAGING_DIR)/host), so this simple search/replace
cleanup is safe to apply. Doing this cleanup now will be useful for the
Gluon project (an OpenWrt/LEDE based firmware framework) for experimenting
with modifying STAGING_DIR_HOSTPKG before doing this in the LEDE upstream.
Also fixes a typo in the dbus Makefile ("STAGIND_DIR").
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This is a stable feature release.
Notable changes:
- Introduce hash table improvement (by Vladimir Makarov)
- Binding#irb: Start a REPL session similar to binding.pry
- Unify Fixnum and Bignum into Integer
- String supports Unicode case mappings
- Performance improvements
- Thread#report_on_exception and Thread.report_on_exception changes
- Thread deadlock detection now shows threads with their backtrace and dependency
- Support OpenSSL 1.1.0 (drop support for 0.9.7 or prior)
- ext/tk is now removed from stdlib Feature #8539
- XMLRPC is now removed from stdlib Feature #12160
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release contains a bug fix about Refinements and Module#prepend.
The mixture use of Module#refine and Module#prepend to the same Class
could cause unexpected NoMethodError. This is a regression on Ruby 2.3.2
released last week. See [Bug #12920] for details.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release contains an update to RubyGems 2.5.2 and an update of the included SSL certificates.
There are many bugfixes too. See http://svn.ruby-lang.org/repos/ruby/tags/v2_3_2/ChangeLog
for details.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
New feature release for ruby. More info:
https://www.ruby-lang.org/en/news/2015/12/25/ruby-2-3-0-released/
Patches changes:
(-) 001-rdoc-remove_gems_dep.patch was merged
(+) 001-acinclude.m4_rename_aclocal.m4.patch backported from upstream.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
ruby subpackages now are generated by a macro. This reduces the
Makefile size by half and the chance of errors.
No change in packages contents, install-size or dependencies, except
for some removed doc files.
Improved ruby_missingfiles and ruby_find_pkgsdeps script
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes a security fix for Fiddle extension.
* CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL
There are also some bugfixes.
In the package, LD_FLAGS is now copied to DLD_FLAGS (used by ruby for libraries).
The missing values from LD_FLAGS cause a build error when gcc does not implicitly
include staging/usr/lib.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This is a bug and security fix release, including:
- CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier
http://svn.ruby-lang.org/repos/ruby/tags/v2_2_3/ChangeLog
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
libyaml is an optional dep for ruby psych. When missing, it uses
a bundled version of yaml. However, when libyaml is present in
openwrt build, ruby-psych packaging failed with deps not declared.
Now libyaml is configured as a hard dep for ruby-psych.
Also, the tk module was disabled in order to avoid a possible similar
problem if tk+x11 is provided in the openwrt build. It was currently not
built because of missing deps.
Other minor changes:
- win32* modules were disabled (avoid err msg, no compile changes)
- Some files were removed in 2.2.x (like gserver.rb). They were already
not packaged but generated a build warning message. Now removed from install.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This is a small ruby release, mainly to fix
CVE-2015-1855: Ruby OpenSSL Hostname Verification
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>