On Wed, Jun 07, 2023 at 01:43:26PM +0530, Utkarsh Gupta wrote:
> Hi Chris,
>
> On Wed, Jun 7, 2023 at 12:56 PM Salvatore Bonaccorso <car...@debian.org>
> wrote:
> > Can you please have a look, as this seems to be caused by the DLA
> > issued as DLA-3447-1.
>
> This has been caused by the ruby2.5 update.

It's definitely related to the fix for CVE-2023-28755; reverting that patch unbreaks Puppet. I'd recommend going ahead with a revert for now.

> Can you please TAL? This
> is perhaps because of the URI version in buster v/s URI version
> upstream. The upstream patch was supposed to be for 3.2 and was not
> 2.5 compliant. Let me know if you'd like me to help.

Specifically https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/ states:

| For Ruby 2.7: Update to uri 0.10.0.1
| For Ruby 3.0: Update to uri 0.10.2
| For Ruby 3.1: Update to uri 0.11.1
| For Ruby 3.2: Update to uri 0.12.1

And the 0.10 change (https://github.com/ruby/uri/commit/17861a53e499a2eabf7ba83d63914d0f01921d70) is different from the 0.12 one (https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d0b58ea9dc38892d175).

There might be other changes needed for 2.5, not sure.

Cheers,
Moritz