Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1438736

Summary: Rebase to the latest Ruby 2.4 point release [rhscl-3.1]
Product: Red Hat Software Collections
Reporter: Vít Ondruch <vondruch>
Component: ruby
Assignee: Vít Ondruch <vondruch>
Status: CLOSED EOL
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rh-ruby24
CC: bgollahe, cpelland, hhorak, jkejda, jorton, jpriddy, jrafanie, pvalena
Target Milestone: ---
Keywords: FutureFeature, Rebase
Target Release: 3.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: rh-ruby24-ruby-2.4.2-86.el6, rh-ruby24-ruby-2.4.2-86.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Clones: 1506785
Environment:
Last Closed: 2020-06-18 13:24:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1506785

Description Vít Ondruch 2017-04-04 10:21:47 UTC
We should consider rebase to the latest Ruby 2.4 release:

https://www.ruby-lang.org/en/news/2017/03/22/ruby-2-4-1-released/

Comment 4 Pavel Valena 2017-09-15 15:54:15 UTC
Latest Ruby 2.4 release:
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-4-2-released/

Contains fixes for:
 - Bug CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
 - Bug CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
 - Bug CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
 - Bug CVE-2017-14064: Heap exposure in generating JSON
 - Multiple vulnerabilities in RubyGems

Comment 5 Joe Rafaniello 2017-09-20 20:12:47 UTC
We should really ship ruby 2.4.2 with SCL. What can we do to get traction on this?

2.4.0 and 2.4.1 have serious bugs affecting ManageIQ and probably other people. We cannot use ruby 2.4 from SCL in ManageIQ/CloudForms unless it's rebased to 2.4.2+.

1) When executing instance_exec with symbol.to_proc, it ignores the first argument
https://bugs.ruby-lang.org/issues/13074

This breaks factory_girl and other instance_exec code: https://github.com/thoughtbot/factory_girl/issues/980
Fixed in 2.4.1

2) Memory leak recycling stacks for threads in 2.4.1
https://bugs.ruby-lang.org/issues/13772

Unbound memory growth in 2.4.1 affecting rest-client and possibly other code run in threads.

https://github.com/rest-client/rest-client/issues/611
Fixed in ruby 2.4.2.

3) Additionally, the above mentioned CVEs.
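
A regression probe for the instance_exec/Symbol#to_proc bug described in item 1 above, added here as an example; it is not code from the bug thread, from ManageIQ or from factory_girl. The `Record` and `Runner` classes are stand-ins for factory_girl's built object and its callback runner, and `ruby_at_least?` is a helper assumed for the 2.4.2 floor that item 2 needs:

```ruby
# Added example (not from the bug thread): probe for the instance_exec +
# Symbol#to_proc regression (ruby-lang bug #13074) using the pattern
# factory_girl relies on: a runner evaluates a callback block with `self`
# set to the runner and the freshly built record as the block's first argument.

class Record
  attr_reader :saved
  def initialize; @saved = false; end
  def save!; @saved = true; self; end
end

# Stand-in for factory_girl's syntax runner (hypothetical, constructed here).
class Runner
  # If the interpreter drops the first argument, `&:save!` lands here instead.
  def save!; raise "callback ran against the runner instead of the record"; end

  def run_callback(record, &callback)
    instance_exec(record, &callback)
  end
end

# `&:save!` becomes a proc that sends :save! to its first argument.
# Correct behaviour (2.3.x, 2.4.1+): record.save! runs; the runner is untouched.
# Ruby 2.4.0 ignored the first argument and sent :save! to self (the runner).
def symbol_to_proc_honours_first_argument?
  record = Record.new
  Runner.new.run_callback(record, &:save!)
  record.saved
rescue RuntimeError
  false
end

# Version gate for the thread-stack leak (bug #13772), fixed from 2.4.2 on.
# Gem::Version compares segment-wise, so 2.4.10 correctly ranks above 2.4.2.
def ruby_at_least?(required, actual = RUBY_VERSION)
  Gem::Version.new(actual) >= Gem::Version.new(required)
end

if __FILE__ == $0
  puts "instance_exec/Symbol#to_proc OK: #{symbol_to_proc_honours_first_argument?}"
  puts "Ruby >= 2.4.2: #{ruby_at_least?('2.4.2')}"
end
```

Run it with the candidate `rh-ruby24` interpreter (e.g. under `scl enable rh-ruby24`); both checks must report true before the collection is safe for code that uses these patterns.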

Comment 6 Honza Horak 2017-09-21 06:46:00 UTC
I think async update would make sense here. What is the urgency of this request, Joe?