More information about this security flaw is available in the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=2358890 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
~~~ $ grep -R crossbeam gc/mmtk/Cargo.lock:name = "crossbeam" gc/mmtk/Cargo.lock: "crossbeam-channel", gc/mmtk/Cargo.lock: "crossbeam-deque", gc/mmtk/Cargo.lock: "crossbeam-epoch", gc/mmtk/Cargo.lock: "crossbeam-queue", gc/mmtk/Cargo.lock: "crossbeam-utils", gc/mmtk/Cargo.lock:name = "crossbeam-channel" gc/mmtk/Cargo.lock: "crossbeam-utils", gc/mmtk/Cargo.lock:name = "crossbeam-deque" gc/mmtk/Cargo.lock: "crossbeam-epoch", gc/mmtk/Cargo.lock: "crossbeam-utils", gc/mmtk/Cargo.lock:name = "crossbeam-epoch" gc/mmtk/Cargo.lock: "crossbeam-utils", gc/mmtk/Cargo.lock:name = "crossbeam-queue" gc/mmtk/Cargo.lock: "crossbeam-utils", gc/mmtk/Cargo.lock:name = "crossbeam-utils" gc/mmtk/Cargo.lock: "crossbeam", gc/mmtk/Cargo.lock: "crossbeam-deque", gc/mmtk/Cargo.lock: "crossbeam-utils", ~~~ I wonder if and how this could affect Ruby 🤔
So according to the README [1], the modular GC API would need to be first enabled by configuration option. Which is not, also confirmed in build.log [1] where there is `checking if building with modular GC support... no`. And if the modular GC was enabled, then the `mmtk` would need to be selected instead of the `default`, which obviously is not the case given the former. Therefore closing this as a NOTABUG. [1]: https://github.com/ruby/ruby/blob/master/gc/README.md [2]: https://kojipkgs.fedoraproject.org//packages/ruby/3.4.2/24.fc43/data/logs/x86_64/build.log