rubygems (3.2.5-2+deb11u1) bullseye-security; urgency=medium

  * Fix CVE-2025-27221.
    The URI handling methods (URI.join, URI#merge, URI#+) have an
    inadvertent leakage of authentication credentials because userinfo is
    retained even after changing the host.
     - d/p/CVE-2025-27221_*.patch
  * Fix CVE-2023-28755.
    A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby
    through 3.2.1. The URI parser mishandles invalid URLs that have specific
    characters. It causes an increase in execution time for parsing strings
    to URI objects.
     - d/p/CVE-2023-28755.patch
  * Fix CVE-2021-43809.
    In bundler versions before 2.2.33, when working with untrusted and
    apparently harmless `Gemfile`s, it is not expected that they lead to
    execution of external code, unless that's explicit in the ruby code
    inside the `Gemfile` itself. However, if the `Gemfile` includes `gem`
    entries that use the `git` option with invalid, but seemingly harmless,
    values with a leading dash, this can be false. To handle dependencies
    that come from a Git repository instead of a registry, Bundler uses
    various commands, such as `git clone`. These commands are being
    constructed using user input (e.g. the repository URL). When building
    the commands, Bundler versions before 2.2.33 correctly avoid Command
    Injection vulnerabilities by passing an array of arguments instead of a
    command string. However, there is the possibility that a user input
    starts with a dash (`-`) and is therefore treated as an optional
    argument instead of a positional one. This can lead to Code Execution
    because some of the commands have options that can be leveraged to run
    arbitrary executables.
     - d/p/CVE-2021-43809.patch
  * d/t/control: add libyaml-dev to Depends of testsuite. Fix autopkgtest
    failure.

 -- Lucas Kanashiro <kanashiro@debian.org>  Wed, 23 Apr 2025 15:49:41 -0300
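
Added example, not part of the changelog and not Bundler's or the patch's own code: a sketch of the leading-dash problem described under CVE-2021-43809, showing that an argument array alone does not stop a value from being read as an option, and one way to guard against it. The helper names and the sample values are assumptions constructed for illustration.

```ruby
# Added illustration; helper names are hypothetical, not Bundler's API.
class UnsafeGitArgument < ArgumentError; end

# Reject values that an option parser would read as a switch.
def positional!(value, label)
  str = value.to_s
  raise UnsafeGitArgument, "#{label} is empty" if str.empty?
  if str.start_with?("-")
    raise UnsafeGitArgument, "#{label} starts with '-': #{str.inspect}"
  end
  str
end

# Shape described in the entry: an argv array avoids shell command
# injection, but the URI still sits where options are parsed.
def naive_clone_argv(uri, dest)
  ["git", "clone", uri, dest]
end

# Hardened shape: validate both values, then end option parsing with "--"
# so everything after it is positional.
def safe_clone_argv(uri, dest)
  ["git", "clone", "--",
   positional!(uri, "repository URI"),
   positional!(dest, "destination")]
end

# Simplified model of an option parser: after the subcommand, every
# argument before "--" that starts with "-" is treated as an option.
def parsed_as_options(argv)
  argv.drop(2).take_while { |a| a != "--" }.select { |a| a.start_with?("-") }
end

if $PROGRAM_NAME == __FILE__
  hostile = "--constructed-option=value"     # constructed sample value
  good    = "https://example.org/repo.git"   # constructed sample value
  p parsed_as_options(naive_clone_argv(hostile, "dest"))
  p safe_clone_argv(good, "dest")
  begin
    safe_clone_argv(hostile, "dest")
  rescue UnsafeGitArgument => e
    puts "rejected: #{e.message}"
  end
end
```

The validation and the `--` separator are complementary: the separator protects the positional slots even if a check is missed, and the check gives a clear error for a `Gemfile` entry that should be reviewed.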

rubygems (3.2.5-2) unstable; urgency=medium

  [ Antonio Terceiro ]
  * Skip tests that fail if Gem.disable_system_update_message is set

 -- Lucas Kanashiro <kanashiro@debian.org>  Wed, 13 Jan 2021 16:45:32 -0300

rubygems (3.2.5-1) unstable; urgency=medium

  * New upstream release.

 -- Lucas Kanashiro <kanashiro@debian.org>  Tue, 12 Jan 2021 09:31:00 -0300

rubygems (3.2.4-2) unstable; urgency=medium

  * d/p/0003-Gem-Ext-Builder-accept-custom-make-command-with-extr.patch: make
    extension builder accept custom make command.
  * d/ruby-tests.skip: re-enable some tests and skip new ones. The new patch
    applied makes some tests pass again but there still are some escape
    issues.

 -- Lucas Kanashiro <kanashiro@debian.org>  Mon, 11 Jan 2021 17:23:29 -0300

rubygems (3.2.4-1) unstable; urgency=medium

  * New upstream release.
  * d/ruby-tests.skip: add the failing tests related to native extensions.
    There is an issue on how those tests are set up to build native
    extensions, needs further investigation.
  * d/ruby-bundler.manpages: update path of the manpages changed by upstream.
  * Declare compliance with Debian Policy 4.5.1.

 -- Lucas Kanashiro <kanashiro@debian.org>  Fri, 08 Jan 2021 17:49:46 -0300

rubygems (3.2.0~rc.2-6) unstable; urgency=medium

  * debian/control: fix installability issue on i386.
    - Make ruby-rubygems depend on ruby:any.
    - Mark ruby-rubygems as Multi-Arch: foreign.

 -- Lucas Kanashiro <kanashiro@debian.org>  Thu, 07 Jan 2021 09:26:56 -0300

rubygems (3.2.0~rc.2-5) unstable; urgency=medium

  * d/t/autopkgtest-pkg-ruby.conf: add dependency on build-essential. The
    DEP-8 test generated by autodep8 requires build-essential to build a
    native gem.

 -- Lucas Kanashiro <kanashiro@debian.org>  Mon, 07 Dec 2020 18:46:19 -0300

rubygems (3.2.0~rc.2-4) unstable; urgency=medium

  * d/t/testsuite: do not create a predictable tmp dir, it might exist
    already.
  * d/ruby-tests.rake: set the test dir when executed with autopkgtest.
  * d/ruby-tests.skip: add tests failing with autopkgtest. Those are harmless
    tests, they fail due to rubygems-integration changes.
  * d/t/control:
    - Split the tests in different paragraphs. We can have a tighter
      definition of restrictions and dependencies for each test.
    - Add needs-internet restriction to testsuite.
    - Make testsuite build depend on build dependencies.
  * d/control:
    - Add b-d on ruby-dev.
    - Remove unneeded build and runtime dependencies. They are ruby-molinillo,
      ruby-thor, ruby-net-http-persistent. They are shipped as vendor code.

 -- Lucas Kanashiro <kanashiro@debian.org>  Fri, 27 Nov 2020 15:11:02 -0300

rubygems (3.2.0~rc.2-3) unstable; urgency=medium

  * Remove d/p/0001-Replace-bundled-libraries-with-system-versions.patch.
    bundler has some custom code on top of the bundled libraries which is
    needed to make it work properly. Due to that it is not possible to use external
    code at the moment.
  * d/t/testsuite: properly set local path according to bundler 2. The --path
    option in the bundle call is deprecated.

 -- Lucas Kanashiro <kanashiro@debian.org>  Thu, 26 Nov 2020 11:14:41 -0300

rubygems (3.2.0~rc.2-2) unstable; urgency=medium

  * Skip tests which require Internet connection (Closes: #974102)

 -- Lucas Kanashiro <kanashiro@debian.org>  Wed, 18 Nov 2020 15:07:01 -0300

rubygems (3.2.0~rc.2-1) unstable; urgency=medium

  * Update Net::HTTP::Persistent path in the patch to use the system version.
  * New upstream version 3.2.0~rc.2

 -- Lucas Kanashiro <kanashiro@debian.org>  Mon, 09 Nov 2020 10:32:00 -0300

rubygems (3.2.0~rc.1-3) unstable; urgency=medium

  * d/p/0001-Replace-bundled-libraries-with-system-versions.patch: make
    bundler use libraries from the system.
  * Add b-d on ruby-molinillo and ruby-thor.
  * Add patches to make bundler better handle temporary directories:
    - d/p/0002-Don-t-use-insecure-temporary-directory-as-home-direc.patch
    - d/p/0003-Remove-temporary-home-directories.patch
  * Add debian revision to bundler version string (Closes: #972490)

 -- Lucas Kanashiro <kanashiro@debian.org>  Thu, 05 Nov 2020 16:09:55 -0300

rubygems (3.2.0~rc.1-2) unstable; urgency=medium

  [ Cédric Boutillier ]
  * Update team name
  * Add .gitattributes to keep unwanted files out of the source package

 -- Lucas Kanashiro <kanashiro@debian.org>  Sun, 18 Oct 2020 23:41:21 -0300

rubygems (3.2.0~rc.1-1) unstable; urgency=medium

  * Initial release.
    - Upstream bundler source code is now hosted in the same git repository as
      rubygems, due to that this new source package is introduced and it will
      provide the binaries previously provided by src:bundler (ruby-bundler
      and bundler). src:bundler will be removed after src:rubygems is accepted.

 -- Lucas Kanashiro <kanashiro@debian.org>  Fri, 17 Jul 2020 16:11:02 -0300
