SUSE-SU-2019:1804-1 -- SLES libruby2_5-2_5, ruby2.5

ID: oval:org.secpod.oval:def:89050926
Date: (C)2024-01-30 (M)2024-01-29
Class: PATCH
Family: unix

This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues:

Changes in ruby2.5:

Update to 2.5.5 and 2.5.4:
- https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/
- https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/

Security issues fixed:
- CVE-2019-8320: Delete directory using symlink when decompressing tar
- CVE-2019-8321: Escape sequence injection vulnerability in verbose
- CVE-2019-8322: Escape sequence injection vulnerability in gem owner
- CVE-2019-8323: Escape sequence injection vulnerability in API response handling
- CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
- CVE-2019-8325: Escape sequence injection vulnerability in errors

Ruby 2.5 was updated to 2.5.3. This release includes some bug fixes and some security fixes.

Security issues fixed:
- CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives
- CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly

Ruby 2.5 was updated to 2.5.1. This release includes some bug fixes and some security fixes.

Security issues fixed:
- CVE-2017-17742: HTTP response splitting in WEBrick
- CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
- CVE-2018-8777: DoS by large request in WEBrick
- CVE-2018-8778: Buffer under-read in String#unpack
- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
- Multiple vulnerabilities in RubyGems were fixed:
  - CVE-2018-1000079: Fixed a path traversal issue during gem installation that allowed writing to arbitrary filesystem locations
  - CVE-2018-1000075: Fixed an infinite loop caused by a negative size in a tar header, which led to a Denial of Service
  - CVE-2018-1000078: Fixed an XSS vulnerability in the homepage attribute when displayed via gem server
  - CVE-2018-1000077: Fixed missing URL validation on the spec homepage attribute, which allowed a malicious gem to set an invalid homepage URL
  - CVE-2018-1000076: Fixed improper verification of signatures in the tarball, which allowed installing a mis-signed gem
  - CVE-2018-1000074: Fixed an unsafe Object Deserialization vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML
  - CVE-2018-1000073: Fixed path traversal when writing to a symlinked basedir outside of the root

Other changes:
- Fixed Net::POPMail methods modifying a frozen literal when using the default argument
- ruby: change over of the Japanese Era to the new emperor on May 1st 2019
- Build with PIE support

Changes in ruby-bundled-gems-rpmhelper:
- Add a new helper for bundled ruby gems.

Platform:
SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Desktop 15
SUSE Linux Enterprise Desktop 15 SP1
SUSE Linux Enterprise Server 15 SP1
Product:
libruby2_5-2_5
ruby2.5
Reference:
SUSE-SU-2019:1804-1
CVE-2017-17742
CVE-2018-1000073
CVE-2018-1000074
CVE-2018-1000075
CVE-2018-1000076
CVE-2018-1000077
CVE-2018-1000078
CVE-2018-1000079
CVE-2018-16395
CVE-2018-16396
CVE-2018-6914
CVE-2018-8777
CVE-2018-8778
CVE-2018-8779
CVE-2018-8780
CVE-2019-8320
CVE-2019-8321
CVE-2019-8322
CVE-2019-8323
CVE-2019-8324
CVE-2019-8325
CPE:
cpe:/o:suse:suse_linux_enterprise_server:15
cpe:/a:libruby2_5-2_5:libruby2_5-2_5
cpe:/o:suse:suse_linux_enterprise_server:15:sp1
cpe:/a:ruby2.5:ruby2.5
...

© SecPod Technologies