Bug #21631
open
Backport openssl gem bugfix releases
Description
The openssl gem has made new patch releases for all supported release lines in order to fix a compatibility issue with OpenSSL 3.6.0 (along with other bug fixes such as one for a segfault). Without the compatibility fix, the openssl gem is largely broken for certificate verification with OpenSSL 3.6.0, which then affects other parts of Ruby like net-http.
Ruby 3.4 PR (3.3.0 -> 3.3.1): https://github.com/ruby/ruby/pull/14792
Ruby 3.3 PR (3.2.0 -> 3.2.2): https://github.com/ruby/ruby/pull/14793
I'm not entirely sure what to do for Ruby 3.2. We can update the gem from 3.1.0 to 3.1.2 but that's perhaps out-of-scope for Ruby 3.2 being in security maintenance mode. Would cherry-picking the single compatibility fix commit be acceptable? The issue has been widely noticed already: https://github.com/ruby/openssl/issues/949
Updated by hsbt (Hiroshi SHIBATA) about 3 hours ago
- Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: REQUIRED, 3.3: REQUIRED, 3.4: REQUIRED
Thanks for filing this.
Would cherry-picking the single compatibility fix commit be acceptable? The issue has been widely noticed already: https://github.com/ruby/openssl/issues/949
Agreed. gem install fails because of OpenSSL issue is a major problem with using Ruby. I also would like to backport only https://github.com/ruby/openssl/pull/950 for that issue to Ruby 3.2.
Updated by Bo98 (Bo Anderson) about 3 hours ago
Thanks for taking a look!
Ruby 3.2 PR: https://github.com/ruby/ruby/pull/14797