Version in base suite: 3.0.5-3
Base version: ruby-sinatra_3.0.5-3
Target version: ruby-sinatra_3.0.5-3+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/ruby-sinatra/ruby-sinatra_3.0.5-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/ruby-sinatra/ruby-sinatra_3.0.5-3+deb12u1.dsc
 changelog | 7 +++++++
 gbp.conf | 1 +
 patches/CVE-2025-61921.patch | 25 +++++++++++++++++++++++++
 patches/series | 1 +
 4 files changed, 34 insertions(+)
diff -Nru ruby-sinatra-3.0.5/debian/changelog ruby-sinatra-3.0.5/debian/changelog
--- ruby-sinatra-3.0.5/debian/changelog 2023-02-10 11:23:30.000000000 +0000
+++ ruby-sinatra-3.0.5/debian/changelog 2025-10-19 23:02:10.000000000 +0000
@@ -1,3 +1,10 @@
+ruby-sinatra (3.0.5-3+deb12u1) bookworm; urgency=medium
+
+ * Prevent Regexp DoS in ETag generation [CVE-2025-61921] (Closes: #1118290)
+ * debian/gbp.conf: point debian branch to debian/bookworm
+
+ -- Antonio Terceiro Sun, 19 Oct 2025 20:02:10 -0300
+
 ruby-sinatra (3.0.5-3) unstable; urgency=medium
 * Team upload
diff -Nru ruby-sinatra-3.0.5/debian/gbp.conf ruby-sinatra-3.0.5/debian/gbp.conf
--- ruby-sinatra-3.0.5/debian/gbp.conf 2023-02-10 11:23:30.000000000 +0000
+++ ruby-sinatra-3.0.5/debian/gbp.conf 2025-10-19 23:02:10.000000000 +0000
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = debian/bookworm
diff -Nru ruby-sinatra-3.0.5/debian/patches/CVE-2025-61921.patch ruby-sinatra-3.0.5/debian/patches/CVE-2025-61921.patch
--- ruby-sinatra-3.0.5/debian/patches/CVE-2025-61921.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-sinatra-3.0.5/debian/patches/CVE-2025-61921.patch 2025-10-19 23:02:10.000000000 +0000
@@ -0,0 +1,25 @@
+From: gecunps
+Date: Wed, 8 Oct 2025 11:15:08 +0800
+Subject: Fix regex to prevent redos
+
+This a backport of the original upstream patch.
+
+Signed-off-by: Antonio Terceiro
+Link: https://github.com/sinatra/sinatra/pull/2121
+---
+ lib/sinatra/base.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
+index ba330a4..aeff9fd 100644
+--- a/lib/sinatra/base.rb
++++ b/lib/sinatra/base.rb
+@@ -693,7 +693,7 @@ module Sinatra
+ def etag_matches?(list, new_resource = request.post?)
+ return !new_resource if list == '*'
+
+- list.to_s.split(/\s*,\s*/).include? response['ETag']
++ list.to_s.split(',').map(&:strip).include?(response['ETag'])
+ end
+
+ def with_params(temp_params)
diff -Nru ruby-sinatra-3.0.5/debian/patches/series ruby-sinatra-3.0.5/debian/patches/series
--- ruby-sinatra-3.0.5/debian/patches/series 2023-02-10 11:23:30.000000000 +0000
+++ ruby-sinatra-3.0.5/debian/patches/series 2025-10-19 23:02:10.000000000 +0000
@@ -2,3 +2,4 @@
 fix-relative-path.patch
 0001-Tests-against-Haml-6.patch
 fix-test-broken-by-ruby-rack.patch
+CVE-2025-61921.patch
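Review bot: The new `list.to_s.split(',').map(&:strip).include?(response['ETag'])` line removes the backtracking `\s*,\s*` split, but the backport touches only lib/sinatra/base.rb and carries no regression test, so nothing in the package build or autopkgtest would fail if the regexp were reintroduced during a later rebase. A test driving `etag_matches?` through a route that sets an etag with a long whitespace-padded header, e.g. `get '/', {}, 'HTTP_IF_NONE_MATCH' => "#{' ' * 100_000},\"x\""` asserted to return quickly with a 200, would pin the fix; whether the upstream PR linked in the DEP-3 header shipped its own test is not visible from this hunk. Note that `String#strip` is not an exact stand-in for `\s*`: it also removes NUL bytes at the ends of each element, so a header value such as `"\"x\"\0"` now matches where the old code rejected it — harmless for well-formed clients, but worth a sentence in the patch description since the comparison is an exact string match. The comma split also still cuts through an opaque-tag that legitimately contains `,`, as the old code did; that is pre-existing and not something this fix needs to address. `etag_matches?` and the enclosing `module Sinatra` continue outside the hunk, and the trailing `def with_params(temp_params)` is context only.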