-
ruby2.3 (2.3.6-2) unstable; urgency=medium
* debian/patches/0011-Increase-timeout-to-avoid-build-failures-on-mips.patch:
increase timeout in both tests that have one
(now hopefully really Closes: #882404)
* debian/rules: run tests in verbose mode during build
* autopkgtest: make use of the text exclusion rules under test/excludes/
-- Antonio Terceiro <email address hidden> Fri, 22 Dec 2017 15:45:29 -0200
-
ruby2.3 (2.3.6-1) unstable; urgency=medium
[ Antonio Terceiro ]
* New upstream version 2.3.6
* Update symbols file
* Refresh patches.
0011-Whitelist-classes-and-symbols-that-are-in-Gem-spec-Y.patch:
dropped, applied upstream
[ Adrian Bunk ]
* Force exact precision on i386 (Closes: #881804)
[ James Cowgill ]
* Increase timeout to avoid build failures on mips* (Closes: #882404)
[ Matthias Klose ]
* Update symbols file (Closes: #881848)
* Skip tests that fail on Launchpad builders
-- Antonio Terceiro <email address hidden> Fri, 22 Dec 2017 11:19:41 -0200
-
ruby2.3 (2.3.5-1) unstable; urgency=medium
* New upstream release.
- Includes fix for building with GCC 7 (Closes: #853648)
- Included security fixes
- Buffer underrun vulnerability in OpenSSL ASN1 decode
[CVE-2017-14033] (Closes: #875928)
- Escape sequence injection vulnerability in the Basic authentication of
WEBrick
[CVE-2017-10784] (Closes: #875931)
- Buffer underrun vulnerability in Kernel.sprintf
[CVE-2017-0898] (Closes: #875936)
- Multiple security vulnerabilities in Rubygems (Closes: #873802)
- DNS request hijacking vulnerability. Discovered by Jonathan
Claudius, fix by Samuel Giddins.
[CVE-2017-0902]
- ANSI escape sequence vulnerability. Discovered by Yusuke Endoh,
fix by Evan Phoenix.
[CVE-2017-0899]
- DOS vulnerability in the query command. Discovered by Yusuke
Endoh, fix by Samuel Giddins.
[CVE-2017-0900]
- Vulnerability in the gem installer that allowed a malicious gem to
overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel
Giddins.
[CVE-2017-0901]
- Arbitrary heap exposure problem in the JSON library
[CVE-2017-14064] (Closes: #873906)
- SMTP comment injection
[CVE-2015-9096] (Closes: #864860)
- IV Reuse in GCM Mode in the OpenSSL bindings
[CVE-2016-7798] (Closes: #842432)
* Whitelist classes and symbols that are in Gem spec YAML
[CVE-2017-0903] (Closes: #879231)
Original patch by Aaron Patterson; backported from the standalone Rubygems
package
* Convert packaging from using a plain git history to using gbp-pq, thus
making debian individual patches explicitly present in debian/patches
* Refresh debian/libruby2.3.symbols. There are some removed symbols, but
they are never exposed in a header file so there should be no packages
using them.
-- Antonio Terceiro <email address hidden> Tue, 14 Nov 2017 11:06:39 -0200
-
ruby2.3 (2.3.3-1+deb9u2) stretch-security; urgency=high
* asn1: fix out-of-bounds read in decoding constructed objects
[CVE-2017-14033] (Closes: #875928)
Original patch by Kazuki Yamaguchi; backported from the standalone openssl package
* lib/webrick/log.rb: sanitize any type of logs
[CVE-2017-10784] (Closes: #875931)
Original patch by Yusuke Endoh; backported to Ruby 2.3 by Usaku NAKAMURA
* fix Buffer underrun vulnerability in Kernel.sprintf
[CVE-2017-0898] (Closes: #875936)
Backported to Ruby 2.3 by Usaku NAKAMURA
* Whitelist classes and symbols that are in Gem spec YAML
[CVE-2017-0903] (Closes: #879231)
Original patch by Aaron Patterson; backported from the standalone Rubygems
package
* thread_pthread.c: do not wakeup inside child processes
Avoid child Ruby processes being stuck in a busy loop (Closes: #876377)
Original patch by Eric Wong
-- Antonio Terceiro <email address hidden> Sun, 22 Oct 2017 12:45:48 -0200
-
ruby2.3 (2.3.3-1+deb9u1) stretch-security; urgency=high
* Fix arbitrary heap exposure problem in the JSON library (Closes: #873906)
[CVE-2017-14064]
- Backported for Ruby 2.3 by Hiroshi SHIBATA <email address hidden>
https://bugs.ruby-lang.org/issues/13853
* Fix multiple security vulnerabilities in Rubygems (Closes: #873802)
- Fix a DNS request hijacking vulnerability. Discovered by Jonathan
Claudius, fix by Samuel Giddins.
[CVE-2017-0902]
- Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh,
fix by Evan Phoenix.
[CVE-2017-0899]
- Fix a DOS vulnerability in the query command. Discovered by Yusuke
Endoh, fix by Samuel Giddins.
[CVE-2017-0900]
- Fix a vulnerability in the gem installer that allowed a malicious gem to
overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel
Giddins.
[CVE-2017-0901]
* Fix SMTP comment injection (Closes: #864860)
Patch by Shugo Maeda <email address hidden>
[CVE-2015-9096]
* Fix IV Reuse in GCM Mode (Closes: #842432)
Patch by Kazuki Yamaguchi <email address hidden>
[CVE-2016-7798]
-- Antonio Terceiro <email address hidden> Sat, 02 Sep 2017 15:11:07 -0300
-
ruby2.3 (2.3.3-1) unstable; urgency=medium
* New upstream version.
-- Christian Hofstaedtler <email address hidden> Tue, 22 Nov 2016 12:32:41 +0000
-
ruby2.3 (2.3.2-1) unstable; urgency=medium
* New upstream version.
-- Christian Hofstaedtler <email address hidden> Wed, 16 Nov 2016 01:31:08 +0000
-
ruby2.3 (2.3.1-6) unstable; urgency=medium
* debian/rules: honor 'nocheck' flag in DEB_BUILD_OPTIONS (Closes: #842768).
Thanks to John Paul Adrian Glaubitz for the patch.
* Build-Depends on libssl1.0-dev. Ruby 2.3 is not likely to get OpenSSL 1.1
compatibility (see #828535)
-- Antonio Terceiro <email address hidden> Wed, 09 Nov 2016 14:38:59 -0200
-
ruby2.3 (2.3.1-5) unstable; urgency=medium
* Increase timeout for test_array.rb test_permutation_stack_error,
as Array#permutation is very slow on armel, mips, mipsel.
Forwarded to upstream as issue #12502.
* Disable test_process.rb test_aspawn_too_long_path, as it uses ~2GB
of RAM and a lot of CPU time before finally failing on mips, mipsel.
Forwarded to upstream as issue #12500.
* Increase timeout for test_gc.rb test_gc_parameter, for mips, mipsel.
-- Christian Hofstaedtler <email address hidden> Fri, 17 Jun 2016 23:30:49 +0000
-
ruby2.3 (2.3.1-4) unstable; urgency=medium
* Backport some test changes from Ruby trunk, to fix (some) build
failures on archs other than amd64, i386, ppc64el, s390x.
-- Christian Hofstaedtler <email address hidden> Wed, 15 Jun 2016 07:32:02 +0000
-
ruby2.3 (2.3.1-3) unstable; urgency=medium
* Replace libruby2.3-dbg with automatic dbgsym packages.
* Avoid unreproducible rbconfig.rb (always use bash to build).
* rdoc: sort input filenames in a consistent way (for reproducible).
* Run full testsuite during build (make check instead of make test).
-- Christian Hofstaedtler <email address hidden> Tue, 14 Jun 2016 20:47:45 +0000
-
ruby2.3 (2.3.1-2) unstable; urgency=medium
[ Antonio Terceiro ]
* debian/tests/known-failures.txt: remove test that now passes
(test/rinda/test_rinda.rb)
* debian/rules: enable bindnow hardening option (Closes: #822288)
* debian/copyright: update and simplify copyright annotations for Unicode
files under enc/trans/JIS/
* Bump Standards-Version to 3.9.8 (no changes needed)
[ Christian Hofstaedtler ]
* Stop providing ruby-interpreter. Only packages providing
/usr/bin/ruby can be a credible provider of ruby-interpreter.
(Closes: #822072)
* Raise priority to "optional", now that ruby2.2 is gone, although
the value of this change is unclear. (Closes: #822911)
* Apply patch from Reiner Herrmann <email address hidden> to help with
reproducibility of mkmf.rb using packages. (Closes: #825569)
-- Christian Hofstaedtler <email address hidden> Mon, 30 May 2016 12:14:46 +0000
-
ruby2.3 (2.3.1-1) unstable; urgency=medium
* Call make install-doc, install-nodoc with V=1, for diagnosing
build failures.
* New upstream TEENY version.
-- Christian Hofstaedtler <email address hidden> Wed, 27 Apr 2016 07:40:42 +0000
-
ruby2.3 (2.3.0-5) unstable; urgency=medium
* Set gzip embedded mtime field to fixed value for rdoc-generated
compressed javascript data. Helps with reproducibility of rdoc-using
packages.
* Build tcltk extension for Tcl/Tk 8.6.
* Apply patch from upstream to fix crash in Proc binding.
(ruby-core: 74100, trunk r54128, bug #12137). (Closes: #816161)
-- Christian Hofstaedtler <email address hidden> Wed, 16 Mar 2016 23:36:12 +0000
-
ruby2.3 (2.3.0-4) unstable; urgency=medium
* Apply patch from upstream to fix deserializing OpenStruct via Psych,
(ruby-core: 72501, trunk r53366). (Closes: #816358)
-- Christian Hofstaedtler <email address hidden> Tue, 01 Mar 2016 22:41:19 +0100
-
ruby2.3 (2.3.0-3) unstable; urgency=medium
* Explicitly set bundled gem dates. Otherwise these multi-arch same files
differ on different architectures depending on build date.
(Closes: #810321)
* Apply patch from upstream (ruby-core:72736, trunk r53455) to fix extension
builds that use g++.
* Bump Standards-Version to 3.9.7 with no addtl. changes
* d/copyright: Remove rake, no longer bundled.
* Switch Vcs-* URLs to https.
-- Christian Hofstaedtler <email address hidden> Mon, 29 Feb 2016 21:45:51 +0100
-
ruby2.3 (2.3.0-2) unstable; urgency=medium
* debian/libruby2.3.symbols: update with new symbols introduced right before
the final 2.3.0 release.
* libruby2.3: add dependencies on rake, ruby-did-you-mean and
ruby-net-telnet
-- Antonio Terceiro <email address hidden> Sat, 30 Jan 2016 09:20:31 -0200
-
ruby2.3 (2.3.0-1) unstable; urgency=medium
[ Antonio Terceiro ]
* Ruby 2.3
* debian/tests/bundled-gems: check if all libraries that are supposed to be
bundled are present, with a version greater than or equal to the one
specified in gems/bundled_gems
* debian/tests/run-all: filter failures against list of known failures. Pass
if only the tests listed in debian/tests/known-failures.txt fail, fail
otherwise. This will help catch regressions.
* debian/copyright: update wrt new files in the distribution
[ Christian Hofstaedtler ]
* autopkgtest: depend on all packages so we actually have header files
installed.
-- Antonio Terceiro <email address hidden> Mon, 28 Dec 2015 09:17:47 -0300