ruby2.5 (2.5.5-1ubuntu1) disco; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/p/rubygems-2388.patch: Allow either Fetcher or OpenSSL exceptions
      when using invalid cert in rubygems testcase.
      - update the patch with the merged upstream PR: 2507
    - various backports for better openssl support (formerly undocumented in
      changelog)
      + d/p/0001-openssl-buffering.rb-no-RS-when-output.patch
      + d/p/0006-Workaround-for-old-LibreSSL.patch
  * Dropped changes: d/p/1dfc377ae3b174b043d3f0ed36de57b0296b34d0.patch
    - upstream

ruby2.5 (2.5.5-1) unstable; urgency=medium

  * New upstream version 2.5.5. Includes a series of bug fixes, most notably
    for 6 security bugs discovered in Rubygems:
    - CVE-2019-8320: Delete directory using symlink when decompressing tar
    - CVE-2019-8321: Escape sequence injection vulnerability in verbose
    - CVE-2019-8322: Escape sequence injection vulnerability in gem owner
    - CVE-2019-8323: Escape sequence injection vulnerability in API response
      handling
    - CVE-2019-8324: Installing a malicious gem may lead to arbitrary code
      execution
    - CVE-2019-8325: Escape sequence injection vulnerability in errors
  * Rebase patches. The following patches were applied upstream and dropped
    from the Debian package:
    - 0011-Update-for-tzdata-2018f.patch
    - 0012-test-update-test-certificate.patch

 -- Gianfranco Costamagna <email address hidden>  Thu, 28 Mar 2019 10:47:03 +0100