Change log for ruby2.0 package in Ubuntu

Published in trusty-updates on 2019-04-11
Published in trusty-security on 2019-04-11
ruby2.0 (2.0.0.484-1ubuntu2.13) trusty-security; urgency=medium

  * SECURITY UPDATE: Delete directory using symlink when decompressing tar,
    Escape sequence injection vulnerability in gem owner, Escape sequence
    injection vulnerability in API response handling, Arbitrary code exec,
    Escape sequence injection vulnerability in errors
    - debian/patches/CVE-2019-8320-25.patch: fix in
      lib/rubygems/command_manager.rb,
      lib/rubygems/commands/owner_command.rb,
      lib/rubygems/gemcutter_utilities.rb,
      lib/rubygems/installer.rb,
      lib/rubygems/package.rb,
      test/rubygems/test_gem_installer.rb,
      test/rubygems/test_gem_package.rb,
      test/rubygems/test_gem_text.rb.
    - CVE-2019-8320
    - CVE-2019-8321
    - CVE-2019-8322
    - CVE-2019-8323
    - CVE-2019-8324
    - CVE-2019-8325
  * Fixing expired certification that causes tests to fail
    - debian/patches/fixing_expired_SSL_certificates.patch: updating certs in
      test/net/imap/cacert.pem, test/net/imap/server.crt,
      test/net/imap/server.key.

 -- <email address hidden> (Leonidas S. Barbosa)  Fri, 29 Mar 2019 12:53:02 -0300
Superseded in trusty-updates on 2019-04-11
Superseded in trusty-security on 2019-04-11
ruby2.0 (2.0.0.484-1ubuntu2.11) trusty-security; urgency=medium

  * SECURITY UPDATE: Name equality check
    - debian/patches/CVE-2018-16395.patch: fix in
      ext/openssl/ossl_x509name.c.
    - CVE-2018-16395
  * SECURITY UPDATE: Tainted flags not propagated
    - debian/patches/CVE-2018-16396.patch: fix in
      pack.c, test/ruby/test_pack.rb.
    - CVE-2018-16396

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 29 Oct 2018 14:09:40 -0300
Superseded in trusty-updates on 2018-11-05
Superseded in trusty-security on 2018-11-05
ruby2.0 (2.0.0.484-1ubuntu2.10) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS vulnerability in query command
    - debian/patches/CVE-2017-0901-0902.patch
      patch extracted from Debian Wheezy.
    - CVE-2017-0901
    - CVE-2017-0902
  * SECURITY UPDATE: Remote code execution
    - debian/patches/CVE-2017-0903.patch: fix in lib/rubygems.rb,
      lib/rubygems/config_file.rb, lib/rubygems/safe_yaml.rb,
      lib/rubygems/specification.rb.
    - CVE-2017-0903
  * SECURITY UPDATE: possibly execute arbitrary commands via a crafted user name
    - debian/patches/CVE-2017-10784.patch: sanitize any type of logs in
      lib/webrick/httpstatus.rb, lib/webrick/log.rb and test/webrick/test_httpauth.rb.
    - CVE-2017-10784
  * SECURITY UPDATE: Arbitrary memory expose during a JSON.generate call
    - debian/patches/CVE-2017-14064.patch: fix this in
      ext/json/ext/generator/generator.c and ext/json/ext/generator/generator.h.
    - CVE-2017-14064
  * SECURITY UPDATE: Malicious format string - buffer overrun
    - debian/patches/CVE-2017-0898.patch: fix in sprintf.c,
      test/ruby/test_sprintf.rb.
    - CVE-2017-0898
  * SECURITY UPDATE: Response splitting attack
    - debian/patches/CVE-2017-17742*.patch: fix in webrick/httpresponse.rb.
    - CVE-2017-17742
  * SECURITY UPDATE: Deserialization untrusted data
    - debian/patches/CVE-2018-1000074.patch: fix in
      lib/rubygems/commands/owner_command.rb.
    - CVE-2018-1000074
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-8777*.patch: fix in lib/webrick/httpresponse.rb,
      lib/webrick/httpservlet/filehandler.rb.
    - CVE-2018-8777

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 11 Jun 2018 12:03:55 -0300
Superseded in trusty-updates on 2018-06-14
Superseded in trusty-security on 2018-06-14
ruby2.0 (2.0.0.484-1ubuntu2.9) trusty-security; urgency=medium

  * SECURITY UPDATE: Directory traversal vulnerability
    - debian/patches/CVE-2018-6914.patch: fix in lib/tmpdir.rb,
      test/test_tempfile.rb.
    - CVE-2018-6914
  * SECURITY UPDATE: Buffer under-read
    - debian/patches/CVE-2018-8778.patch: fix in pack.c,
      test/ruby/test_pack.rb.
    - CVE-2018-8778
  * SECURITY UPDATE: Unintended socket
    - debian/patches/CVE-2018-8779.patch: fix in ext/socket/unixsocket.c,
      test/socket/test_unix.rb.
    - CVE-2018-8779
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-8780.patch: fix in dir.c,
      test/ruby/test_dir.rb.
    - CVE-2018-8780

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 16 Apr 2018 11:03:32 -0300
Superseded in trusty-updates on 2018-04-16
Superseded in trusty-security on 2018-04-16
ruby2.0 (2.0.0.484-1ubuntu2.8) trusty-security; urgency=medium

  * SECURITY REGRESSION: The fix for CVE-2018-1000074 was incomplete
    and will be addressed in a future update.

 -- <email address hidden> (Leonidas S. Barbosa)  Fri, 13 Apr 2018 10:37:58 -0300
Superseded in trusty-updates on 2018-04-13
Superseded in trusty-security on 2018-04-13
ruby2.0 (2.0.0.484-1ubuntu2.6) trusty-security; urgency=medium

  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-1000073.patch: fix in
      lib/rubygems/package.rb.
    - CVE-2018-1000073
  * SECURITY UPDATE: Deserialization untrusted data
    - debian/patches/CVE-2018-1000074.patch: fix in
      lib/rubygems/commands/owner_command.rb,
      test/rubygems/test_gem_commands_owner_command.rb.
    - CVE-2018-1000074
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2018-1000075.patch: fix in
      lib/rubygems/package/tar_header.rb,
      test/rubygems/test_gem_package_tar_header.rb.
    - CVE-2018-1000075
  * SECURITY UPDATE: Improper verification of crypto
    signature
    - debian/patches/CVE-2018-1000076.patch: fix in
      lib/rubygems/package.rb, lib/rubygems/package/tar_writer.rb,
      test/rubygems/test_gem_package.rb.
    - CVE-2018-1000076
  * SECURITY UPDATE: Validation vulnerability
    - debian/patches/CVE-2018-1000077.patch: fix in
      lib/rubygems/specification.rb,
      test/rubygems/test_gem_specification.rb.
    - CVE-2018-1000077
  * SECURITY UPDATE: Cross site scripting
    - debian/patches/CVE-2018-1000078.patch: fix in
      lib/rubygems/server.rb.
    - CVE-2018-1000078
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-1000079.patch: fix in
      lib/rubygems/package.rb, test/rubygems/test_gem_package.rb.
    - CVE-2018-1000079

 -- <email address hidden> (Leonidas S. Barbosa)  Tue, 03 Apr 2018 15:37:15 -0300
Superseded in trusty-updates on 2018-04-05
Superseded in trusty-security on 2018-04-05
ruby2.0 (2.0.0.484-1ubuntu2.5) trusty-security; urgency=medium

  * SECURITY UPDATE: command injection through Net::FTP
    - debian/patches/CVE-2017-17405.patch: fix command injection
      in lib/net/ftp.rb, test/net/ftp/test_ftp.rb.
    - CVE-2017-17405

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 18 Dec 2017 15:53:12 -0300
Superseded in trusty-updates on 2018-01-04
Superseded in trusty-security on 2018-01-04
ruby2.0 (2.0.0.484-1ubuntu2.4) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect hostname matching
    - debian/patches/CVE-2015-1855.patch: implement stricter hostname
      validation per RFC 6125 in ext/openssl/lib/openssl/ssl.rb, added
      tests to test/openssl/test_ssl.rb.
    - CVE-2015-1855
  * SECURITY UPDATE: DoS and possible code execution in Fiddle::Handle
    - debian/patches/CVE-2015-7551.patch: check tainted string arguments in
      ext/fiddle/handle.c, added tests to test/fiddle/test_handle.rb.
    - CVE-2015-7551
  * SECURITY UPDATE: SMTP command injection
    - debian/patches/CVE-2015-9096.patch: don't allow bare CR or LF in
      lib/net/smtp.rb, added test to test/net/smtp/test_smtp.rb.
    - CVE-2015-9096
  * SECURITY UPDATE: type confusion in tcltkip
    - debian/patches/CVE-2016-2337.patch: check argument in
      ext/tk/tcltklib.c.
    - CVE-2016-2337
  * SECURITY UPDATE: heap overflow in Fiddle::Function.new
    - debian/patches/CVE-2016-2339.patch: check arguments in
      ext/fiddle/function.c.
    - CVE-2016-2339
  * SECURITY UPDATE: use of same initialization vector (IV)
    - debian/patches/CVE-2016-7798.patch: don't set dummy key in
      ext/openssl/ossl_cipher.c, added test to test/openssl/test_cipher.rb.
    - CVE-2016-7798
  * debian/rules: add note on enabling the full test suite
  * debian/patches/fix_tests.patch: fix some broken tests.

 -- Marc Deslauriers <email address hidden>  Tue, 20 Jun 2017 07:58:57 -0400
Deleted in vivid-release on 2014-12-02 (Reason: (From Debian) ROM; Obsoleted by ruby2.1; Debian bug #752592)
Deleted in vivid-proposed on 2014-12-02 (Reason: moved to release)
ruby2.0 (2.0.0.484+really457-3ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8090.patch: add REXML::Document#document
      to rexml/document.rb, add warning to rexml/entity.rb, added tests to
      test/rexml/test_document.rb.
    - CVE-2014-8090

 -- Marc Deslauriers <email address hidden>   Wed, 19 Nov 2014 08:48:21 -0500
Obsolete in utopic-updates on 2016-11-03
Obsolete in utopic-security on 2016-11-03
ruby2.0 (2.0.0.484+really457-3ubuntu1.2) utopic-security; urgency=medium

  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8090.patch: add REXML::Document#document
      to rexml/document.rb, add warning to rexml/entity.rb, added tests to
      test/rexml/test_document.rb.
    - CVE-2014-8090

 -- Marc Deslauriers <email address hidden>   Wed, 19 Nov 2014 08:52:02 -0500
Superseded in trusty-updates on 2017-07-25
Superseded in trusty-security on 2017-07-25
ruby2.0 (2.0.0.484-1ubuntu2.2) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8090.patch: add REXML::Document#document
      to rexml/document.rb, add warning to rexml/entity.rb, added tests to
      test/rexml/test_document.rb.
    - CVE-2014-8090

 -- Marc Deslauriers <email address hidden>   Wed, 19 Nov 2014 08:53:33 -0500
Superseded in vivid-release on 2014-11-20
Deleted in vivid-proposed on 2014-11-22 (Reason: moved to release)
ruby2.0 (2.0.0.484+really457-3ubuntu2) vivid; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overrun in encodes
    function
    - debian/patches/CVE-2014x-4975.patch: properly calculate buffer size
      in pack.c, added test to test/ruby/test_pack.rb.
    - CVE-2014-4975
  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8080.patch: limit expansions in
      lib/rexml/entity.rb, added tests to test/rexml/test_document.rb,
      test/rexml/test_entity.rb.
    - CVE-2014-8080

 -- Marc Deslauriers <email address hidden>   Tue, 04 Nov 2014 14:49:17 -0500
Superseded in utopic-updates on 2014-11-20
Superseded in utopic-security on 2014-11-20
ruby2.0 (2.0.0.484+really457-3ubuntu1.1) utopic-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overrun in encodes
    function
    - debian/patches/CVE-2014x-4975.patch: properly calculate buffer size
      in pack.c, added test to test/ruby/test_pack.rb.
    - CVE-2014-4975
  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8080.patch: limit expansions in
      lib/rexml/entity.rb, added tests to test/rexml/test_document.rb,
      test/rexml/test_entity.rb.
    - CVE-2014-8080

 -- Marc Deslauriers <email address hidden>   Mon, 03 Nov 2014 09:26:25 -0500
Superseded in trusty-updates on 2014-11-20
Superseded in trusty-security on 2014-11-20
ruby2.0 (2.0.0.484-1ubuntu2.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overrun in encodes
    function
    - debian/patches/CVE-2014x-4975.patch: properly calculate buffer size
      in pack.c, added test to test/ruby/test_pack.rb.
    - CVE-2014-4975
  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8080.patch: limit expansions in
      lib/rexml/entity.rb, added tests to test/rexml/test_document.rb,
      test/rexml/test_entity.rb.
    - CVE-2014-8080

 -- Marc Deslauriers <email address hidden>   Mon, 03 Nov 2014 09:57:14 -0500
Superseded in vivid-release on 2014-11-05
Obsolete in utopic-release on 2016-11-03
Deleted in utopic-proposed on 2016-11-03 (Reason: moved to release)
ruby2.0 (2.0.0.484+really457-3ubuntu1) utopic; urgency=medium

  * Merge with Debian; remaining changes:
    - Upstream doesn't support Tcl/Tk 8.6, stop building the extension.

Superseded in utopic-release on 2014-04-29
Deleted in utopic-proposed on 2014-04-30 (Reason: moved to release)
ruby2.0 (2.0.0.484-1ubuntu3) utopic; urgency=medium

  * Upstream doesn't support Tcl/Tk 8.6, stop building the extension.

 -- Matthias Klose <email address hidden>   Mon, 28 Apr 2014 14:30:30 +0200
Superseded in utopic-release on 2014-04-28
Published in trusty-release on 2014-03-19
Deleted in trusty-proposed (Reason: moved to release)
ruby2.0 (2.0.0.484-1ubuntu2) trusty; urgency=medium

  * Fix build failure with readline-6.3.

 -- Matthias Klose <email address hidden>   Wed, 19 Mar 2014 14:30:49 +0100
Superseded in trusty-release on 2014-03-19
Deleted in trusty-proposed on 2014-03-20 (Reason: moved to release)
ruby2.0 (2.0.0.484-1ubuntu1) trusty; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Build-depend on Tcl/Tk 8.5, ruby is not yet ready for Tcl/Tk 8.6.

Superseded in trusty-release on 2014-02-22
Deleted in trusty-proposed on 2014-02-23 (Reason: moved to release)
ruby2.0 (2.0.0.353-1ubuntu1) trusty; urgency=medium

  * Build-depend on tcl8.5-dev and tk8.5-dev, ruby is not yet ready
    for Tcl/Tk 8.6.

 -- Matthias Klose <email address hidden>   Sat, 04 Jan 2014 17:08:15 +0100
Superseded in trusty-proposed on 2014-01-04
ruby2.0 (2.0.0.353-1build1) trusty; urgency=medium

  * No-change rebuild for Tcl/Tk 8.6.

 -- Matthias Klose <email address hidden>   Thu, 02 Jan 2014 20:21:25 +0100
Superseded in trusty-release on 2014-01-15
Deleted in trusty-proposed on 2014-01-16 (Reason: moved to release)
ruby2.0 (2.0.0.353-1) unstable; urgency=low
  * New upstream release
    + Includes fix for Heap Overflow in Floating Point Parsing (CVE-2013-4164)
      Closes: #730190

 -- Antonio Terceiro <email address hidden>  Mon, 25 Nov 2013 22:34:25 -0300
Superseded in trusty-release on 2013-12-04
Deleted in trusty-proposed on 2013-12-05 (Reason: moved to release)
ruby2.0 (2.0.0.343-1ubuntu1) trusty; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    heap overflow in floating point parsing.
    - debian/patches/CVE-2013-4164.patch: check lengths in util.c, added
      test to test/ruby/test_float.rb.
    - CVE-2013-4164

 -- Marc Deslauriers <email address hidden>   Mon, 25 Nov 2013 14:58:07 -0500
Superseded in trusty-release on 2013-11-29
Deleted in trusty-proposed on 2013-11-30 (Reason: moved to release)
ruby2.0 (2.0.0.343-1) unstable; urgency=low

  * New upstream version (snapshot from 2.0 maintenance branch).
  * fix typo in ruby2.0-tcltk description
  * Backported upstream patches from Tanaka Akira to fix FTBFS on:
    - GNU/kFreeBSD (Closes: #726095)
    - x32 (Closes: #727010)
  * Make date for io-console gemspec predictable (Closes: #724974)
  * libruby2.0 now depends on libjs-jquery because of rdoc (Closes: #725056)
  * Backport upstream patch by Nobuyoshi Nakada to fix include directory in
    `pkg-config --cflags` (Closes: #725166)
  * Document missing licenses in debian/copyright (Closes: #723161)
  * debian/libruby2.0.symbols: add new symbol rb_exec_recursive_paired_outer
    (not in the public API though)

 -- Antonio Terceiro <email address hidden>  Tue, 05 Nov 2013 20:33:23 -0300

Superseded in trusty-release on 2013-11-07
Superseded in trusty-release on 2013-10-21
Obsolete in saucy-release on 2015-04-24
Deleted in saucy-proposed on 2015-04-28 (Reason: moved to release)
ruby2.0 (2.0.0.299-2) unstable; urgency=low
  * Split Ruby/Tk out of libruby2.0 into its own package, ruby2.0-tcltk. This
    will reduce the footprint of a basic Ruby installation.

 -- Antonio Terceiro <email address hidden>  Sun, 15 Sep 2013 22:09:57 -0300