Change logs for ruby1.8 source package in Gutsy

  • ruby1.8 (1.8.6.36-1ubuntu3.3) gutsy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via resource exhaustion in the REXML
        module (LP: #261459)
        - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
          rexml/entity.rb to use expansion limits
        - CVE-2008-3790
      * SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
        service (LP: #246818)
        - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
          check argument length
        - CVE-2008-2376
      * SECURITY UPDATE: denial of service via multiple long requests to a Ruby
        socket
        - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
          managed memory and check for allocation failures
        - CVE-2008-3443
      * SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
        - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
          properly check paths ending with '.'
        - CVE-2008-3656
      * SECURITY UPDATE: predictable transaction id and source port for DNS
        requests (separate vulnerability from CVE-2008-1447)
        - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
          SecureRandom for transaction id and source port
        - CVE-2008-3905
      * SECURITY UPDATE: safe level bypass via DL.dlopen
        - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
          rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
          propagate taint and check taintness of DLPtrData
        - CVE-2008-3657
      * SECURITY UPDATE: safe level bypass via multiple vectors
        - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
          and syslog.c, check for secure level 3 or higher in eval.c and make
          sure PROGRAM_NAME can't be modified
        - CVE-2008-3655
    
     -- Jamie Strandboge <email address hidden>   Thu, 09 Oct 2008 08:47:35 -0500
  • ruby1.8 (1.8.6.36-1ubuntu3.2) gutsy-security; urgency=low
    
      * SECURITY UPDATE: denial of service or arbitrary code execution via
        integer overflows and memory corruption
      * debian/patches/102_CVE-2008-2662+2663+2664+2725+2726.dpatch: update
        array.c to properly validate the size of an array. Update string.c and
        sprintf.c for proper bounds checking
      * References:
        CVE-2008-2662
        CVE-2008-2663
        CVE-2008-2664
        CVE-2008-2725
        CVE-2008-2726
        LP: #241657
    
     -- Jamie Strandboge <email address hidden>   Wed, 25 Jun 2008 15:31:40 -0400
  • ruby1.8 (1.8.6.36-1ubuntu3.1) gutsy-security; urgency=low
    
      * SECURITY UPDATE: SSL connections did not check commonName early
        enough, possibly allowing sensitive information to be exposed.
      * debian/patches/100_CVE-2007-5162.dpatch: upstream fixes, from
        http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
      * debian/patches/101_CVE-2007-5770.dpatch: upstream fixes, from
        http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
      * References:
        CVE-2007-5162 CVE-2007-5770 (LP: #149616)
    
     -- Stephan Hermann <email address hidden>   Tue, 13 Nov 2007 19:42:37 +0100
  • ruby1.8 (1.8.6.36-1ubuntu3) gutsy; urgency=low
    
      * Trigger rebuild for hppa
    
     -- LaMont Jones <email address hidden>   Thu, 04 Oct 2007 12:23:01 -0600
  • ruby1.8 (1.8.6.36-1ubuntu2) gutsy; urgency=low
    
      * Fix build failure on sparc N1 (Debian #393817).
      * Add -g to CFLAGS.
    
     -- Matthias Klose <email address hidden>   Tue, 04 Sep 2007 12:51:53 +0000
  • ruby1.8 (1.8.6.36-1ubuntu1) gutsy; urgency=low
    
      * Merge with Debian; remaining changes:
        - Adjust configure options for lpia.
    
    ruby1.8 (1.8.6.36-1) unstable; urgency=low
    
      * new upstream release 1.8.6-p36.
        - Fix a bug in Etc::getgrgid() always returning the (real) group entry of
          the running process.  [ruby-dev:30586] (closes: #426200)
      * applied patches:
        - debian/patches/804_strcut_clone_leaks_memory.dpatch: Struct#clone leaks
          memory.  [ruby-dev:31168]
        - applied debian/patches/805_ruby-bugs-11507.dpatch:
          ConditionVariable#wait may raise "not owner" exceptions.
        - applied debian/patches/806_c++_compile_error.dpatch: fixed compile
          errors on C++ extension libraries.
        - applied debian/patches/807_sync_try_lock_always_fail.dpatch:
          Sync#try_lock always fails due to wrong variable name.  (closes: 429686)
          Thanks: Dmitry Borodaenko
      * debian/rules: fixed wrong arch_name for arm-linux-gnueabi.
        (closes: #432863)
      * debian/control: ruby1.8-elisp depends on "emacs | emacsen".
        (closes: #433984)
    
     -- Matthias Klose <email address hidden>   Thu, 09 Aug 2007 10:42:29 +0200
  • ruby1.8 (1.8.6-2ubuntu1) gutsy; urgency=low
    
      * Adjust configure options for lpia.
      * Set Ubuntu maintainer address.
    
     -- Matthias Klose <email address hidden>   Tue, 07 Aug 2007 17:40:06 +0000
  • ruby1.8 (1.8.6-2) unstable; urgency=low
    
      * rdoc1.8 should accept graphviz 2.x.  (closes: #425000)
        - applied the patch from Paul van Tilburg.  thanks.
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  18 Jun 2007 17:05:04 +0100
  • ruby1.8 (1.8.6-1) unstable; urgency=low
    
      * new upstream version, 1.8.6.
      * libruby1.8 conflicts with libopenssl-ruby1.8 (< 1.8.6) (closes: #410018)
      * changed packaging style to cdbs from dbs.
    
     -- Matthias Klose <email address hidden>   Fri,  18 May 2007 11:10:42 +0100
  • ruby1.8 (1.8.5-4ubuntu2) feisty; urgency=low
    
      * Rebuild for changes in the amd64 toolchain.
      * Set Ubuntu maintainer address.
    
     -- Matthias Klose <email address hidden>   Mon,  5 Mar 2007 01:26:02 +0000