Change logs for ruby1.8 source package in Jaunty

  • ruby1.8 (1.8.7.72-3ubuntu0.1) jaunty-security; urgency=low
    
      * SECURITY UPDATE: certificate spoofing via invalid return value check
        in OCSP_basic_verify
        - debian/patches/906_security_CVE-2009-0642.dpatch: also check for -1
          return code in ext/openssl/ossl_ocsp.c.
        - CVE-2009-0642
      * SECURITY UPDATE: denial of service in BigDecimal library via string
        argument that represents a large number (LP: #385436)
        - debian/patches/907_security_CVE-2009-1904.dpatch: handle large
          numbers properly in ext/bigdecimal/bigdecimal.c.
        - CVE-2009-1904
    
     -- Marc Deslauriers <email address hidden>   Wed, 15 Jul 2009 10:38:14 -0400
  • ruby1.8 (1.8.7.72-3) unstable; urgency=medium
    
      * applied debian/patches/905_class_dup_should_copy_constants.dpatch:
        - Class#dup should copy constants into the duplicated class.
          (closes: #506344)
    
    ruby1.8 (1.8.7.72-2) unstable; urgency=high
    
      * updated 168_rexml_dos.patch:
        - fixed regression of fix of REXML DoS vulnerability (CVE-2008-3790)
          (ref: #502535)
    
     -- Bhavani Shankar <email address hidden>   Sun,  25 Jan 2009 01:44:59 +0000
  • ruby1.8 (1.8.7.72-1ubuntu1) jaunty; urgency=low
    
      * debian/patches/905_short_named_constants.dpatch: Fix for short-named
        constants regression (LP: #282302)
    
     -- Jamie Strandboge <email address hidden>   Mon, 27 Oct 2008 12:18:35 -0500
  • ruby1.8 (1.8.7.72-1) unstable; urgency=high
    
      * New upstream release.
        - many patches in 1.8.7.22-4 were simply backported from upstream SVN, and
          are integrated into that release. We drop those:
          + 103_array_c_r17472_to_r17756.dpatch
          + 810_ruby187p22_fixes.dpatch
          + 811_multiple_vuln_200808.dpatch
        - Fixes the following security issues: (Closes: #494401)
          * Several vulnerabilities in safe level
          * DoS vulnerability in WEBrick
          * Lack of taintness check in dl
          * DNS spoofing vulnerability in resolv.rb (CVE-2008-1447)
      * Applied debian/patches/168_rexml_dos.dpatch:
        Fix CVE-2008-3790 (REXML expansion DOS). Closes: #496808.
    
    ruby1.8 (1.8.7.22-4) unstable; urgency=high
    
      * applied debian/patches/811_multiple_vuln_200808:
        fixed multiple vulnerabilities issued at
        <http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/>
        and
        <http://www.ruby-lang.org/en/news/2008/08/11/ruby-1-8-7-p72-and-1-8-6-p287-released/>.
        - v_1_8_7_32 - untrace_var is permitted at safe level 4
        - v_1_8_7_35 - $PROGRAM_NAME may be modified at safe level 4
        - v_1_8_7_33 - Insecure methods may be called at safe level 1-3
        - v_1_8_7_44 - Syslog operations are permitted at safe level 4
        - v_1_8_7_69 - DoS vulnerability in WEBrick
        - v_1_8_7_72 - Lack of taintness check in dl
        - v_1_8_7_71 - DNS spoofing vulnerability in resolv.rb
    
    ruby1.8 (1.8.7.22-3) unstable; urgency=medium
    
      * applied debian/patches/810_ruby187p22_fixes.dpatch:
        fixed incompatibilities and degrades about Ruby 1.8.7 and 1.8.7-p22.
        - v1_8_7_23: incompatibility about class methods.
        - v1_8_7_46: cgi.rb shouldn't reject filenames which include spaces.
        - v1_8_7_39: self concat of string issue
        - v1_8_7_47: respond_to? issue
        - v1_8_7_51: Float#to_i gives incorrect sign in x86_64_linux
          <http://rubyforge.org/tracker/index.php?func=detail&aid=14102&group_id=426&atid=1698>
        - v1_8_7_54: [ruby-core:17491] [Ruby 1.8.7 - Bug #213] (Open) Different
          ERB behavior across versions
        - v1_8_7_58: IPAddr.new("192.168.1.1").to_range raise an exception
          [ruby-dev:35091]
        - v1_8_7_59: Zlib::GzipWriter#mtime= sets wrong mtime for Time on 1.8
        - v1_8_7_60: XMLRPC::Client#do_rpc should require webrick/cookie.
          <http://rubyforge.org/tracker/index.php?func=detail&aid=21139&group_id=426&atid=1698>
    
    ruby1.8 (1.8.7.22-2) unstable; urgency=low
    
      * applied debian/patches/103_array_c_r17472_to_r17756.dpatch:
        - fixed an integer overflow bug.
    
     -- Lucas Nussbaum <email address hidden>   Sat,  20 Sep 2008 02:35:37 +0100