Change logs for ruby2.3 source package in Xenial

  • ruby2.3 (2.3.1-2~ubuntu16.04.16) xenial-security; urgency=medium
    
      * SECURITY UPDATE: XML round-trip vulnerability in REXML
        - debian/patches/CVE-2021-28965.patch: update to REXML 3.1.7.4.
        - CVE-2021-28965
    
     -- Marc Deslauriers <email address hidden>  Thu, 15 Apr 2021 10:39:41 -0400
  • ruby2.3 (2.3.1-2~ubuntu16.04.15) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Unsafe Object Creation Vulnerability in JSON gem
        - debian/patches/CVE-2020-10663.patch: set json->create_additions to 0
          in ext/json/parser/parser.c, ext/json/parser/parser.rl.
        - CVE-2020-10663
      * SECURITY UPDATE: HTTP Request Smuggling attack in WEBrick
        - debian/patches/CVE-2020-25613.patch: make it more strict to interpret
          some headers in lib/webrick/httprequest.rb.
        - CVE-2020-25613
    
     -- Marc Deslauriers <email address hidden>  Tue, 16 Mar 2021 11:03:56 -0400
  • ruby2.3 (2.3.1-2~ubuntu16.04.14) xenial-security; urgency=medium
    
      * SECURITY UPDATE: NULL injection vulnerability
        - debian/patches/CVE-2019-15845.patch: ensure that
          pattern does not contain a NULL character in dir.c,
          test/ruby/test_fnmatch.rb.
        - CVE-2019-15845
      * SECURITY UPDATE: Denial of service vulnerability
        - debian/patches/CVE-2019-16201.patch: fix in
          lib/webrick/httpauth/digestauth.rb,
          test/webrick/test_httpauth.rb.
        - CVE-2019-16201
      * SECURITY UPDATE: HTTP response splitting in WEBrick
        - debian/patches/CVE-2019-16254.patch: prevent response
          splitting and header injection in lib/webrick/httpresponse.rb,
          test/webrick/test_httpresponse.rb.
        - CVE-2019-16254
      * SECURITY UPDATE: Code injection
        - debian/patches/CVE-2019-16255.patch: prevent unknown command
          in lib/shell/command-processor.rb, test/shell/test_command_processor.rb.
        - CVE-2019-16255
    
     -- <email address hidden> (Leonidas S. Barbosa)  Mon, 25 Nov 2019 12:24:34 -0300
  • ruby2.3 (2.3.1-2~ubuntu16.04.13) xenial; urgency=medium
    
      * d/p/do-not-wakeup-inside-child-processes.patch: avoid child ruby processes
        being stuck in a busy loop (LP: #1834072)
    
     -- Andreas Hasenack <email address hidden>  Tue, 25 Jun 2019 11:52:54 -0300
  • ruby2.3 (2.3.1-2~16.04.12) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Delete directory using symlink when decompressing tar,
        Escape sequence injection vulnerability in gem owner, Escape sequence
        injection vulnerability in API response handling, Arbitrary code exec,
        Escape sequence injection vulnerability in errors
        - debian/patches/CVE-2019-8320-25.patch: fix in
          lib/rubygems/command_manager.rb,
          lib/rubygems/commands/owner_command.rb,
          lib/rubygems/gemcutter_utilities.rb,
          lib/rubygems/installer.rb,
          lib/rubygems/package.rb,
          test/rubygems/test_gem_package.rb,
          test/rubygems/test_gem_installer.rb,
          test/rubygems/test_gem_text.rb.
        - CVE-2019-8320
        - CVE-2019-8321
        - CVE-2019-8322
        - CVE-2019-8323
        - CVE-2019-8324
        - CVE-2019-8325
      * Fixing expired certification that causes tests to fail
        - debian/patches/fixing_expired_SSL_certificates.patch: fix in
          test/net/imap/cacert.pem, test/net/imap/server.crt,
          test/net/imap/server.key.
      * Added lisbon_tz test to excluded tests
        - debian/patches/0001-excluding_lisbon_tz_test.patch:
          test/excludes/TestTimeTZ.rb.
      * Fixing symlink expanding issue that makes some tests and gems fail
        - debian/patches/fixing_symlink_expanding_issue.patch: fix in
          lib/rubygems/package.rb, test/rubygems/test_gem_package.rb.
    
     -- <email address hidden> (Leonidas S. Barbosa)  Wed, 03 Apr 2019 12:30:36 -0300
  • ruby2.3 (2.3.1-2~16.04.11) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Name equality check
        - debian/patches/CVE-2018-16395.patch: fix in
          ext/openssl/ossl_x509name.c.
        - CVE-2018-16395
      * SECURITY UPDATE: Tainted flags not propagated
        - debian/patches/CVE-2018-16396.patch: fix in
          pack.c, test/ruby/test_pack.rb.
        - CVE-2018-16396
      * fixing tz test issue
        - debian/patches/fixing_tz_tests.patch
    
     -- <email address hidden> (Leonidas S. Barbosa)  Tue, 30 Oct 2018 10:59:03 -0300
  • ruby2.3 (2.3.1-2~16.04.10) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Malicious format string - buffer overrun
        - debian/patches/CVE-2017-0898.patch: fix in sprintf.c,
          test/ruby/test_sprintf.rb.
        - CVE-2017-0898
      * SECURITY UPDATE: Response splitting attack
        - debian/patches/CVE-2017-17742.patch: fix in webrick/httpresponse.rb,
          test/webrick/test_httpresponse.rb.
        - CVE-2017-17742
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2018-8777*.patch: fix in lib/webrick/httpresponse.rb,
          lib/webrick/httpservlet/filehandler.rb,
          test/webrick/test_filehandler.rb, test/webrick/test_httpresponse.rb.
        - CVE-2018-8777
    
     -- <email address hidden> (Leonidas S. Barbosa)  Fri, 08 Jun 2018 11:24:57 -0300
  • ruby2.3 (2.3.1-2~16.04.9) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Directory traversal vulnerability
        - debian/patches/CVE-2018-6914.patch: fix in lib/tmpdir.rb,
          test/test_tempfile.rb.
        - CVE-2018-6914
      * SECURITY UPDATE: Buffer under-read
        - debian/patches/CVE-2018-8778.patch: fix in pack.c,
          test/ruby/test_pack.rb.
        - CVE-2018-8778
      * SECURITY UPDATE: Unintended socket
        - debian/patches/CVE-2018-8779.patch: fix in ext/socket/unixsocket.c,
          test/socket/test_unix.rb.
        - CVE-2018-8779
      * SECURITY UPDATE: Directory traversal
        - debian/patches/CVE-2018-8780.patch: fix in dir.c,
          test/ruby/test_dir.rb.
        - CVE-2018-8780
    
     -- <email address hidden> (Leonidas S. Barbosa)  Fri, 13 Apr 2018 11:38:20 -0300
  • ruby2.3 (2.3.1-2~16.04.7) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Directory traversal
        - debian/patches/CVE-2018-1000073.patch: fix in
          lib/rubygems/package.rb.
        - CVE-2018-1000073
      * SECURITY UPDATE: Deserialization untrusted data
        - debian/patches/CVE-2018-1000074.patch: fix in
          lib/rubygems/commands/owner_command.rb,
          test/rubygems/test_gem_commands_owner_command.rb.
        - CVE-2018-1000074
      * SECURITY UPDATE: Infinite loop
        - debian/patches/CVE-2018-1000075.patch: fix in
          lib/rubygems/package/tar_header.rb,
          test/rubygems/test_gem_package_tar_header.rb.
        - CVE-2018-1000075
      * SECURITY UPDATE: Improper verification of crypto
        signature
        - debian/patches/CVE-2018-1000076.patch: fix in
          lib/rubygems/package.rb, lib/rubygems/package/tar_writer.rb,
          test/rubygems/test_gem_package.rb.
        - CVE-2018-1000076
      * SECURITY UPDATE: Validation vulnerability
        - debian/patches/CVE-2018-1000077.patch: fix in
          lib/rubygems/specification.rb,
          test/rubygems/test_gem_specification.rb.
        - CVE-2018-1000077
      * SECURITY UPDATE: Cross site scripting
        - debian/patches/CVE-2018-1000078.patch: fix in
          lib/rubygems/server.rb.
        - CVE-2018-1000078
      * SECURITY UPDATE: Directory traversal
        - debian/patches/CVE-2018-1000079.patch: fix in
          lib/rubygems/package.rb.
        - CVE-2018-1000079
    
     -- <email address hidden> (Leonidas S. Barbosa)  Wed, 04 Apr 2018 12:16:06 -0300
  • ruby2.3 (2.3.1-2~16.04.6) xenial-security; urgency=medium
    
      * SECURITY UPDATE: fails to validate specification names
        - debian/patches/CVE-2017-0901-0902.patch: fix this.
        - CVE-2017-0901
      * SECURITY UPDATE: vulnerable to a DNS hijacking
        - debian/patches/CVE-2017-0901-0902.patch: fix this.
        - CVE-2017-0902
      * SECURITY UPDATE: possible remote code execution
        - debian/patches/CVE-2017-0903.patch: whitelist classes
          and symbols that are in Gem spec YAML in lib/rubygems.rb,
          lib/rubygems/config_file.rb, lib/rubygems/package.rb,
          lib/rubygems/package/old.rb, lib/rubygems/safe_yaml.rb,
          lib/rubygems/specification.rb.
        - CVE-2017-0903
    
     -- <email address hidden> (Leonidas S. Barbosa)  Tue, 30 Jan 2018 14:54:19 -0300
  • ruby2.3 (2.3.1-2~16.04.5) xenial-security; urgency=medium
    
      * SECURITY UPDATE: possible command injection attacks through
        Kernel#open
        - debian/patches/CVE-2017-17790.patch: fix uses of Kernel#open in
          lib/resolv.rb.
        - CVE-2017-17790
      * SECURITY UPDATE: possibly execute arbitrary commands via a crafted user name
        - debian/patches/CVE-2017-10784.patch: sanitize any type of logs in
          lib/webrick/httpstatus.rb, lib/webrick/log.rb and test/webrick/test_httpauth.rb.
        - CVE-2017-10784
      * SECURITY UPDATE: denial of service via a crafted string
        - debian/patches/CVE-2017-14033.patch: fix in ext/openssl/ossl_asn1.c.
        - CVE-2017-14033
      * SECURITY UPDATE: Arbitrary memory exposure during a JSON.generate call
        - debian/patches/CVE-2017-14064.patch: fix this in
          ext/json/ext/generator/generator.c and ext/json/ext/generator/generator.h.
    
     -- <email address hidden> (Leonidas S. Barbosa)  Tue, 09 Jan 2018 11:43:22 -0300
  • ruby2.3 (2.3.1-2~16.04.4) xenial-security; urgency=medium
    
      * SECURITY UPDATE: command injection through Net::FTP
        - debian/patches/CVE-2017-17405.patch: fix command injection
          in lib/net/ftp.rb, test/net/ftp/test_ftp.rb.
        - CVE-2017-17405
      * Exclude some tests that fail in Launchpad:
        - debian/patches/0090-Exclude-tests-that-fail-on-Ubuntu-builds.patch
    
     -- <email address hidden> (Leonidas S. Barbosa)  Mon, 18 Dec 2017 16:25:28 -0300
  • ruby2.3 (2.3.1-2~16.04.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: SMTP command injection
        - debian/patches/CVE-2015-9096.patch: don't allow bare CR or LF in
          lib/net/smtp.rb, added test to test/net/smtp/test_smtp.rb.
        - CVE-2015-9096
      * SECURITY UPDATE: use of same initialization vector (IV)
        - debian/patches/CVE-2016-7798.patch: don't set dummy key in
          ext/openssl/ossl_cipher.c, added test to test/openssl/test_cipher.rb.
        - CVE-2016-7798
      * debian/rules: enable full test suite
      * debian/control: added netbase to Build-Depends
      * debian/patches/fix_tests.patch: fix tests that do not work correctly.
    
     -- Marc Deslauriers <email address hidden>  Tue, 20 Jun 2017 11:05:02 -0400
  • ruby2.3 (2.3.1-2~16.04) xenial-proposed; urgency=medium
    
      * SRU: LP: #1589271, backport 2.3.1 to 16.04 LTS.
      * Fixes tests on s390x. LP: #1556783.
    
    ruby2.3 (2.3.1-2) unstable; urgency=medium
    
      [ Antonio Terceiro ]
      * debian/tests/known-failures.txt: remove test that now passes
        (test/rinda/test_rinda.rb)
      * debian/rules: enable bindnow hardening option (Closes: #822288)
      * debian/copyright: update and simplify copyright annotations for Unicode
        files under enc/trans/JIS/
      * Bump Standards-Version to 3.9.8 (no changes needed)
    
      [ Christian Hofstaedtler ]
      * Stop providing ruby-interpreter. Only packages providing
        /usr/bin/ruby can be a credible provider of ruby-interpreter.
        (Closes: #822072)
      * Raise priority to "optional", now that ruby2.2 is gone, although
        the value of this change is unclear. (Closes: #822911)
      * Apply patch from Reiner Herrmann <email address hidden> to help with
        reproducibility of mkmf.rb using packages. (Closes: #825569)
    
    ruby2.3 (2.3.1-1) unstable; urgency=medium
    
      * Call make install-doc, install-nodoc with V=1, for diagnosing
        build failures.
      * New upstream TEENY version.
    
     -- Matthias Klose <email address hidden>  Sun, 05 Jun 2016 17:50:45 +0200
  • ruby2.3 (2.3.0-5ubuntu1) xenial; urgency=medium
    
      * Merge with Debian; remaining changes:
        - Don't run tests on s390x, hanging on the buildds.
    
    ruby2.3 (2.3.0-5) unstable; urgency=medium
    
      * Set gzip embedded mtime field to fixed value for rdoc-generated
        compressed javascript data. Helps with reproducibility of rdoc-using
        packages.
      * Build tcltk extension for Tcl/Tk 8.6.
      * Apply patch from upstream to fix crash in Proc binding.
        (ruby-core: 74100, trunk r54128, bug #12137). (Closes: #816161)
    
     -- Matthias Klose <email address hidden>  Tue, 22 Mar 2016 16:21:08 +0100
  • ruby2.3 (2.3.0-5) unstable; urgency=medium
    
      * Set gzip embedded mtime field to fixed value for rdoc-generated
        compressed javascript data. Helps with reproducibility of rdoc-using
        packages.
      * Build tcltk extension for Tcl/Tk 8.6.
      * Apply patch from upstream to fix crash in Proc binding.
        (ruby-core: 74100, trunk r54128, bug #12137). (Closes: #816161)
    
     -- Christian Hofstaedtler <email address hidden>  Wed, 16 Mar 2016 23:36:12 +0000
  • ruby2.3 (2.3.0-4ubuntu3) xenial; urgency=medium
    
      * Build using Tcl/Tk 8.6.
    
     -- Matthias Klose <email address hidden>  Mon, 14 Mar 2016 11:25:22 +0100
  • ruby2.3 (2.3.0-4ubuntu2) xenial; urgency=medium
    
      * Don't run tests on s390x, hanging on the buildds.
      * Ignore test results on i386.
    
     -- Matthias Klose <email address hidden>  Mon, 14 Mar 2016 09:02:50 +0100
  • ruby2.3 (2.3.0-4ubuntu1) xenial; urgency=medium
    
      * Ignore test results on s390x.
    
     -- Matthias Klose <email address hidden>  Mon, 14 Mar 2016 09:02:50 +0100
  • ruby2.3 (2.3.0-4) unstable; urgency=medium
    
      * Apply patch from upstream to fix deserializing OpenStruct via Psych,
        (ruby-core: 72501, trunk r53366). (Closes: #816358)
    
     -- Christian Hofstaedtler <email address hidden>  Tue, 01 Mar 2016 22:41:19 +0100
  • ruby2.3 (2.3.0-2) unstable; urgency=medium
    
      * debian/libruby2.3.symbols: update with new symbols introduced right before
        the final 2.3.0 release.
      * libruby2.3: add dependencies on rake, ruby-did-you-mean and
        ruby-net-telnet
    
     -- Antonio Terceiro <email address hidden>  Sat, 30 Jan 2016 09:20:31 -0200
  • ruby2.3 (2.3.0-1) unstable; urgency=medium
    
      [ Antonio Terceiro ]
      * Ruby 2.3
      * debian/tests/bundled-gems: check if all libraries that are supposed to be
        bundled are present, with a version greater than or equal to the one
        specified in gems/bundled_gems
      * debian/tests/run-all: filter failures against list of known failures. Pass
        if only the tests listed in debian/tests/known-failures.txt fail, fail
        otherwise. This will help catch regressions.
      * debian/copyright: update wrt new files in the distribution
    
      [ Christian Hofstaedtler ]
      * autopkgtest: depend on all packages so we actually have header files
        installed.
    
     -- Antonio Terceiro <email address hidden>  Mon, 28 Dec 2015 09:17:47 -0300