Changelog
ruby1.9.1 (1.9.3.484-2ubuntu1.2~ubuntu12.04.1~ppa1) precise; urgency=low

  * No-change backport to precise

ruby1.9.1 (1.9.3.484-2ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8090.patch: add REXML::Document#document
      to lib/rexml/document.rb, add warning to lib/rexml/entity.rb, added
      tests to test/rexml/test_document.rb.
    - CVE-2014-8090

ruby1.9.1 (1.9.3.484-2ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overrun in encodes
    function
    - debian/patches/CVE-2014-4975.patch: properly calculate buffer size
      in pack.c.
    - CVE-2014-4975
  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8080.patch: limit expansions in
      lib/rexml/entity.rb, added tests to test/rexml/test_document.rb,
      test/rexml/test_entity.rb.
    - CVE-2014-8080

ruby1.9.1 (1.9.3.484-2ubuntu1) trusty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/control: Add ca-certificates to libruby1.9.1 depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
    - debian/patches/20131218-stack-size.patch: Increase thread stack
      size on 64-bit platforms to prevent testsuite failure on ppc64el.
    - Build-depend on Tcl/Tk 8.5, ruby is not yet ready for Tcl/Tk 8.6.

ruby1.9.1 (1.9.3.484-2) unstable; urgency=medium

  * new strategy for Ruby version transitions:
    - ruby1.9.1 depends on ruby
    - libruby1.9.1 depends on ruby1.9.1
  * Drop alternatives entries.

ruby1.9.1 (1.9.3.484-1ubuntu2) trusty; urgency=medium

  * Build-depend on tcl8.5-dev and tk8.5-dev, ruby is not yet ready
    for Tcl/Tk 8.6.

ruby1.9.1 (1.9.3.484-1ubuntu1) trusty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/control: Add ca-certificates to libruby1.9.1 depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
  * Drop debian/patches/CVE-2013-4164.patch; applied upstream.
  * debian/patches/20131218-stack-size.patch: Increase thread stack
    size on 64-bit platforms to prevent testsuite failure on ppc64el.

ruby1.9.1 (1.9.3.484-1) unstable; urgency=low

  * New upstream release
    + Includes fix for Heap Overflow in Floating Point Parsing (CVE-2013-4164)
      Closes: #730178
    + drop debian/patches/2013-09-08-restore-rb_f_lambda-declaration.patch,
      already applied upstream.

ruby1.9.1 (1.9.3.448-1ubuntu2) trusty; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    heap overflow in floating point parsing.
    - debian/patches/CVE-2013-4164.patch: check lengths in util.c, added
      test to test/ruby/test_float.rb.
    - CVE-2013-4164

ruby1.9.1 (1.9.3.448-1ubuntu1) trusty; urgency=low

  * Merge from Debian. Remaining changes:
    - debian/control: Add ca-certificates to libruby1.9.1 depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
ruby1.9.1 (1.9.3.448-1) unstable; urgency=low

  * New upstream release
    + Includes fix for potential thread deadlock after fork()
      Closes: #698208
    + Includes fix for test error originally introduced by patch for
      CVE-2012-4522
      Closes: #701142
    + Includes fix for CVE-2012-4466 and CVE-2012-4464
      Closes: #701144
    + Includes fix for incorrect setting of FD_CLOEXEC with F_SETFL instead of
      F_SETFD
      Closes: #696281
    + debian/patches/2013-09-08-restore-rb_f_lambda-declaration.patch:
      backport upstream patch to reintroduce the declaration of rb_f_lambda
      for backwards compatibility.
    + Dropped patches already applied upstream; refreshed all others.
  * Review of remaining patches in debian/patches/series:
    + 909_update_lib_README.diff: obsolete and ultimately wrong. Removed
    + 903_skip_base_ruby_check.diff: can't see a reason why this would be
      needed. Removed.
  * move logic to skip DRB tests inside debian/run-test-suites.bash
  * Acknowledge security-related NMUs by Salvatore Bonaccorso.
    + Both CVE-2013-1821.patch and CVE-2013-4073.patch already applied in this
      upstream version, not included anymore
  * debian/rules: acknowledge reality, put myself as maintainer.
  * debian/rules: dropped --with-baseruby=/usr/bin/ruby1.8. This way the build
    will just use `ruby` for bootstrapping. Also, build-depend on ruby |
    ruby-interpreter instead of ruby1.8; this way ruby1.9.1 can be
    bootstrapped with any Ruby interpreter, and we can leave ruby1.8 Rest In
    Peace.
  * debian/rules: applied patch from Timothy Pearson to install pkg-config
    file.
    Closes: #688002
  * debian/libruby1.9.1.symbols: removed debian revision from version numbers
    for symbols introduced in 1.9.3.194
  * debian/control: bump Standards-Version to 3.9.4. No changes needed.
  * debian/control: remove -1 from build dependency on coreutils
ruby1.9.1 (1.9.3.194-8.2) unstable; urgency=high

  * Non-maintainer upload.
  * Add CVE-2013-4073.patch patch.
    CVE-2013-4073: Fix hostname check bypassing vulnerability in SSL client.
    (Closes: #714543)

ruby1.9.1 (1.9.3.194-8.1ubuntu2) saucy; urgency=low

  * SECURITY UPDATE: incorrect ssl hostname verification
    - debian/patches/CVE-2013-4073.patch: fix hostname check and regression
      in ext/openssl/lib/openssl/ssl-internal.rb, added test to
      test/openssl/test_ssl.rb.
    - CVE-2013-4073

ruby1.9.1 (1.9.3.194-8.1ubuntu1) raring; urgency=low

  * Merge from Debian testing. Remaining changes:
    - debian/control: Add ca-certificates to libruby1.9.1 depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
    - debian/patches/CVE-2012-4522.patch: Adjust patch to fix build test
      error. Use the version of the fix from upstream's 1.9.3 tree to fix
      the NoMethodError for assert_file_not, which doesn't exist in 1.9.3.
      Adjust the Origin patch tag accordingly.

ruby1.9.1 (1.9.3.194-8.1) unstable; urgency=high

  * Non-maintainer upload.
  * Add CVE-2013-1821.patch patch.
    CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML. When
    reading text nodes from an XML document, the REXML parser could be
    coerced into allocating extremely large string objects which could
    consume all available memory on the system. (Closes: #702525)

ruby1.9.1 (1.9.3.194-7ubuntu1) raring; urgency=low

  * Merge from Debian testing (LP: #1131493). Remaining changes:
    - debian/control: Add ca-certificates to libruby1.9.1 depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
  * Changes dropped:
    - debian/patches/20121016-cve_2012_4522.patch: Debian is carrying a patch
      for this issue.
    - debian/patches/20121011-cve_2012_4464-cve_2012_4466.patch: Debian is
      carrying a patch for this issue, but the patch is incorrectly named
      20120927-cve_2011_1005.patch. I'll work with Debian to change the patch
      name, but there's no need in carrying a delta because of this. To be
      clear, the Ubuntu ruby1.9.1 package is patched for CVE-2012-4464 and
      CVE-2012-4466, despite the incorrect patch name.
  * debian/patches/CVE-2012-4522.patch: Adjust patch to fix build test error.
    Use the version of the fix from upstream's 1.9.3 tree to fix the
    NoMethodError for assert_file_not, which doesn't exist in 1.9.3. Adjust
    the Origin patch tag accordingly.

ruby1.9.1 (1.9.3.194-5) unstable; urgency=high

  * Disable running the test suite during the build on sparc again. Keeping
    urgency=high because the previous release, which contains a security bug
    fix, did not reach testing yet because of a segfault when running tests in
    the sparc buildd.
ruby1.9.1 (1.9.3.194-4) unstable; urgency=high

  [ James Healy ]
  * debian/patches/CVE-2012-5371.patch: avoid DoS vulnerability in hash
    implementation, this fixes CVE-2012-5371. (Closes: #693024).

ruby1.9.1 (1.9.3.194-3) unstable; urgency=high

  * debian/patches/CVE-2012-4522.patch: avoid vulnerability with strings
    containing NUL bytes passed to file creation methods. This fixes
    CVE-2012-4522 (Closes: #690670).
ruby1.9.1 (1.9.3.194-2) unstable; urgency=low

  * debian/patches/20120927-cve_2011_1005.patch: patch sent by upstream;
    fixes CVE-2011-1005 which was thought of as not affecting the Ruby 1.9.x
    series (Closes: #689075). Thanks to Tyler Hicks <email address hidden>
    for reporting the issue.

ruby1.9.1 (1.9.3.194-1ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: Safe level bypass
    - debian/patches/20121011-cve_2012_4464-cve_2012_4466.patch: Remove
      incorrect string taint in exception handling methods. Based on upstream
      patch.
    - CVE-2012-4464
    - CVE-2012-4466
  * SECURITY UPDATE: Missing input sanitization of file paths
    - debian/patches/20121016-cve_2012_4522.patch: NUL characters are not
      valid filename characters, so ensure that Ruby strings used for file
      paths do not contain NUL characters. Based on upstream patch.
    - CVE-2012-4522
  * debian/patches/20120927-cve_2011_1005.patch: Drop since ruby1.9.x is
    technically not affected by CVE-2011-1005. CVE-2012-4464 is the id
    assigned to the vulnerability in the ruby1.9.x branch.

ruby1.9.1 (1.9.3.194-1ubuntu1) quantal; urgency=low

  * SECURITY UPDATE: Safe level bypass
    - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
      taint in exception handling methods. Based on upstream patch.
    - CVE-2011-1005
  * Make the RubyGems fetcher use distro-provided ca-certificates
    (LP: #1057926)
    - debian/control: Add ca-certificates to libruby1.9.1 depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
ruby1.9.1 (1.9.3.194-1) unstable; urgency=low

  [ Lucas Nussbaum ]
  * Add hurd-path-max.diff. Fixes FTBFS on Hurd. (Closes: #648055)

  [ Daigo Moriwaki ]
  * Removed debian/patches/sparc-continuations.diff,
    which the upstream has applied.
  * debian/rules:
    - Bumped up tcltk_ver to 8.5.
    - Used chrpath for tcltklib.so to fix a lintian error,
      binary-or-shlib-defines-rpath.
  * debian/control:
    - Suggests ruby-switch. (Closes: #654312)
    - Build-Depends: chrpath.
  * debian/libruby1.9.1.symbols: Added a new symbol for
    rb_str_modify_expand@Base.
  * debian/run-test-suites.bash:
    - Corrected options for test-all.
    - Enabled timeout to allow hang tests to be aborted.

  [ James Healy ]
  * New upstream release: 1.9.3p194 (Closes: #669582)
    + This release includes a fix for CVE-2011-0188 (Closes: #628451)
    + This release also does not segfault when running the test suite under
      amd64 (Closes: #674347)
  * Enable hardened build flags (Closes: #667964)
  * debian/control:
    - depend on specific version on coreutils
    - update policy version (no changes)

  [ Antonio Terceiro ]
  * debian/ruby1.9.1.postinst:
    + bump alternatives priority for `ruby` to 51 so that Ruby 1.9 has a
      higher priority than Ruby 1.8 (50).
    + bump alternatives priority for `gem` to 181 so that the Rubygems
      provided by Ruby 1.9 has priority over the one provided by the rubygems
      package.
  * debian/control: added myself to Uploaders:
  * debian/libruby1.9.1.symbols: update with new symbols added in 1.9.3p194
    upstream release.
  * debian/manpages/*: fix references to command names with s/1.9/1.9.1/
  * debian/rules: skip running DRB tests, since they seem to make the build
    hang. This should close #647296, but let's wait and see. Also, with this we
    do not need to time out the test suite anymore.
ruby1.9.1 (1.9.3.0-2) unstable; urgency=low

  * gcc's #635126 requiring -fno-tree-sra has been fixed.
    Disable workaround in that package.
  * add sparc-continuations.diff: fixes segfault during test suite on sparc.
    Closes: #593138, #545345. Many thanks to Jurij Smakov.

 -- yavdr <email address hidden>  Sat, 10 Jan 2015 20:28:26 +0100