Change logs for ruby1.9.1 source package in Quantal

  • ruby1.9.1 (1.9.3.194-1ubuntu1.6) quantal-security; urgency=low
    
      * SECURITY UPDATE: safe level restriction bypass via DL and Fiddle
        - debian/patches/CVE-2013-2065.patch: perform taint checking in
          ext/dl/lib/dl/func.rb, ext/fiddle/function.c.
        - CVE-2013-2065
      * SECURITY UPDATE: denial of service and possible code execution via
        heap overflow in floating point parsing.
        - debian/patches/CVE-2013-4164.patch: check lengths in util.c, added
          test to test/ruby/test_float.rb.
        - CVE-2013-4164
     -- Marc Deslauriers <email address hidden>   Tue, 26 Nov 2013 12:53:19 -0500
  • ruby1.9.1 (1.9.3.194-1ubuntu1.5) quantal-security; urgency=low
    
      * SECURITY UPDATE: incorrect ssl hostname verification
        - debian/patches/CVE-2013-4073.patch: fix hostname check and regression
          in ext/openssl/lib/openssl/ssl-internal.rb, added test to
          test/openssl/test_ssl.rb.
        - CVE-2013-4073
     -- Marc Deslauriers <email address hidden>   Mon, 08 Jul 2013 13:03:43 -0400
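As an added illustration of the hostname check that the entry above patches (example code written for this page, not from the Ubuntu package or from upstream Ruby), the block below builds a throwaway self-signed certificate carrying constructed subjectAltName entries and runs it through OpenSSL::SSL.verify_certificate_identity, the post-handshake matcher that in current Ruby lives in ext/openssl/lib/openssl/ssl.rb. The helper names (build_test_cert, hostname_matches?, demo) and the example.com/example.net hostnames are assumptions made for this example.

```ruby
require "openssl"

# Build a throwaway self-signed certificate in memory (constructed test data,
# not a CA-issued cert) whose subjectAltName holds the given entries.
def build_test_cert(san_entries)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=test.invalid")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("subjectAltName", san_entries.join(","), false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Thin wrapper (assumed name) around Ruby's own identity check, so the
# matching rules can be exercised without opening a TLS connection.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Exercise the RFC 6125 rules the matcher implements: exact dNSName match,
# single-label wildcard match, no multi-label wildcard match, no match for an
# unrelated name, and the CN is ignored once dNSName entries are present.
def demo
  cert = build_test_cert(["DNS:www.example.com", "DNS:*.example.net"])
  {
    exact:    hostname_matches?(cert, "www.example.com"),
    wildcard: hostname_matches?(cert, "api.example.net"),
    too_deep: hostname_matches?(cert, "a.b.example.net"),
    other:    hostname_matches?(cert, "www.evil.test"),
    cn_only:  hostname_matches?(cert, "test.invalid"),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, ok| puts "#{label}: #{ok}" }
end
```

In a real client this check is not called by hand: with `ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER` and `ctx.verify_hostname = true` (Ruby 2.4 and later), OpenSSL::SSL::SSLSocket runs the same matcher after the handshake and raises if the presented certificate does not cover the requested hostname. The expected outcomes are exact and wildcard true, and too_deep, other and cn_only false.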
  • ruby1.9.1 (1.9.3.194-1ubuntu1.4) quantal-security; urgency=low
    
      * SECURITY UPDATE: REXML entity expansion DoS
        - debian/patches/CVE-2013-1821.patch: set an expansion limit in
          lib/rexml/document.rb, lib/rexml/text.rb, added test to
          test/rexml/test_entity.rb.
        - Patch taken from Debian's 1.9.3.194-8.1
        - CVE-2013-1821
     -- Marc Deslauriers <email address hidden>   Fri, 22 Mar 2013 13:49:32 -0400
  • ruby1.9.1 (1.9.3.194-1ubuntu1.3) quantal-security; urgency=low
    
      * SECURITY UPDATE: denial of service via hash collisions
        - debian/patches/20121120-cve-2012-5371.diff: replace hash
          implementation in common.mk, random.c, siphash.*, string.c.
        - CVE-2012-5371
      * SECURITY UPDATE: xss in documents generated by rdoc
        - debian/patches/CVE-2013-0256.patch: fix xss in
          lib/rdoc/generator/template/darkfish/js/darkfish.js.
        - CVE-2013-0256
      * SECURITY UPDATE: DoS and unsafe object creation via JSON
        - debian/patches/CVE-2013-0269.patch: fix JSON parsing in
          ext/json/lib/json/add/core.rb, ext/json/lib/json/common.rb,
          ext/json/parser/parser.c, ext/json/parser/parser.rl,
          test/json/test_json.rb, test/json/test_json_addition.rb,
          test/json/test_json_string_matching.rb.
        - CVE-2013-0269
      * Patches taken from Debian 1.9.3.194-7 package.
     -- Marc Deslauriers <email address hidden>   Fri, 15 Feb 2013 09:30:35 -0500
  • ruby1.9.1 (1.9.3.194-1ubuntu1.2) quantal-security; urgency=low
    
      * SECURITY UPDATE: Safe level bypass
        - debian/patches/20121011-cve_2012_4464-cve_2012_4466.patch: Remove
          incorrect string taint in exception handling methods. Based on upstream
          patch.
        - CVE-2012-4464
        - CVE-2012-4466
      * SECURITY UPDATE: Missing input sanitization of file paths
        - debian/patches/20121016-cve_2012_4522.patch: NUL characters are not
          valid filename characters, so ensure that Ruby strings used for file
          paths do not contain NUL characters. Based on upstream patch.
        - CVE-2012-4522
      * debian/patches/20120927-cve_2011_1005.patch: Drop since ruby1.9.x is
        technically not affected by CVE-2011-1005. CVE-2012-4464 is the id
        assigned to the vulnerability in the ruby1.9.x branch.
     -- Tyler Hicks <email address hidden>   Tue, 16 Oct 2012 09:38:57 -0700
  • ruby1.9.1 (1.9.3.194-1ubuntu1) quantal; urgency=low
    
      * SECURITY UPDATE: Safe level bypass
        - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
          taint in exception handling methods. Based on upstream patch.
        - CVE-2011-1005
      * Make the RubyGems fetcher use distro-provided ca-certificates
        (LP: #1057926)
        - debian/control: Add ca-certificates to libruby1.9.1 depends so that
          rubygems can perform certificate verification
        - debian/rules: Don't install SSL certificates from upstream sources
        - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
          /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
     -- Tyler Hicks <email address hidden>   Thu, 27 Sep 2012 20:37:54 -0700
  • ruby1.9.1 (1.9.3.194-1) unstable; urgency=low
    
    
      [ Lucas Nussbaum ]
      * Add hurd-path-max.diff. Fixes FTBFS on Hurd. (Closes: #648055)
    
      [ Daigo Moriwaki ]
      * Removed debian/patches/debian/patches/sparc-continuations.diff,
        which the upstream has applied.
      * debian/rules:
        - Bumped up tcltk_ver to 8.5.
        - Used chrpath for tcltklib.so to fix a lintian error,
          binary-or-shlib-defines-rpath.
      * debian/control:
        - Suggests ruby-switch. (Closes: #654312)
        - Build-Depends: chrpath.
      * debian/libruby1.9.1.symbols: Added a new symbol for
        rb_str_modify_expand@Base.
      * debian/run-test-suites.bash:
        - Corrected options for test-all.
        - Enabled timeout to allow hang tests to be aborted.
    
      [ James Healy ]
      * New upstream release: 1.9.3p194 (Closes: #669582)
        + This release includes a fix for CVE-2011-0188 (Closes: #628451)
        + This release also does not segfault when running the test suite under
          amd64 (Closes: #674347)
      * Enable hardened build flags (Closes: #667964)
      * debian/control:
        - depend on specific version on coreutils
        - update policy version (no changes)
    
      [ Antonio Terceiro ]
      * debian/ruby1.9.1.postinst:
        + bump alternatives priority for `ruby` to 51 so that Ruby 1.9 has a
          higher priority than Ruby 1.8 (50).
        + bump alternatives priority for `gem` to 181 so that the Rubygems
          provided by Ruby 1.9 has priority over the one provided by the rubygems
          package.
      * debian/control: added myself to Uploaders:
      * debian/libruby1.9.1.symbols: update with new symbols added in 1.9.3p194
        upstream release.
      * debian/manpages/*: fix references to command names with s/1.9/1.9.1/
      * debian/rules: skip running DRB tests, since they seem to make the build
        hang. This should close #647296, but let's wait and see. Also, with this we do
        not need to timeout the test suite anymore.
    
     -- Antonio Terceiro <email address hidden>  Sat, 02 Jun 2012 07:42:28 -0300
  • ruby1.9.1 (1.9.3.0-1ubuntu1) precise; urgency=low
    
      * Don't run the tests on armhf for a first build.
     -- Matthias Klose <email address hidden>   Sat, 03 Dec 2011 03:07:55 +0100