-
ruby2.5 (2.5.1-1ubuntu1.16) bionic-security; urgency=medium
* SECURITY UPDATE: ReDoS
- debian/patches/CVE-2023-28755.patch: adds '+' once or more in specific
places of the RFC3986 regex in order to avoid the increase in execution
time for parsing strings to URI objects in lib/uri/rfc3986_parser.rb.
- CVE-2023-28755
-- Leonidas Da Silva Barbosa <email address hidden> Mon, 15 May 2023 08:41:43 -0300
-
ruby2.5 (2.5.1-1ubuntu1.15) bionic-security; urgency=medium
* SECURITY REGRESSION: URI.parse returning empty when it should return nil
- reverting/removing patches for CVE-2023-28755-*.patch that changed the
regex behaviour, causing URI.parse to return '' instead of the previous
behaviour (nil), as some applications expected the latter as the
return value (LP: #2018547)
-- Leonidas Da Silva Barbosa <email address hidden> Fri, 05 May 2023 06:09:43 -0300
-
ruby2.5 (2.5.1-1ubuntu1.14) bionic-security; urgency=medium
* SECURITY UPDATE: ReDoS
- debian/patches/CVE-2023-28755-*.patch: URI.parse should set empty
string in host instead of nil in lib/uri/rfc3986_parser.rb.
- debian/patches/tz_fix.patch: fix timezone test for Lisbon in
test/ruby/test_time_tz.rb.
- debian/patches/certs_up_fix.patch: update certificate file to
make test pass in test/rubygems/ca_cert.pem, test/rubygems/client.pem,
test/rubygems/ssl_cert.pem, test/rubygems/ss_key.pem,
test/rubygems/test_gem_security_policy.rb.
- CVE-2023-28755
* SECURITY UPDATE: ReDoS
- debian/patches/CVE-2023-28756-*.patch: fix quadratic backtracking on
invalid time and make RFC2822 regexp linear in lib/time.rb.
- CVE-2023-28756
-- Leonidas Da Silva Barbosa <email address hidden> Mon, 10 Apr 2023 14:06:44 -0300
-
ruby2.5 (2.5.1-1ubuntu1.13) bionic-security; urgency=medium
* SECURITY UPDATE: HTTP response splitting
- debian/patches/CVE-2021-33621*.patch: adds regex to lib/cgi/core.rb and
lib/cgi/cookie.rb along with tests to check http response headers and
cookie fields for invalid characters.
- debian/patches/fix_tzdata-2022.patch: fix for tzdata-2022g tests
in test/ruby/test_time_tz.rb.
- CVE-2021-33621
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 18 Jan 2023 09:55:17 -0300
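As an added illustration of the kind of check the CVE-2021-33621 entry above describes (invalid characters in HTTP response headers and cookie fields), the following Ruby is example code written for this page; it is not the patch's regex, does not use Ruby's cgi library, and its regexes, class name and sample values are constructed here:

```ruby
# Added example, not the CVE-2021-33621 patch: a generic validator for HTTP
# header fields and cookie fields that rejects the characters a response
# splitting attempt depends on (CR, LF and other control characters).

# RFC 7230 "token" characters, allowed in a header name (constructed regex).
HEADER_NAME_RE  = /\A[A-Za-z0-9!#%&'*+.^_`|~$\-]+\z/
# A header value may contain any text except ASCII control characters
# (which include CR and LF) and DEL.
HEADER_VALUE_RE = /\A[^\x00-\x1F\x7F]*\z/
# A cookie name or value: no control characters, whitespace, ';' or ','.
COOKIE_FIELD_RE = /\A[^\x00-\x1F\x7F;,\s]*\z/

class HeaderInjectionError < ArgumentError; end

def valid_header_field?(name, value)
  name.is_a?(String) && value.is_a?(String) &&
    name.match?(HEADER_NAME_RE) && value.match?(HEADER_VALUE_RE)
end

def valid_cookie_field?(field)
  field.is_a?(String) && field.match?(COOKIE_FIELD_RE)
end

# Serialises a header block, refusing any field that fails validation rather
# than letting an embedded CRLF terminate one header and start another.
def build_header_block(headers)
  block = headers.map do |name, value|
    unless valid_header_field?(name, value)
      raise HeaderInjectionError, "invalid header field #{name.inspect}"
    end
    "#{name}: #{value}\r\n"
  end.join
  block + "\r\n"
end

# The same rule applied to a Set-Cookie name/value pair.
def build_set_cookie(name, value)
  unless valid_cookie_field?(name) && valid_cookie_field?(value)
    raise HeaderInjectionError, "invalid cookie field"
  end
  "Set-Cookie: #{name}=#{value}\r\n"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a clean redirect, then a value carrying a CRLF.
  puts build_header_block("Location" => "/home", "Content-Type" => "text/html")
  begin
    build_header_block("Location" => "/home\r\nX-Injected: 1")
  rescue HeaderInjectionError => e
    puts "rejected: #{e.message}"
  end
end
```

The validation is deliberately an allow-list on the whole value (`\A ... \z` anchors), so a multi-line value cannot slip past a check that only looks at the first line.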
-
ruby2.5 (2.5.1-1ubuntu1.12) bionic-security; urgency=medium
* SECURITY UPDATE: Buffer over-read
- debian/patches/CVE-2022-28739.patch: fix dtoa buffer
overrun in missing/dtoa.c, test/ruby/test_float.rb.
- CVE-2022-28739
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 24 May 2022 11:47:40 -0300
-
ruby2.5 (2.5.1-1ubuntu1.11) bionic-security; urgency=medium
* SECURITY UPDATE: ReDoS vulnerability
- debian/patches/CVE-2021-41817-*.patch: add length limit option
for methods that parse date strings and mimic previous behaviour
in ext/date/date_core.c, test/date/test_date_parse.rb.
- CVE-2021-41817
* SECURITY UPDATE: Mishandles sec prefixes in cookie names
- debian/patches/CVE-2021-41819.patch: when parsing cookies, only
decode the values in lib/cgi/cookie.rb, test/cgi/test_cgi_cookie.rb.
- CVE-2021-41819
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 06 Jan 2022 12:31:02 -0300
-
ruby2.5 (2.5.1-1ubuntu1.10) bionic-security; urgency=medium
* SECURITY UPDATE: Command injection vulnerability in RDoc
- debian/patches/CVE-2021-31799.patch: replace open with File.open
in lib/rdoc/rdoc.rb, test/rdoc/test_rdoc_rdoc.rb.
- CVE-2021-31799
* SECURITY UPDATE: Information leak
- debian/patches/CVE-2021-31810.patch: ignore IP address in PASV
responses by default and add new option use_pasv_ip in lib/net/ftp.rb,
test/net/ftp/test_ftp.rb.
- CVE-2021-31810
* SECURITY UPDATE: Stripping vulnerability
- debian/patches/CVE-2021-32066.patch: fix raising an exception
when an unknown response error happens in
lib/net/imap.rb, test/net/imap/test_imap.rb.
- CVE-2021-32066
* debian/patches/fixing_test_imap.patch: adds start_server to
IMAPTest so that test_starttls_stripping runs properly.
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 15 Jul 2021 14:22:59 -0300
-
ruby2.5 (2.5.1-1ubuntu1.9) bionic-security; urgency=medium
* SECURITY UPDATE: XML round-trip vulnerability in REXML
- debian/patches/CVE-2021-28965.patch: update to REXML 3.1.7.4.
- CVE-2021-28965
-- Marc Deslauriers <email address hidden> Thu, 15 Apr 2021 10:09:08 -0400
-
ruby2.5 (2.5.1-1ubuntu1.8) bionic-security; urgency=medium
* SECURITY UPDATE: Unsafe Object Creation Vulnerability in JSON gem
- debian/patches/CVE-2020-10663.patch: set json->create_additions to 0
in ext/json/parser/parser.c, ext/json/parser/parser.rl.
- CVE-2020-10663
* SECURITY UPDATE: sensitive info disclosure in BasicSocket#read_nonblock
- debian/patches/CVE-2020-10933.patch: do not return uninitialized
buffer in ext/socket/init.c.
- CVE-2020-10933
* SECURITY UPDATE: HTTP Request Smuggling attack in WEBrick
- debian/patches/CVE-2020-25613.patch: make it more strict to interpret
some headers in lib/webrick/httprequest.rb.
- CVE-2020-25613
-- Marc Deslauriers <email address hidden> Tue, 16 Mar 2021 10:59:21 -0400
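As an added example for the CVE-2020-10663 entry above (unsafe object creation via the json gem's create_additions behaviour), the Ruby below is written for this page and is not the patch or the gem's own code. The class AuditRecord, its fields and the JSON document are constructed for illustration; the example relies on the json gem's documented `create_additions` option and `JSON.create_id` ("json_class"):

```ruby
# Added example, not the CVE-2020-10663 patch: shows why the parser must keep
# create_additions off unless explicitly requested. With it disabled, a
# document carrying a "json_class" key parses to a plain Hash; with it
# enabled, the parser looks the named class up and calls its json_create
# hook, so untrusted input chooses which class gets instantiated.
require 'json'

# Harmless demo class (constructed for this example).
class AuditRecord
  attr_reader :actor, :action

  def initialize(actor, action)
    @actor = actor
    @action = action
  end

  # Hook the json gem calls when create_additions is on.
  def self.json_create(hash)
    new(hash['actor'], hash['action'])
  end
end

# Constructed input: a document that names a class to instantiate.
UNTRUSTED_DOC = '{"json_class":"AuditRecord","actor":"alice","action":"login"}'

# Safe default: data stays data.
def parse_safely(doc)
  JSON.parse(doc, create_additions: false)
end

# Opt-in behaviour: the document decides which class is built.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Recursively checks whether any object in a parsed value carries the
# create_id key. Useful as a detection signal on inbound JSON, independent
# of how the consuming parser happens to be configured.
def find_key(obj, key)
  case obj
  when Hash  then obj.key?(key) || obj.values.any? { |v| find_key(v, key) }
  when Array then obj.any? { |v| find_key(v, key) }
  else false
  end
end

def names_a_class?(doc)
  find_key(parse_safely(doc), JSON.create_id)
end

if __FILE__ == $PROGRAM_NAME
  puts "safe parse  -> #{parse_safely(UNTRUSTED_DOC).class}"
  puts "with additions -> #{parse_with_additions(UNTRUSTED_DOC).class}"
  puts "names a class? #{names_a_class?(UNTRUSTED_DOC)}"
end
```

The `names_a_class?` check is a pre-screen, not a substitute for parsing with `create_additions: false`; it only flags documents that try to steer object creation so they can be logged or rejected upstream.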
-
ruby2.5 (2.5.1-1ubuntu1.7) bionic; urgency=medium
* d/p/arm64-optimizations.patch: enable arm64 optimizations that exist
for power/x86. It includes enabling unaligned memory access, gc and
vm_exec.c optimizations (LP: #1901074).
* Fix FTBFS, many tests were failing during the build (LP: #1903902).
- Add missing b-d on tzdata.
* Fix DEP-8 tests (LP: #1903905).
- Backport patches to fix Kiritimati TZ tests:
+ 0029-Backport-upstream-patch-to-fix-Kiritimati-TZ-test-1-.patch
+ 0030-Backport-upstream-patch-to-fix-Kiritimati-TZ-test-2-.patch
- d/t/control: add restriction to allow-stderr. The rubyconfig test calls
dpkg-architecture which is returning a warning in Bionic.
- d/t/bundled-gems: skip gems which do not match upstream expectations.
Some gems listed as bundled by upstream are not satisfied by the Ubuntu
Bionic archive.
-- Lucas Kanashiro <email address hidden> Thu, 05 Nov 2020 10:30:22 -0300
-
ruby2.5 (2.5.1-1ubuntu1.6) bionic-security; urgency=medium
* SECURITY UPDATE: NULL injection vulnerability
- debian/patches/CVE-2019-15845.patch: ensure that
pattern does not contain a NULL character in dir.c,
test/ruby/test_fnmatch.rb.
- CVE-2019-15845
* SECURITY UPDATE: Denial of service vulnerability
- debian/patches/CVE-2019-16201.patch: fix in
lib/webrick/httpauth/digestauth.rb,
test/webrick/test_httpauth.rb.
- CVE-2019-16201
* SECURITY UPDATE: HTTP response splitting in WEBrick
- debian/patches/CVE-2019-16254.patch: prevent response
splitting and header injection in lib/webrick/httpresponse.rb,
test/webrick/test_httpresponse.rb.
- CVE-2019-16254
* SECURITY UPDATE: Code injection
- debian/patches/CVE-2019-16255.patch: prevent unknown command
in lib/shell/command-processor.rb, test/shell/test_command_processor.rb.
- CVE-2019-16255
-- <email address hidden> (Leonidas S. Barbosa) Tue, 26 Nov 2019 09:32:04 -0300
-
ruby2.5 (2.5.1-1ubuntu1.5) bionic; urgency=medium
* Add d/p/restore_buffer_newline_check.patch to fix failure sending
files with mixed newline encoding styles; this regression was
introduced by 0009-openssl-sync-with-upstream-repository.patch.
(LP: #1835968)
-- Bryce Harrington <email address hidden> Thu, 25 Jul 2019 16:06:31 -0700
-
ruby2.5 (2.5.1-1ubuntu1.4) bionic; urgency=medium
* Cherrypick ruby-openssl upstream commits to fix compat with OpenSSL
1.1.1 (LP: #1797386)
-- Dimitri John Ledkov <email address hidden> Tue, 23 Apr 2019 23:50:41 +0100
-
ruby2.5 (2.5.1-1ubuntu1.2) bionic-security; urgency=medium
* SECURITY UPDATE: Delete directory using symlink when decompressing tar,
Escape sequence injection vulnerability in gem owner, Escape sequence
injection vulnerability in API response handling, Arbitrary code exec,
Escape sequence injection vulnerability in errors
- debian/patches/CVE-2019-8320-25.patch: fix in
lib/rubygems/command_manager.rb,
lib/rubygems/commands/owner_command.rb,
lib/rubygems/gemcutter_utilities.rb,
lib/rubygems/installer.rb,
lib/rubygems/package.rb,
test/rubygems/test_gem_installer.rb,
test/rubygems/test_gem_package.rb,
test/rubygems/test_gem_text.rb.
- CVE-2019-8320
- CVE-2019-8321
- CVE-2019-8322
- CVE-2019-8323
- CVE-2019-8324
- CVE-2019-8325
* Fixing expired SSL certs
- debian/patches/fixing_expired_SSL_certs.patch: fix in
test/net/fixtures/cacert.pem, test/net/fixtures/server.crt,
test/net/fixtures/server.key.
-- <email address hidden> (Leonidas S. Barbosa) Mon, 01 Apr 2019 11:13:08 -0300
-
ruby2.5 (2.5.1-1ubuntu1.1) bionic-security; urgency=medium
* SECURITY UPDATE: Name equality check
- debian/patches/CVE-2018-16395.patch: fix in
ext/openssl/ossl_x509name.c.
- CVE-2018-16395
* SECURITY UPDATE: Tainted flags not propagated
- debian/patches/CVE-2018-16396.patch: fix in
pack.c, test/ruby/test_pack.rb.
- CVE-2018-16396
* Fixing tz tests for asia_tokyo test
- debian/patches/fixing_tz_asia_tokyo_test.patch
-- <email address hidden> (Leonidas S. Barbosa) Wed, 31 Oct 2018 09:42:47 -0300
-
ruby2.5 (2.5.1-1ubuntu1) bionic; urgency=medium
* Merge with Debian; remaining changes:
- Mark some tests as failing on Launchpad.
- Update symbols file.
ruby2.5 (2.5.1-1) unstable; urgency=medium
* New upstream version 2.5.1.
According to the release announcement, includes fixes for the following
security issues:
- CVE-2017-17742: HTTP response splitting in WEBrick
- CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
- CVE-2018-8777: DoS by large request in WEBrick
- CVE-2018-8778: Buffer under-read in String#unpack
- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in
Dir
- Multiple vulnerabilities in RubyGems
* Refresh patches.
Patches dropped for being already applied upstream:
- 0005-Fix-tests-to-cope-with-updates-in-tzdata.patch
- 0006-Rubygems-apply-upstream-patch-to-fix-multiple-vulner.patch
* Add patch to fix FTBFS on ia64 (Closes: #889848)
* Add simple autopkgtest to check for builtin extensions that are built
against external dependencies (ssl, yaml, *dbm etc)
* Add build-dependency on libgdbm-compat-dev (Closes: #892099)
* debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to
assumptions that don't hold on newer tzdata update. Upstream bug:
https://bugs.ruby-lang.org/issues/14655
* debian/libruby2.5.symbols: update with new symbol added in this release
-- Matthias Klose <email address hidden> Mon, 02 Apr 2018 22:15:10 +0200
-
ruby2.5 (2.5.0-6ubuntu1) bionic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Mark some tests as failing on Launchpad.
- Update symbols file.
ruby2.5 (2.5.0-6) unstable; urgency=medium
* debian/rules: explicitly pass --runstatedir, --localstatedir, and
--sysconfdir to ./configure
-- Gianfranco Costamagna <email address hidden> Mon, 05 Mar 2018 16:44:44 +0100
-
ruby2.5 (2.5.0-5ubuntu1) bionic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Mark some tests as failing on Launchpad.
- Update symbols file.
ruby2.5 (2.5.0-5) unstable; urgency=medium
* Change Maintainer: to Debian Ruby Team
* debian/patches/0005-Fix-tests-to-cope-with-updates-in-tzdata.patch: fix
test failures after updates in the Japan timezone data (Closes: #889046)
* debian/patches/0006-Rubygems-apply-upstream-patch-to-fix-multiple-vulner.patch:
upgrade to Rubygems 2.7.6 to fix multiple vulnerabilities
-- Gianfranco Costamagna <email address hidden> Thu, 01 Mar 2018 13:21:07 +0100
-
ruby2.5 (2.5.0-4ubuntu4) bionic; urgency=high
* No change rebuild against openssl1.1.
-- Dimitri John Ledkov <email address hidden> Mon, 05 Feb 2018 16:53:19 +0000
-
ruby2.5 (2.5.0-4ubuntu3) bionic; urgency=medium
* Ignore TestTimeTZ Asia/Tokyo test failures.
-- Matthias Klose <email address hidden> Fri, 02 Feb 2018 17:18:37 +0100
-
ruby2.5 (2.5.0-4ubuntu2) bionic; urgency=medium
* No-change rebuild for gdbm soname change.
-- Matthias Klose <email address hidden> Fri, 02 Feb 2018 12:04:55 +0100
-
ruby2.5 (2.5.0-4ubuntu1) bionic; urgency=medium
* Merge with Debian; remaining changes:
- Mark some tests as failing on Launchpad.
- Update symbols file.
ruby2.5 (2.5.0-4) unstable; urgency=medium
* debian/rules: pass --excludes-dir options to `make check` via $TESTS
ruby2.5 (2.5.0-3) unstable; urgency=medium
* arm64: skip TestRubyOptimization#test_clear_unreachable_keyword_args. It
works just fine on a porter box, but consistently hangs on the arm64
buildd.
* mipsel: skip some tests from TestNum2int; they fail on the buildd, but not
on the porterbox.
ruby2.5 (2.5.0-2) unstable; urgency=medium
* Move test exclusions from a patch to debian/tests/excludes/
- debian/rules, debian/tests/run-all: pass the appropriate exclusion flags
to the test runner
* Exclude TestResolvMDNS. It will fail on some architectures, and be very
slow on others.
ruby2.5 (2.5.0-1) unstable; urgency=medium
* New upstream version 2.5.0
* Refresh patches
* debian/libruby2.5.symbols: update
* debian/tests/known-failures.txt: add another 3 test files that assume the
tests are being run against a built source tree
ruby2.5 (2.5.0~rc1-1) unstable; urgency=medium
* New upstream release candidate. Includes the following fixes:
- Fix stack size on powerpc64 (Closes: #881772)
- CVE-2017-17405: Command injection vulnerability in Net::FTP
(Closes: #884437)
* Refresh patches
* debian/control:
- Remove explicit Testsuite: header
- ruby2.5-dev: Recommends: ruby2.5-doc
- Declare compatibility with Debian Policy 4.1.2; no changes needed
- Bump debhelper compatibility level to 10
- change debian/rules to call ./configure directly, to use upstream's
built-in multiarch support as before debhelper compatibility level 9
* debian/watch: download release tarballs.
Using release tarballs makes it possible to build ruby without having an
existing ruby. This should help bootstrapping ruby on new
architectures. (Closes: #832022)
* debian/copyright: exclude embedded copies of bundled gems and libffi
* debian/rules:
- run tests in verbose mode during build
- drop explicit usage of autotools-dev
- drop usage of autoreconf debhelper sequence, it's not needed anymore
since we are now using a complete upstream release tarball
- drop passing --baseruby to configure, since we do not require an existing
ruby anymore
- skip setting DEB_HOST_MULTIARCH if already set
- replace manual call to dpkg-parsechangelog with including
/usr/share/dpkg/pkg-info.mk and using variables from there.
* autopkgtest: make use of the test exclusion rules under test/excludes/
* debian/libruby2.5.symbols: update with symbols added/removed since the
preview1 release
* debian/tests/bundled-gems: handle extra field in gems/bundled_gems
* debian/libruby2.5.lintian-overrides: remove unused override
(possible-gpl-code-linked-with-openssl)
-- Matthias Klose <email address hidden> Tue, 02 Jan 2018 13:43:31 +0100
-
ruby2.5 (2.5.0-4) unstable; urgency=medium
* debian/rules: pass --excludes-dir options to `make check` via $TESTS
-- Antonio Terceiro <email address hidden> Sat, 30 Dec 2017 10:50:04 -0300
-
ruby2.5 (2.5.0~preview1-1ubuntu2) bionic; urgency=medium
* Mark some tests as failing.
* Update symbols file.
-- Matthias Klose <email address hidden> Wed, 15 Nov 2017 12:28:33 +0100
-
ruby2.5 (2.5.0~preview1-1ubuntu1) bionic; urgency=medium
* Mark two tests as failing.
-- Matthias Klose <email address hidden> Wed, 15 Nov 2017 12:28:33 +0100
-
ruby2.5 (2.5.0~preview1-1) unstable; urgency=medium
[ Antonio Terceiro ]
* New upstream version 2.5.0~preview1
* debian/patches: import all of our remaining changes wrt upstream. All the
changes to tests were transformed into exclude files under test/excludes/
* ruby2.5-dev: don't install *.a files anymore; they are not installed by
the upstream build system anymore.
* debian/rules: adapt removal of embedded certificate store in Rubygems
* debian/rules: also remove embedded certificate store from bundler
[ Christian Hofstaedtler ]
* Remove packaging for tcltk extension; it has been removed from Ruby core
upstream.
* Drop migration from old -dbg package
* Disable test for homedir expansion which fails in sbuild
* Upstream tarballs no longer come from git
* Update jquery in missing-sources
* d/copyright: Add info for darkfish icon set
* Build with default OpenSSL once again
-- Antonio Terceiro <email address hidden> Tue, 10 Oct 2017 21:12:54 -0300