lp://staging/ubuntu/dapper-updates/ruby1.8
- Get this branch:
- bzr branch lp://staging/ubuntu/dapper-updates/ruby1.8
Recent revisions
- 13. By Marc Deslauriers
* SECURITY UPDATE: certificate spoofing via invalid return value check
in OCSP_basic_verify
- debian/patches/924_CVE-2009-0642.patch: also check for -1 return
code in ext/openssl/ossl_ocsp.c.
- CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
argument that represents a large number (LP: #385436)
- debian/patches/925_CVE-2009-1904.patch: handle large numbers properly
in ext/bigdecimal/bigdecimal.c.
- CVE-2009-1904
- 12. By Jamie Strandboge
* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
module (LP: #261459)
- debian/patches/917_CVE-2008-3790.patch: adjust rexml/document.rb and
rexml/entity.rb to use expansion limits
- CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
service (LP: #246818)
- debian/patches/918_CVE-2008-2376.patch: adjust array.c to properly
check argument length
- CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
socket
- debian/patches/919_CVE-2008-3443.patch: adjust regex.c to not use ruby
managed memory and check for allocation failures
- CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
- debian/patches/920_CVE-2008-3656.patch: update webrick/httputils.rb to
properly check paths ending with '.'
- CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
requests (separate vulnerability from CVE-2008-1447)
- debian/patches/921_CVE-2008-3905.patch: adjust resolv.rb to use
SecureRandom for transaction id and source port
- CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
- debian/patches/922_CVE-2008-3657.patch: adjust rb_str_to_ptr and
rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
propagate taint and check taintness of DLPtrData
- CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
- debian/patches/923_CVE-2008-3655.patch: use rb_secure(4) in variable.c
and syslog.c, check for secure level 3 or higher in eval.c and make
sure PROGRAM_NAME can't be modified
- CVE-2008-3655
- 11. By Jamie Strandboge
* SECURITY UPDATE: denial of service or arbitrary code execution via
integer overflows and memory corruption
* debian/patches/916_CVE-2008-2662+2663+2664+2725+2726.patch: update array.c
to properly validate the size of an array. Update string.c and sprintf.c
for proper bounds checking. Also modify ruby.h for RARRAY_PTR macro (taken
from 1.8.5-4ubuntu2)
* References:
CVE-2008-2662
CVE-2008-2663
CVE-2008-2664
CVE-2008-2725
CVE-2008-2726
LP: #241657
- 10. By Stephan Rügamer
* SECURITY UPDATE: SSL connections did not check commonName early
enough, possibly allowing sensitive information to be exposed.
* debian/patches/915_CVE-2007-5162.patch: upstream fixes, from
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
* debian/patches/915_CVE-2007-5770.patch: upstream fixes, from
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
* References:
CVE-2007-5162 CVE-2007-5770 (LP: #149616)
- 9. By Kees Cook
* SECURITY UPDATE: remote denial of service in CGI module.
* Add 'debian/patches/914_CVE-2006-6303' patch from upstream.
* References
http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
CVE-2006-6303
- 8. By Kees Cook
* SECURITY UPDATE: remote denial of service in CGI module.
* Add 'debian/patches/913_CVE-2006-5467' patch from upstream.
* References
http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
CVE-2006-5467
- 7. By Martin Pitt
* SECURITY UPDATE: Safe level bypass.
* Add debian/patches/100_CVE-2006-3694.patch:
- eval.c, alias(): preserve current safe level
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/eval.c?cvsroot=src&r1=1.616.2.166&r2=1.616.2.167
(only relevant part)
- re.c: do not modify untainted levels in safe levels > 3
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/re.c?cvsroot=src&r1=1.114.2.17&r2=1.114.2.18
(only last hunk is relevant)
- dir.c: should not close untainted dir stream
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/dir.c?cvsroot=src&r1=1.92.2.32&r2=1.92.2.33
- CVE-2006-3694
- 6. By Fabio Massimo Di Nitto
* Fix libruby sparc runtime illegal instructions:
- add patch debian/patches/903_sparc_fix_define.patch
(Fix by David S. Miller)
- 5. By akira yamada <email address hidden>
* akira yamada <email address hidden>
- new upstream version.
- removed debian/patches/100_1.8.4-preview2+.patch:
- included in upstream.
- added debian/patches/802_yaml_symbol.patch:
- YAML loading of quoted symbols is broken (Closes: #344042)
- README.Debian improvement suggestion (Closes: #344293)
- debian/compat: compat level 4.
- 4. By akira yamada <email address hidden>
* akira yamada <email address hidden>
- debian/control: updated description of ruby1.8.
- new upstream snapshot. (1.8.4-preview2)
- removed debian/patches/100_1.8.4-preview1.patch:
- these are included in 1.8.4-preview2.
- added debian/patches/100_1.8.4-preview2+.patch:
- bug fixes.
- configure with -O2 for IA64.
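Revision 12 above (CVE-2008-3905) replaces resolv.rb's predictable DNS transaction id and source port with values drawn from SecureRandom. The Ruby below is an added illustration, not code from the ruby1.8 package or from 921_CVE-2008-3905.patch: it contrasts a sequential-counter id generator (assumed here as the weak pattern, since the changelog does not say how the old ids were produced) with a SecureRandom-backed one, and gives a small predictability check that can be run over any captured id sequence. The class names, the 1024..65535 port range and the 1000-sample size are this example's own choices.

```ruby
require 'securerandom'

# Weak generator: 16-bit ids that step by one. This is an assumed pattern for
# comparison only, not the code resolv.rb shipped with before the fix.
class SequentialIds
  def initialize(start = 0)
    @next = start
  end

  def next_id
    id = @next
    @next = (@next + 1) & 0xffff
    id
  end
end

# Hardened generator: every transaction id and source port is an independent
# draw from SecureRandom, the approach the CVE-2008-3905 fix takes in resolv.rb.
class RandomIds
  # Unprivileged ports only; the upper bound is the 16-bit maximum.
  PORT_RANGE = (1024..65535)

  def next_id
    SecureRandom.random_number(0x10000) # 0..65535
  end

  def next_port
    PORT_RANGE.begin + SecureRandom.random_number(PORT_RANGE.size)
  end
end

# Fraction of consecutive ids that differ by exactly +1 (mod 2^16). A score
# near 1.0 means an off-path attacker who observes one id can guess the next;
# a random source scores close to 0.
def sequential_fraction(ids)
  return 0.0 if ids.size < 2
  steps = ids.each_cons(2).count { |a, b| ((b - a) & 0xffff) == 1 }
  steps.to_f / (ids.size - 1)
end

# Draw n ids from a generator and score them.
def sample_ids(gen, n = 1000)
  Array.new(n) { gen.next_id }
end

def predictability(gen, n = 1000)
  sequential_fraction(sample_ids(gen, n))
end

if __FILE__ == $0
  printf("sequential counter: %.3f\n", predictability(SequentialIds.new))
  printf("SecureRandom:       %.3f\n", predictability(RandomIds.new))
end
```

The same `sequential_fraction` check can be pointed at ids captured from a live resolver (for example from a packet capture) to confirm that a patched build no longer produces a guessable sequence; a result of 1.0 is the signature of a counter, and anything well below 0.05 is consistent with a properly seeded random source.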
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://staging/ubuntu/karmic/ruby1.8