lp://staging/ubuntu/gutsy-updates/ruby1.8

Created by James Westby and last modified
Get this branch:
bzr branch lp://staging/ubuntu/gutsy-updates/ruby1.8
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

23. By Jamie Strandboge

* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
  module (LP: #261459)
  - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
    rexml/entity.rb to use expansion limits
  - CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
  service (LP: #246818)
  - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
    check argument length
  - CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
  socket
  - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
    managed memory and check for allocation failures
  - CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
  - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
    properly check paths ending with '.'
  - CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
  requests (separate vulnerability from CVE-2008-1447)
  - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
    SecureRandom for transaction id and source port
  - CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
  - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
    rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
    propogate taint and check taintness of DLPtrData
  - CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
  - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
    and syslog.c, check for secure level 3 or higher in eval.c and make
    sure PROGRAM_NAME can't be modified
  - CVE-2008-3655

22. By Jamie Strandboge

* SECURITY UPDATE: denial of service or arbitrary code execution via
  integer overflows and memory corruption
* debian/patches/102_CVE-2008-2662+2663+2664+2725+2726.dpatch: update
  array.c to properly validate the size of an array. Update string.c and
  sprintf.c for proper bounds checking
* References:
  CVE-2008-2662
  CVE-2008-2663
  CVE-2008-2664
  CVE-2008-2725
  CVE-2008-2726
  LP: #241657

21. By Stephan RĂ¼gamer

* SECURITY UPDATE: SSL connections did not check commonName early
  enough, possibly allowing sensitive information to be exposed.
* debian/patches/100_CVE-2007-5162.dpatch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
* debian/patches/101_CVE-2007-5770.dpatch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
* References:
  CVE-2007-5162 CVE-2007-5770 (LP: #149616)

20. By Jamie Strandboge

* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
  module (LP: #261459)
  - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
    rexml/entity.rb to use expansion limits
  - CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
  service (LP: #246818)
  - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
    check argument length
  - CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
  socket
  - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
    managed memory and check for allocation failures
  - CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
  - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
    properly check paths ending with '.'
  - CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
  requests (separate vulnerability from CVE-2008-1447)
  - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
    SecureRandom for transaction id and source port
  - CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
  - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
    rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
    propogate taint and check taintness of DLPtrData
  - CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
  - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
    and syslog.c, check for secure level 3 or higher in eval.c and make
    sure PROGRAM_NAME can't be modified
  - CVE-2008-3655

19. By Jamie Strandboge

* SECURITY UPDATE: denial of service or arbitrary code execution via
  integer overflows and memory corruption
* debian/patches/102_CVE-2008-2662+2663+2664+2725+2726.dpatch: update
  array.c to properly validate the size of an array. Update string.c and
  sprintf.c for proper bounds checking
* References:
  CVE-2008-2662
  CVE-2008-2663
  CVE-2008-2664
  CVE-2008-2725
  CVE-2008-2726
  LP: #241657

18. By Stephan RĂ¼gamer

* SECURITY UPDATE: SSL connections did not check commonName early
  enough, possibly allowing sensitive information to be exposed.
* debian/patches/100_CVE-2007-5162.dpatch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
* debian/patches/101_CVE-2007-5770.dpatch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
* References:
  CVE-2007-5162 CVE-2007-5770 (LP: #149616)

17. By LaMont Jones

Trigger rebuild for hppa

16. By Matthias Klose

* Fix build failure on sparc N1 (Debian #393817).
* Add -g to CFLAGS.

15. By Matthias Klose

* Merge with Debian; remaining changes:
  - Adjust configure options for lpia.

14. By Matthias Klose

* Adjust configure options for lpia.
* Set Ubuntu maintainer address.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp://staging/ubuntu/karmic/ruby1.8
This branch contains Public information 
Everyone can see this information.

Subscribers