lp://staging/ubuntu/hardy-updates/ruby1.8

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

24. By Marc Deslauriers on 2009-07-15

* SECURITY UPDATE: certificate spoofing via invalid return value check
  in OCSP_basic_verify
  - debian/patches/904_security_CVE-2009-0642.dpatch: also check for -1
    return code in ext/openssl/ossl_ocsp.c.
  - CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
  argument that represents a large number (LP: #385436)
  - debian/patches/905_security_CVE-2009-1904.dpatch: handle large
    numbers properly in ext/bigdecimal/bigdecimal.c.
  - CVE-2009-1904

23. By Jamie Strandboge on 2008-10-07

* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
  module (LP: #261459)
  - debian/patches/102_CVE-2008-3790.dpatch: adjust rexml/document.rb and
    rexml/entity.rb to use expansion limits
  - CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
  service (LP: #246818)
  - debian/patches/103_CVE-2008-2376.dpatch: adjust array.c to properly
    check argument length
  - CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
  socket
  - debian/patches/104_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
    managed memory and check for allocation failures
  - CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
  - debian/patches/105_CVE-2008-3656.dpatch: update webrick/httputils.rb to
    properly check paths ending with '.'
  - CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
  requests (separate vulnerability from CVE-2008-1447)
  - debian/patches/106_CVE-2008-3905.dpatch: adjust resolv.rb to use
    SecureRandom for transaction id and source port
  - CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
  - debian/patches/107_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
    rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
    propogate taint and check taintness of DLPtrData
  - CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
  - debian/patches/108_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
    and syslog.c, check for secure level 3 or higher in eval.c and make
    sure PROGRAM_NAME can't be modified
  - CVE-2008-3655

22. By Jamie Strandboge on 2008-06-25

* SECURITY UPDATE: denial of service or arbitrary code execution via
  integer overflows and memory corruption
* debian/patches/101_CVE-2008-2662+2663+2664+2725+2726.dpatch update array.c
  to properly validate the size of an array. Update string.c and sprintf.c
  for proper bounds checking
* References:
  CVE-2008-2662
  CVE-2008-2663
  CVE-2008-2664
  CVE-2008-2725
  CVE-2008-2726
  LP: #241657

21. By Marc Deslauriers on 2009-07-15

* SECURITY UPDATE: certificate spoofing via invalid return value check
  in OCSP_basic_verify
  - debian/patches/904_security_CVE-2009-0642.dpatch: also check for -1
    return code in ext/openssl/ossl_ocsp.c.
  - CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
  argument that represents a large number (LP: #385436)
  - debian/patches/905_security_CVE-2009-1904.dpatch: handle large
    numbers properly in ext/bigdecimal/bigdecimal.c.
  - CVE-2009-1904

20. By Jamie Strandboge on 2008-10-07

* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
  module (LP: #261459)
  - debian/patches/102_CVE-2008-3790.dpatch: adjust rexml/document.rb and
    rexml/entity.rb to use expansion limits
  - CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
  service (LP: #246818)
  - debian/patches/103_CVE-2008-2376.dpatch: adjust array.c to properly
    check argument length
  - CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
  socket
  - debian/patches/104_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
    managed memory and check for allocation failures
  - CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
  - debian/patches/105_CVE-2008-3656.dpatch: update webrick/httputils.rb to
    properly check paths ending with '.'
  - CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
  requests (separate vulnerability from CVE-2008-1447)
  - debian/patches/106_CVE-2008-3905.dpatch: adjust resolv.rb to use
    SecureRandom for transaction id and source port
  - CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
  - debian/patches/107_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
    rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
    propogate taint and check taintness of DLPtrData
  - CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
  - debian/patches/108_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
    and syslog.c, check for secure level 3 or higher in eval.c and make
    sure PROGRAM_NAME can't be modified
  - CVE-2008-3655

19. By Jamie Strandboge on 2008-06-25

* SECURITY UPDATE: denial of service or arbitrary code execution via
  integer overflows and memory corruption
* debian/patches/101_CVE-2008-2662+2663+2664+2725+2726.dpatch update array.c
  to properly validate the size of an array. Update string.c and sprintf.c
  for proper bounds checking
* References:
  CVE-2008-2662
  CVE-2008-2663
  CVE-2008-2664
  CVE-2008-2725
  CVE-2008-2726
  LP: #241657

18. By Michael Vogt on 2007-11-23

* Merge from debian unstable, remaining changes:
  - Adjust configure options for lpia.
  - add -g when build with noopt

17. By LaMont Jones on 2007-10-04

Trigger rebuild for hppa

16. By Matthias Klose on 2007-09-04

* Fix build failure on sparc N1 (Debian #393817).
* Add -g to CFLAGS.

15. By Matthias Klose on 2007-08-09

* Merge with Debian; remaining changes:
  - Adjust configure options for lpia.