lp://staging/ubuntu/trusty-proposed/ruby1.9.1

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp://staging/ubuntu/trusty-proposed/ruby1.9.1
Members of Ubuntu branches can upload to this branch.

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Development

Recent revisions

33. By Adam Conrad

* Merge from Debian unstable. Remaining changes:
  - debian/control: Add ca-certificates to libruby1.9.1 depends so that
    rubygems can perform certificate verification
  - debian/rules: Don't install SSL certificates from upstream sources
  - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
    /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
  - debian/patches/20131218-stack-size.patch: Increase thread stack
    size on 64-bit platforms to prevent testsuite failure on ppc64el.
  - Build-depend on Tcl/Tk 8.5, ruby is not yet ready for Tcl/Tk 8.6.

32. By Matthias Klose

Build-depend on tcl8.5-dev and tk8.5-dev, ruby is not yet ready
for Tcl/Tk 8.6.

31. By Adam Conrad

* Merge from Debian unstable. Remaining changes:
  - debian/control: Add ca-certificates to libruby1.9.1 depends so that
    rubygems can perform certificate verification
  - debian/rules: Don't install SSL certificates from upstream sources
  - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
    /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
* Drop debian/patches/CVE-2013-4164.patch; applied upstream.
* debian/patches/20131218-stack-size.patch: Increase thread stack
  size on 64-bit platforms to prevent testsuite failure on ppc64el.

30. By Marc Deslauriers

* SECURITY UPDATE: denial of service and possible code execution via
  heap overflow in floating point parsing.
  - debian/patches/CVE-2013-4164.patch: check lengths in util.c, added
    test to test/ruby/test_float.rb.
  - CVE-2013-4164

29. By Marc Deslauriers

* Merge from Debian. Remaining changes:
  - debian/control: Add ca-certificates to libruby1.9.1 depends so that
    rubygems can perform certificate verification
  - debian/rules: Don't install SSL certificates from upstream sources
  - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
    /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.

28. By Marc Deslauriers

* SECURITY UPDATE: incorrect ssl hostname verification
  - debian/patches/CVE-2013-4073.patch: fix hostname check and regression
    in ext/openssl/lib/openssl/ssl-internal.rb, added test to
    test/openssl/test_ssl.rb.
  - CVE-2013-4073

27. By Marc Deslauriers

* Merge from Debian testing. Remaining changes:
  - debian/control: Add ca-certificates to libruby1.9.1 depends so that
    rubygems can perform certificate verification
  - debian/rules: Don't install SSL certificates from upstream sources
  - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
    /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
  - debian/patches/CVE-2012-4522.patch: Adjust patch to fix build test
    error. Use the version of the fix from upstream's 1.9.3 tree to fix
    the NoMethodError for assert_file_not, which doesn't exist in 1.9.3.
    Adjust the Origin patch tag accordingly.

26. By Tyler Hicks

* Merge from Debian testing (LP: #1131493). Remaining changes:
  - debian/control: Add ca-certificates to libruby1.9.1 depends so that
    rubygems can perform certificate verification
  - debian/rules: Don't install SSL certificates from upstream sources
  - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
    /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
* Changes dropped:
  - debian/patches/20121016-cve_2012_4522.patch: Debian is carrying a patch
    for this issue.
  - debian/patches/20121011-cve_2012_4464-cve_2012_4466.patch: Debian is
    carrying a patch for this issue, but the patch is incorrectly named
    20120927-cve_2011_1005.patch. I'll work with Debian to change the patch
    name, but there's no need in carrying a delta because of this. To be
    clear, the Ubuntu ruby1.9.1 package is patched for CVE-2012-4464 and
    CVE-2012-4466, despite the incorrect patch name.
* debian/patches/CVE-2012-4522.patch: Adjust patch to fix build test error.
  Use the version of the fix from upstream's 1.9.3 tree to fix the
  NoMethodError for assert_file_not, which doesn't exist in 1.9.3. Adjust
  the Origin patch tag accordingly.

25. By Tyler Hicks

* SECURITY UPDATE: Safe level bypass
  - debian/patches/20121011-cve_2012_4464-cve_2012_4466.patch: Remove
    incorrect string taint in exception handling methods. Based on upstream
    patch.
  - CVE-2012-4464
  - CVE-2012-4466
* SECURITY UPDATE: Missing input sanitization of file paths
  - debian/patches/20121016-cve_2012_4522.patch: NUL characters are not
    valid filename characters, so ensure that Ruby strings used for file
    paths do not contain NUL characters. Based on upstream patch.
  - CVE-2012-4522
* debian/patches/20120927-cve_2011_1005.patch: Drop since ruby1.9.x is
  technically not affected by CVE-2011-1005. CVE-2012-4464 is the id
  assigned to the vulnerability in the ruby1.9.x branch.

24. By Tyler Hicks

* SECURITY UPDATE: Safe level bypass
  - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
    taint in exception handling methods. Based on upstream patch.
  - CVE-2011-1005
* Make the RubyGems fetcher use distro-provided ca-certificates
  (LP: #1057926)
  - debian/control: Add ca-certificates to libruby1.9.1 depends so that
    rubygems can perform certificate verification
  - debian/rules: Don't install SSL certificates from upstream sources
  - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
    /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp://staging/ubuntu/trusty/ruby1.9.1