- ruby2.3 (2.3.3-1+deb9u1+rpi1) stretch-staging; urgency=medium
++ruby2.3 (2.3.3-1+deb9u3+rpi1) stretch-staging; urgency=medium
+
++ [changes brought forward from 2.3.3-1+deb9u1+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Sat, 21 Oct 2017 22:40:37 +0000]
+ * Disable testsuite.
+
- -- Peter Michael Green <plugwash@raspbian.org> Sat, 21 Oct 2017 22:40:37 +0000
++ -- Raspbian forward porter <root@raspbian.org> Wed, 17 Oct 2018 11:05:04 +0000
++
+ ruby2.3 (2.3.3-1+deb9u3) stretch-security; urgency=medium
+
+ [ Santiago R.R. ]
+ * Fix Command injection vulnerability in Net::FTP.
+ [CVE-2017-17405]
+ * webrick: use IO.copy_stream for multipart response. Required changes in
+ WEBrick to fix CVE-2017-17742 and CVE-2018-8777
+ * Fix HTTP response splitting in WEBrick.
+ [CVE-2017-17742]
+ * Fix Command Injection in Hosts::new() by use of Kernel#open.
+ [CVE-2017-17790]
+ * Fix Unintentional directory traversal by poisoned NUL byte in Dir
+ [CVE-2018-8780]
+ * Fix multiple vulnerabilities in RubyGems.
+ CVE-2018-1000073: Prevent Path Traversal issue during gem installation.
+ CVE-2018-1000074: Fix possible Unsafe Object Deserialization
+ Vulnerability in gem owner.
+ CVE-2018-1000075: Strictly interpret octal fields in tar headers.
+ CVE-2018-1000076: Raise a security error when there are duplicate files
+ in a package.
+ CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
+ CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when
+ displayed via gem server.
+ CVE-2018-1000079: Prevent path traversal when writing to a symlinked
+ basedir outside of the root.
+ * Fix directory traversal vulnerability in the Dir.mktmpdir method in the
+ tmpdir library
+ [CVE-2018-6914]
+ * Fix Unintentional socket creation by poisoned NUL byte in UNIXServer and
+ UNIXSocket
+ [CVE-2018-8779]
+ * Fix Buffer under-read in String#unpack
+ [CVE-2018-8778]
+ * Fix tests to cope with updates in tzdata (Closes: #889117)
+ * Exclude Rinda TestRingFinger and TestRingServer test units requiring
+ network access (Closes: #898694)
+
+ [ Antonio Terceiro ]
+ * debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to
+ assumptions that don't hold on newer tzdata update. Upstream bug:
+ https://bugs.ruby-lang.org/issues/14655
+
+ -- Santiago R.R. <santiagorr@riseup.net> Thu, 19 Jul 2018 13:28:10 +0200
+
+ ruby2.3 (2.3.3-1+deb9u2) stretch-security; urgency=high
+
+ * asn1: fix out-of-bounds read in decoding constructed objects
+ [CVE-2017-14033] (Closes: #875928)
+ Original patch by Kazuki Yamaguchi; backported from the standalone openssl package
+ * lib/webrick/log.rb: sanitize any type of logs
+ [CVE-2017-10784] (Closes: #875931)
+ Original patch by Yusuke Endoh; backported to Ruby 2.3 by Usaku NAKAMURA
+ * fix Buffer underrun vulnerability in Kernel.sprintf
+ [CVE-2017-0898] (Closes: #875936)
+ Backported to Ruby 2.3 by Usaku NAKAMURA
+ * Whitelist classes and symbols that are in Gem spec YAML
+ [CVE-2017-0903] (Closes: #879231)
+ Original patch by Aaron Patterson; backported from the standalone Rubygems
+ package
+ * thread_pthread.c: do not wakeup inside child processes
+ Avoid child Ruby processed being stuck in a busy loop (Closes: #876377)
+ Original patch by Eric Wong
+
+ -- Antonio Terceiro <terceiro@debian.org> Sun, 22 Oct 2017 12:45:48 -0200
ruby2.3 (2.3.3-1+deb9u1) stretch-security; urgency=high
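Review bot: the forward-port entry at the top carries "Disable testsuite." across to 2.3.3-1+deb9u3+rpi1 without saying why, while the deb9u3 entry it pulls in includes test-side changes (the tzdata test fixes, the Rinda TestRingFinger/TestRingServer exclusions, and the TestTimeTZ.rb exclude) that a build with the suite disabled will not exercise; add a one-line justification to the rpi1 stanza (for example, which tests fail or time out on the Raspbian builders) so the next forward porter can tell whether the disable is still required now that the tzdata and network-dependent tests have been addressed upstream.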