From: Raspbian forward pporter Date: Wed, 17 Oct 2018 11:05:04 +0000 (+0100) Subject: Merge version 2.3.3-1+deb9u1+rpi1 and 2.3.3-1+deb9u3 to produce 2.3.3-1+deb9u3+rpi1 X-Git-Tag: archive/raspbian/2.3.3-1+deb9u3+rpi1^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=0a39e02876a87f145062f2feeb1f10a4dfbb0a9c;p=ruby2.3.git Merge version 2.3.3-1+deb9u1+rpi1 and 2.3.3-1+deb9u3 to produce 2.3.3-1+deb9u3+rpi1 --- 0a39e02876a87f145062f2feeb1f10a4dfbb0a9c diff --cc debian/changelog index 2bfb711,a64eec5..ed5495d --- a/debian/changelog +++ b/debian/changelog @@@ -1,8 -1,67 +1,74 @@@ - ruby2.3 (2.3.3-1+deb9u1+rpi1) stretch-staging; urgency=medium ++ruby2.3 (2.3.3-1+deb9u3+rpi1) stretch-staging; urgency=medium + ++ [changes brought forward from 2.3.3-1+deb9u1+rpi1 by Peter Michael Green at Sat, 21 Oct 2017 22:40:37 +0000] + * Disable testsuite. + - -- Peter Michael Green Sat, 21 Oct 2017 22:40:37 +0000 ++ -- Raspbian forward porter Wed, 17 Oct 2018 11:05:04 +0000 ++ + ruby2.3 (2.3.3-1+deb9u3) stretch-security; urgency=medium + + [ Santiago R.R. ] + * Fix Command injection vulnerability in Net::FTP. + [CVE-2017-17405] + * webrick: use IO.copy_stream for multipart response. Required changes in + WEBrick to fix CVE-2017-17742 and CVE-2018-8777 + * Fix HTTP response splitting in WEBrick. + [CVE-2017-17742] + * Fix Command Injection in Hosts::new() by use of Kernel#open. + [CVE-2017-17790] + * Fix Unintentional directory traversal by poisoned NUL byte in Dir + [CVE-2018-8780] + * Fix multiple vulnerabilities in RubyGems. + CVE-2018-1000073: Prevent Path Traversal issue during gem installation. + CVE-2018-1000074: Fix possible Unsafe Object Deserialization + Vulnerability in gem owner. + CVE-2018-1000075: Strictly interpret octal fields in tar headers. + CVE-2018-1000076: Raise a security error when there are duplicate files + in a package. + CVE-2018-1000077: Enforce URL validation on spec homepage attribute. 
+ CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when + displayed via gem server. + CVE-2018-1000079: Prevent path traversal when writing to a symlinked + basedir outside of the root. + * Fix directory traversal vulnerability in the Dir.mktmpdir method in the + tmpdir library + [CVE-2018-6914] + * Fix Unintentional socket creation by poisoned NUL byte in UNIXServer and + UNIXSocket + [CVE-2018-8779] + * Fix Buffer under-read in String#unpack + [CVE-2018-8778] + * Fix tests to cope with updates in tzdata (Closes: #889117) + * Exclude Rinda TestRingFinger and TestRingServer test units requiring + network access (Closes: #898694) + + [ Antonio Terceiro ] + * debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to + assumptions that don't hold on newer tzdata update. Upstream bug: + https://bugs.ruby-lang.org/issues/14655 + + -- Santiago R.R. Thu, 19 Jul 2018 13:28:10 +0200 + + ruby2.3 (2.3.3-1+deb9u2) stretch-security; urgency=high + + * asn1: fix out-of-bounds read in decoding constructed objects + [CVE-2017-14033] (Closes: #875928) + Original patch by Kazuki Yamaguchi; backported from the standalone openssl package + * lib/webrick/log.rb: sanitize any type of logs + [CVE-2017-10784] (Closes: #875931) + Original patch by Yusuke Endoh; backported to Ruby 2.3 by Usaku NAKAMURA + * fix Buffer underrun vulnerability in Kernel.sprintf + [CVE-2017-0898] (Closes: #875936) + Backported to Ruby 2.3 by Usaku NAKAMURA + * Whitelist classes and symbols that are in Gem spec YAML + [CVE-2017-0903] (Closes: #879231) + Original patch by Aaron Patterson; backported from the standalone Rubygems + package + * thread_pthread.c: do not wakeup inside child processes + Avoid child Ruby processed being stuck in a busy loop (Closes: #876377) + Original patch by Eric Wong + + -- Antonio Terceiro Sun, 22 Oct 2017 12:45:48 -0200 ruby2.3 (2.3.3-1+deb9u1) stretch-security; urgency=high
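Review bot: the merged entry keeps "* Disable testsuite." as the only Raspbian-specific change on top of 2.3.3-1+deb9u3, yet that update is almost entirely security backports (CVE-2017-17405, CVE-2017-17742, CVE-2017-17790, CVE-2018-8780, CVE-2018-8778, CVE-2018-8779, CVE-2018-6914, the RubyGems CVE-2018-1000073 through CVE-2018-1000079 set, plus the deb9u2 fixes for CVE-2017-14033, CVE-2017-10784, CVE-2017-0898 and CVE-2017-0903) and it also touches the test suite itself ("Fix tests to cope with updates in tzdata", the Rinda TestRingFinger/TestRingServer excludes, and debian/tests/excludes/any/TestTimeTZ.rb). With the suite disabled, none of those backports is exercised by the Raspbian build, so a regression in the forward-ported package would only surface in Debian's or upstream's runs. The changelog line gives no reason for disabling the suite; please record why, and if the cause is a small set of failing or slow tests, prefer excluding those through the existing debian/tests/excludes mechanism that deb9u3 already uses, so the tests covering the security fixes still run.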