ruby2.3.git
6 years ago: Merge ruby2.3 (2.3.3-1+deb9u6) import into refs/heads/workingbranch
Moritz Mühlenhoff [Fri, 12 Apr 2019 18:28:46 +0000 (19:28 +0100)]
Merge ruby2.3 (2.3.3-1+deb9u6) import into refs/heads/workingbranch

6 years ago: CVE-2019-8320-25
Antonio Terceiro [Fri, 12 Apr 2019 18:28:46 +0000 (19:28 +0100)]
CVE-2019-8320-25

Backport of https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b
addressing, thanks to Leonidas S. Barbosa

CVE-2019-8320
CVE-2019-8321
CVE-2019-8322
CVE-2019-8323
CVE-2019-8324
CVE-2019-8325

Gbp-Pq: Name CVE-2019-8320-25.patch

6 years ago: debian-changes
Antonio Terceiro [Fri, 12 Apr 2019 18:28:46 +0000 (19:28 +0100)]
debian-changes

This patch file represents the entire difference between the package as shipped
by Debian and the official upstream sources. The goal is to maintain this file
as small as possible, avoiding non-upstreamed patches at all costs.

The Debian packaging is maintained in the following Git repository:

  http://anonscm.debian.org/gitweb/?p=collab-maint/ruby.git

To obtain a view of the individual commits that affect non-Debian-specific
files, you can clone that repository, and from the master branch, run:

  $ ./debian/upstream-changes

Gbp-Pq: Name debian-changes

6 years ago: ruby2.3 (2.3.3-1+deb9u6) stretch-security; urgency=medium
Moritz Mühlenhoff [Fri, 12 Apr 2019 18:28:46 +0000 (19:28 +0100)]
ruby2.3 (2.3.3-1+deb9u6) stretch-security; urgency=medium

  * CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324
  * CVE-2019-8325

[dgit import unpatched ruby2.3 2.3.3-1+deb9u6]

6 years ago: Import ruby2.3_2.3.3-1+deb9u6.debian.tar.xz
Moritz Mühlenhoff [Fri, 12 Apr 2019 18:28:46 +0000 (19:28 +0100)]
Import ruby2.3_2.3.3-1+deb9u6.debian.tar.xz

[dgit import tarball ruby2.3 2.3.3-1+deb9u6 ruby2.3_2.3.3-1+deb9u6.debian.tar.xz]

7 years ago: Merge ruby2.3 (2.3.3-1+deb9u4) import into refs/heads/workingbranch
Salvatore Bonaccorso [Sun, 28 Oct 2018 20:49:57 +0000 (20:49 +0000)]
Merge ruby2.3 (2.3.3-1+deb9u4) import into refs/heads/workingbranch

7 years ago: debian-changes
Antonio Terceiro [Sun, 28 Oct 2018 20:49:57 +0000 (20:49 +0000)]
debian-changes

This patch file represents the entire difference between the package as shipped
by Debian and the official upstream sources. The goal is to maintain this file
as small as possible, avoiding non-upstreamed patches at all costs.

The Debian packaging is maintained in the following Git repository:

  http://anonscm.debian.org/gitweb/?p=collab-maint/ruby.git

To obtain a view of the individual commits that affect non-Debian-specific
files, you can clone that repository, and from the master branch, run:

  $ ./debian/upstream-changes

Gbp-Pq: Name debian-changes

7 years ago: ruby2.3 (2.3.3-1+deb9u4) stretch-security; urgency=high
Salvatore Bonaccorso [Sun, 28 Oct 2018 20:49:57 +0000 (20:49 +0000)]
ruby2.3 (2.3.3-1+deb9u4) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * OpenSSL::X509::Name equality check does not work correctly
    (CVE-2018-16395)
  * pack.c: avoid returning uninitialized String
  * Tainted flags are not propagated in Array#pack and String#unpack with some
    directives (CVE-2018-16396)

[dgit import unpatched ruby2.3 2.3.3-1+deb9u4]

7 years ago: Import ruby2.3_2.3.3-1+deb9u4.debian.tar.xz
Salvatore Bonaccorso [Sun, 28 Oct 2018 20:49:57 +0000 (20:49 +0000)]
Import ruby2.3_2.3.3-1+deb9u4.debian.tar.xz

[dgit import tarball ruby2.3 2.3.3-1+deb9u4 ruby2.3_2.3.3-1+deb9u4.debian.tar.xz]

7 years ago: Merge ruby2.3 (2.3.3-1+deb9u3) import into refs/heads/workingbranch
Santiago R.R. [Thu, 19 Jul 2018 11:28:10 +0000 (12:28 +0100)]
Merge ruby2.3 (2.3.3-1+deb9u3) import into refs/heads/workingbranch

7 years ago: debian-changes
Antonio Terceiro [Thu, 19 Jul 2018 11:28:10 +0000 (12:28 +0100)]
debian-changes

This patch file represents the entire difference between the package as shipped
by Debian and the official upstream sources. The goal is to maintain this file
as small as possible, avoiding non-upstreamed patches at all costs.

The Debian packaging is maintained in the following Git repository:

  http://anonscm.debian.org/gitweb/?p=collab-maint/ruby.git

To obtain a view of the individual commits that affect non-Debian-specific
files, you can clone that repository, and from the master branch, run:

  $ ./debian/upstream-changes

Gbp-Pq: Name debian-changes

7 years ago: ruby2.3 (2.3.3-1+deb9u3) stretch-security; urgency=medium
Santiago R.R. [Thu, 19 Jul 2018 11:28:10 +0000 (12:28 +0100)]
ruby2.3 (2.3.3-1+deb9u3) stretch-security; urgency=medium

  [ Santiago R.R. ]
  * Fix Command injection vulnerability in Net::FTP.
    [CVE-2017-17405]
  * webrick: use IO.copy_stream for multipart response. Required changes in
    WEBrick to fix CVE-2017-17742 and CVE-2018-8777
  * Fix HTTP response splitting in WEBrick.
    [CVE-2017-17742]
  * Fix Command Injection in Hosts::new() by use of Kernel#open.
    [CVE-2017-17790]
  * Fix Unintentional directory traversal by poisoned NUL byte in Dir
    [CVE-2018-8780]
  * Fix multiple vulnerabilities in RubyGems.
    CVE-2018-1000073: Prevent Path Traversal issue during gem installation.
    CVE-2018-1000074: Fix possible Unsafe Object Deserialization
    Vulnerability in gem owner.
    CVE-2018-1000075: Strictly interpret octal fields in tar headers.
    CVE-2018-1000076: Raise a security error when there are duplicate files
    in a package.
    CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
    CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when
    displayed via gem server.
    CVE-2018-1000079: Prevent path traversal when writing to a symlinked
    basedir outside of the root.
  * Fix directory traversal vulnerability in the Dir.mktmpdir method in the
    tmpdir library
    [CVE-2018-6914]
  * Fix Unintentional socket creation by poisoned NUL byte in UNIXServer and
    UNIXSocket
    [CVE-2018-8779]
  * Fix Buffer under-read in String#unpack
    [CVE-2018-8778]
  * Fix tests to cope with updates in tzdata (Closes: #889117)
  * Exclude Rinda TestRingFinger and TestRingServer test units requiring
    network access (Closes: #898694)

  [ Antonio Terceiro ]
  * debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to
    assumptions that don't hold on newer tzdata update. Upstream bug:
    https://bugs.ruby-lang.org/issues/14655

[dgit import unpatched ruby2.3 2.3.3-1+deb9u3]

7 years ago: Import ruby2.3_2.3.3-1+deb9u3.debian.tar.xz
Santiago R.R. [Thu, 19 Jul 2018 11:28:10 +0000 (12:28 +0100)]
Import ruby2.3_2.3.3-1+deb9u3.debian.tar.xz

[dgit import tarball ruby2.3 2.3.3-1+deb9u3 ruby2.3_2.3.3-1+deb9u3.debian.tar.xz]

8 years ago: debian-changes
Antonio Terceiro [Sat, 2 Sep 2017 18:11:07 +0000 (19:11 +0100)]
debian-changes

This patch file represents the entire difference between the package as shipped
by Debian and the official upstream sources. The goal is to maintain this file
as small as possible, avoiding non-upstreamed patches at all costs.

The Debian packaging is maintained in the following Git repository:

  http://anonscm.debian.org/gitweb/?p=collab-maint/ruby.git

To obtain a view of the individual commits that affect non-Debian-specific
files, you can clone that repository, and from the master branch, run:

  $ ./debian/upstream-changes

Gbp-Pq: Name debian-changes

8 years ago: ruby2.3 (2.3.3-1+deb9u1) stretch-security; urgency=high
Antonio Terceiro [Sat, 2 Sep 2017 18:11:07 +0000 (19:11 +0100)]
ruby2.3 (2.3.3-1+deb9u1) stretch-security; urgency=high

  * Fix arbitrary heap exposure problem in the JSON library (Closes: #873906)
    [CVE-2017-14064]
    - Backported for Ruby 2.3 by Hiroshi SHIBATA <hsbt@ruby-lang.org>
      https://bugs.ruby-lang.org/issues/13853
  * Fix multiple security vulnerabilities in Rubygems (Closes: #873802)
    - Fix a DNS request hijacking vulnerability. Discovered by Jonathan
      Claudius, fix by Samuel Giddins.
      [CVE-2017-0902]
    - Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh,
      fix by Evan Phoenix.
      [CVE-2017-0899]
    - Fix a DOS vulnerability in the query command. Discovered by Yusuke
      Endoh, fix by Samuel Giddins.
      [CVE-2017-0900]
    - Fix a vulnerability in the gem installer that allowed a malicious gem to
      overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel
      Giddins.
      [CVE-2017-0901]
  * Fix SMTP comment injection (Closes: #864860)
    Patch by Shugo Maeda <shugo@ruby-lang.org>
    [CVE-2015-9096]
  * Fix IV Reuse in GCM Mode (Closes: #842432)
    Patch by Kazuki Yamaguchi <k@rhe.jp>
    [CVE-2016-7798]

[dgit import unpatched ruby2.3 2.3.3-1+deb9u1]

8 years ago: Import ruby2.3_2.3.3-1+deb9u1.debian.tar.xz
Antonio Terceiro [Sat, 2 Sep 2017 18:11:07 +0000 (19:11 +0100)]
Import ruby2.3_2.3.3-1+deb9u1.debian.tar.xz

[dgit import tarball ruby2.3 2.3.3-1+deb9u1 ruby2.3_2.3.3-1+deb9u1.debian.tar.xz]

9 years ago: Import ruby2.3_2.3.3.orig.tar.xz
Christian Hofstaedtler [Tue, 22 Nov 2016 12:32:41 +0000 (12:32 +0000)]
Import ruby2.3_2.3.3.orig.tar.xz

[dgit import orig ruby2.3_2.3.3.orig.tar.xz]