Name Status Last Modified Last Commit
lp:ubuntu/wily/ruby1.8 1 Development 2015-05-05 16:31:43 UTC
43. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-02-29 12:11:48 UTC

* SECURITY UPDATE: Denial of service via crafted hash table keys
  (LP: #943451)
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/vivid/ruby1.8 2 Mature 2014-10-25 09:24:27 UTC
43. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-02-29 12:11:48 UTC

* SECURITY UPDATE: Denial of service via crafted hash table keys
  (LP: #943451)
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/utopic/ruby1.8 2 Mature 2014-04-25 22:47:02 UTC
43. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-02-29 12:11:48 UTC

* SECURITY UPDATE: Denial of service via crafted hash table keys
  (LP: #943451)
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/trusty/ruby1.8 2 Mature 2013-10-20 06:42:47 UTC
43. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-02-29 12:11:48 UTC

* SECURITY UPDATE: Denial of service via crafted hash table keys
  (LP: #943451)
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/saucy/ruby1.8 2 Mature 2013-04-26 01:54:55 UTC
43. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-02-29 12:11:48 UTC

* SECURITY UPDATE: Denial of service via crafted hash table keys
  (LP: #943451)
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/raring/ruby1.8 2 Mature 2012-10-20 10:40:48 UTC
43. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-02-29 12:11:48 UTC

* SECURITY UPDATE: Denial of service via crafted hash table keys
  (LP: #943451)
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/quantal/ruby1.8 2 Mature 2012-04-26 18:24:08 UTC
43. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-02-29 12:11:48 UTC

* SECURITY UPDATE: Denial of service via crafted hash table keys
  (LP: #943451)
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/oneiric-updates/ruby1.8 2 Mature 2012-04-11 07:09:43 UTC
43. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-02-21 16:28:51 UTC

* SECURITY UPDATE: Denial of service via crafted hash table keys
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/oneiric-security/ruby1.8 2 Mature 2012-04-11 07:09:37 UTC
43. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-02-21 16:28:51 UTC

* SECURITY UPDATE: Denial of service via crafted hash table keys
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/natty-updates/ruby1.8 2 Mature 2012-04-11 07:09:32 UTC
40. * SECURITY UPDATE: Arbitrary code exe...

Author: Tyler Hicks
Revision Date: 2012-02-21 16:28:51 UTC

* SECURITY UPDATE: Arbitrary code execution and denial of service
  - debian/patches/CVE-2011-0188.patch: Remove cast to prevent memory
    corruption during allocation. Based on upstream patch.
  - CVE-2011-0188
* SECURITY UPDATE: Arbitrary file deletion due to symlink race
  - debian/patches/CVE-2011-1004.patch: Unlink the symlink rather
    than recursively removing everything underneath the symlink
    destination. Based on upstream patch.
  - CVE-2011-1004
* SECURITY UPDATE: Safe level bypass
  - debian/patches/CVE-2011-1005.patch: Remove incorrect string taint
    in exception handling methods. Based on upstream patch.
  - CVE-2011-1005
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2686.patch: Reseed the random number
    generator each time a child process is created. Based on upstream
    patch.
  - CVE-2011-2686
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2705.patch: Reseed the random number
    generator with the pid number and the current time to prevent
    predictable random numbers in the case of pid number rollover. Based on
    upstream patch.
  - CVE-2011-2705
* SECURITY UPDATE: Denial of service via crafted hash table keys
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/intrepid-updates/ruby1.8 bug 1 Development 2012-04-11 07:09:30 UTC
25. * SECURITY UPDATE: certificate spoofi...

Author: Marc Deslauriers
Revision Date: 2009-07-15 11:49:36 UTC

* SECURITY UPDATE: certificate spoofing via invalid return value check
  in OCSP_basic_verify
  - debian/patches/906_security_CVE-2009-0642.dpatch: also check for -1
    return code in ext/openssl/ossl_ocsp.c.
  - CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
  argument that represents a large number (LP: #385436)
  - debian/patches/907_security_CVE-2009-1904.dpatch: handle large
    numbers properly in ext/bigdecimal/bigdecimal.c.
  - CVE-2009-1904

lp:ubuntu/gutsy-security/ruby1.8 bug 1 Development 2012-04-11 07:09:28 UTC
23. * SECURITY UPDATE: denial of service ...

Author: Jamie Strandboge
Revision Date: 2008-10-09 08:47:35 UTC

* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
  module (LP: #261459)
  - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
    rexml/entity.rb to use expansion limits
  - CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
  service (LP: #246818)
  - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
    check argument length
  - CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
  socket
  - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
    managed memory and check for allocation failures
  - CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
  - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
    properly check paths ending with '.'
  - CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
  requests (separate vulnerability from CVE-2008-1447)
  - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
    SecureRandom for transaction id and source port
  - CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
  - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
    rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
    propagate taint and check taintness of DLPtrData
  - CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
  - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
    and syslog.c, check for secure level 3 or higher in eval.c and make
    sure PROGRAM_NAME can't be modified
  - CVE-2008-3655

lp:ubuntu/natty-security/ruby1.8 2 Mature 2012-04-11 07:09:26 UTC
40. * SECURITY UPDATE: Arbitrary code exe...

Author: Tyler Hicks
Revision Date: 2012-02-21 16:28:51 UTC

* SECURITY UPDATE: Arbitrary code execution and denial of service
  - debian/patches/CVE-2011-0188.patch: Remove cast to prevent memory
    corruption during allocation. Based on upstream patch.
  - CVE-2011-0188
* SECURITY UPDATE: Arbitrary file deletion due to symlink race
  - debian/patches/CVE-2011-1004.patch: Unlink the symlink rather
    than recursively removing everything underneath the symlink
    destination. Based on upstream patch.
  - CVE-2011-1004
* SECURITY UPDATE: Safe level bypass
  - debian/patches/CVE-2011-1005.patch: Remove incorrect string taint
    in exception handling methods. Based on upstream patch.
  - CVE-2011-1005
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2686.patch: Reseed the random number
    generator each time a child process is created. Based on upstream
    patch.
  - CVE-2011-2686
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2705.patch: Reseed the random number
    generator with the pid number and the current time to prevent
    predictable random numbers in the case of pid number rollover. Based on
    upstream patch.
  - CVE-2011-2705
* SECURITY UPDATE: Denial of service via crafted hash table keys
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/hardy-security/ruby1.8 bug 1 Development 2012-04-11 07:09:20 UTC
24. * SECURITY UPDATE: certificate spoofi...

Author: Marc Deslauriers
Revision Date: 2009-07-15 13:06:03 UTC

* SECURITY UPDATE: certificate spoofing via invalid return value check
  in OCSP_basic_verify
  - debian/patches/904_security_CVE-2009-0642.dpatch: also check for -1
    return code in ext/openssl/ossl_ocsp.c.
  - CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
  argument that represents a large number (LP: #385436)
  - debian/patches/905_security_CVE-2009-1904.dpatch: handle large
    numbers properly in ext/bigdecimal/bigdecimal.c.
  - CVE-2009-1904

lp:ubuntu/maverick-updates/ruby1.8 1 Development 2012-04-11 07:09:20 UTC
39. * SECURITY UPDATE: Cross-site scripti...

Author: Tyler Hicks
Revision Date: 2012-02-21 16:28:51 UTC

* SECURITY UPDATE: Cross-site scripting via HTTP error responses
  - debian/patches/CVE-2010-0541.patch: Use the ISO-8859-1 character
    set for HTTP error responses. Based on upstream patch.
  - CVE-2010-0541
* SECURITY UPDATE: Arbitrary code execution and denial of service
  - debian/patches/CVE-2011-0188.patch: Remove cast to prevent memory
    corruption during allocation. Based on upstream patch.
  - CVE-2011-0188
* SECURITY UPDATE: Arbitrary file deletion due to symlink race
  - debian/patches/CVE-2011-1004.patch: Unlink the symlink rather
    than recursively removing everything underneath the symlink
    destination. Based on upstream patch.
  - CVE-2011-1004
* SECURITY UPDATE: Safe level bypass
  - debian/patches/CVE-2011-1005.patch: Remove incorrect string taint
    in exception handling methods. Based on upstream patch.
  - CVE-2011-1005
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2686.patch: Reseed the random number
    generator each time a child process is created. Based on upstream
    patch.
  - CVE-2011-2686
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2705.patch: Reseed the random number
    generator with the pid number and the current time to prevent
    predictable random numbers in the case of pid number rollover. Based on
    upstream patch.
  - CVE-2011-2705
* SECURITY UPDATE: Denial of service via crafted hash table keys
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/karmic-proposed/ruby1.8 bug 1 Development 2012-04-11 07:09:17 UTC
32. * Added debian/patches/091125_gc_chec...

Author: Bryan McLellan
Revision Date: 2009-12-01 03:33:13 UTC

* Added debian/patches/091125_gc_check.dpatch: Avoid segv on gc run when
  heap fills up with deferred objects. (LP: #488115)
* Added debian/patches/090812_class_clone_segv.dpatch: avoid segv when an
  object is cloned. (LP: #484756)

lp:ubuntu/maverick-security/ruby1.8 1 Development 2012-04-11 07:09:15 UTC
39. * SECURITY UPDATE: Cross-site scripti...

Author: Tyler Hicks
Revision Date: 2012-02-21 16:28:51 UTC

* SECURITY UPDATE: Cross-site scripting via HTTP error responses
  - debian/patches/CVE-2010-0541.patch: Use the ISO-8859-1 character
    set for HTTP error responses. Based on upstream patch.
  - CVE-2010-0541
* SECURITY UPDATE: Arbitrary code execution and denial of service
  - debian/patches/CVE-2011-0188.patch: Remove cast to prevent memory
    corruption during allocation. Based on upstream patch.
  - CVE-2011-0188
* SECURITY UPDATE: Arbitrary file deletion due to symlink race
  - debian/patches/CVE-2011-1004.patch: Unlink the symlink rather
    than recursively removing everything underneath the symlink
    destination. Based on upstream patch.
  - CVE-2011-1004
* SECURITY UPDATE: Safe level bypass
  - debian/patches/CVE-2011-1005.patch: Remove incorrect string taint
    in exception handling methods. Based on upstream patch.
  - CVE-2011-1005
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2686.patch: Reseed the random number
    generator each time a child process is created. Based on upstream
    patch.
  - CVE-2011-2686
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2705.patch: Reseed the random number
    generator with the pid number and the current time to prevent
    predictable random numbers in the case of pid number rollover. Based on
    upstream patch.
  - CVE-2011-2705
* SECURITY UPDATE: Denial of service via crafted hash table keys
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/lucid-updates/ruby1.8 2 Mature 2012-04-11 07:09:07 UTC
35. * SECURITY UPDATE: Cross-site scripti...

Author: Tyler Hicks
Revision Date: 2012-02-21 16:28:51 UTC

* SECURITY UPDATE: Cross-site scripting via HTTP error responses
  - debian/patches/CVE-2010-0541.patch: Use the ISO-8859-1 character
    set for HTTP error responses. Based on upstream patch.
  - CVE-2010-0541
* SECURITY UPDATE: Arbitrary code execution and denial of service
  - debian/patches/CVE-2011-0188.patch: Remove cast to prevent memory
    corruption during allocation. Based on upstream patch.
  - CVE-2011-0188
* SECURITY UPDATE: Arbitrary file deletion due to symlink race
  - debian/patches/CVE-2011-1004.patch: Unlink the symlink rather
    than recursively removing everything underneath the symlink
    destination. Based on upstream patch.
  - CVE-2011-1004
* SECURITY UPDATE: Safe level bypass
  - debian/patches/CVE-2011-1005.patch: Remove incorrect string taint
    in exception handling methods. Based on upstream patch.
  - CVE-2011-1005
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2686.patch: Reseed the random number
    generator each time a child process is created. Based on upstream
    patch.
  - CVE-2011-2686
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2705.patch: Reseed the random number
    generator with the pid number and the current time to prevent
    predictable random numbers in the case of pid number rollover. Based on
    upstream patch.
  - CVE-2011-2705
* SECURITY UPDATE: Denial of service via crafted hash table keys
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/lucid-security/ruby1.8 2 Mature 2012-04-11 07:09:03 UTC
35. * SECURITY UPDATE: Cross-site scripti...

Author: Tyler Hicks
Revision Date: 2012-02-21 16:28:51 UTC

* SECURITY UPDATE: Cross-site scripting via HTTP error responses
  - debian/patches/CVE-2010-0541.patch: Use the ISO-8859-1 character
    set for HTTP error responses. Based on upstream patch.
  - CVE-2010-0541
* SECURITY UPDATE: Arbitrary code execution and denial of service
  - debian/patches/CVE-2011-0188.patch: Remove cast to prevent memory
    corruption during allocation. Based on upstream patch.
  - CVE-2011-0188
* SECURITY UPDATE: Arbitrary file deletion due to symlink race
  - debian/patches/CVE-2011-1004.patch: Unlink the symlink rather
    than recursively removing everything underneath the symlink
    destination. Based on upstream patch.
  - CVE-2011-1004
* SECURITY UPDATE: Safe level bypass
  - debian/patches/CVE-2011-1005.patch: Remove incorrect string taint
    in exception handling methods. Based on upstream patch.
  - CVE-2011-1005
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2686.patch: Reseed the random number
    generator each time a child process is created. Based on upstream
    patch.
  - CVE-2011-2686
* SECURITY UPDATE: Predictable random number generation
  - debian/patches/CVE-2011-2705.patch: Reseed the random number
    generator with the pid number and the current time to prevent
    predictable random numbers in the case of pid number rollover. Based on
    upstream patch.
  - CVE-2011-2705
* SECURITY UPDATE: Denial of service via crafted hash table keys
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/karmic-updates/ruby1.8 1 Development 2012-04-11 07:08:52 UTC
32. * Added debian/patches/091125_gc_chec...

Author: Bryan McLellan
Revision Date: 2009-12-01 03:33:13 UTC

* Added debian/patches/091125_gc_check.dpatch: Avoid segv on gc run when
  heap fills up with deferred objects. (LP: #488115)
* Added debian/patches/090812_class_clone_segv.dpatch: avoid segv when an
  object is cloned. (LP: #484756)

lp:ubuntu/jaunty/ruby1.8 1 Development 2012-04-11 07:08:37 UTC
24. * applied debian/patches/905_class_du...

Author: akira yamada
Revision Date: 2009-01-06 10:56:56 UTC

* applied debian/patches/905_class_dup_should_copy_constants.dpatch:
  - Class#dup should copy constants into the duplicated class.
    (closes: #506344)

lp:ubuntu/precise/ruby1.8 bug 2 Mature 2012-04-11 07:08:29 UTC
43. * SECURITY UPDATE: Denial of service ...

Author: Tyler Hicks
Revision Date: 2012-02-29 12:11:48 UTC

* SECURITY UPDATE: Denial of service via crafted hash table keys
  (LP: #943451)
  - debian/patches/CVE-2011-4815.patch: Add randomness to the key hashing
    algorithm to prevent predictable results when inserting objects into a
    hash table. Based on upstream patch.
  - CVE-2011-4815

lp:ubuntu/intrepid/ruby1.8 1 Development 2012-04-11 07:08:27 UTC
22. * New upstream release. - many patc...

Author: Lucas Nussbaum
Revision Date: 2008-09-10 10:27:45 UTC

* New upstream release.
  - many patches in 1.8.7.22-4 were simply backported from upstream SVN, and
    are integrated into that release. We drop those:
    + 103_array_c_r17472_to_r17756.dpatch
    + 810_ruby187p22_fixes.dpatch
    + 811_multiple_vuln_200808.dpatch
  - Fixes the following security issues: (Closes: #494401)
    * Several vulnerabilities in safe level
    * DoS vulnerability in WEBrick
    * Lack of taintness check in dl
    * DNS spoofing vulnerability in resolv.rb (CVE-2008-1447)
* Applied debian/patches/168_rexml_dos.dpatch:
  Fix CVE-2008-3790 (REXML expansion DOS). Closes: #496808.

lp:ubuntu/hardy/ruby1.8 2 Mature 2012-04-11 07:08:17 UTC
18. * Merge from debian unstable, remaini...

Author: Michael Vogt
Revision Date: 2007-11-23 16:08:57 UTC

* Merge from debian unstable, remaining changes:
  - Adjust configure options for lpia.
  - add -g when build with noopt

lp:ubuntu/gutsy/ruby1.8 1 Development 2012-04-11 07:08:04 UTC
17. Trigger rebuild for hppa

Author: LaMont Jones
Revision Date: 2007-10-04 12:23:01 UTC

Trigger rebuild for hppa

lp:ubuntu/feisty/ruby1.8 1 Development 2012-04-11 07:07:57 UTC
11. * Rebuild for changes in the amd64 to...

Author: Matthias Klose
Revision Date: 2007-03-05 01:26:02 UTC

* Rebuild for changes in the amd64 toolchain.
* Set Ubuntu maintainer address.

lp:ubuntu/edgy/ruby1.8 1 Development 2012-04-11 07:07:50 UTC
7. Merge from debian unstable.

Author: Fabio Massimo Di Nitto
Revision Date: 2006-07-04 09:42:14 UTC

Merge from debian unstable.

lp:ubuntu/dapper/ruby1.8 1 Development 2012-04-11 07:07:42 UTC
6. * Fix libruby sparc runtime illegal i...

Author: Fabio Massimo Di Nitto
Revision Date: 2006-03-17 10:32:22 UTC

* Fix libruby sparc runtime illegal instructions:
  - add patch debian/patches/903_sparc_fix_define.patch
(Fix by David S. Miller)

lp:ubuntu/breezy/ruby1.8 1 Development 2012-04-11 07:07:35 UTC
4. * SECURITY UPDATE: Fix safe_mode bypa...

Author: Martin Pitt
Revision Date: 2005-10-07 16:41:19 UTC

* SECURITY UPDATE: Fix safe_mode bypass.
* Add debian/patches/910_safe_mode_bypass.patch:
  - eval.c, rb_add_method(): Preserve safe level in the environment where a
    method is defined.
  - eval.c, rb_call0(): Restore preserved safe level in the method
    execution.
  - References:
    http://www.ruby-lang.org/en/20051003.html
    ftp://ftp.ruby-lang.org/pub/ruby/1.8/1.8.2-patch1.gz

lp:ubuntu/hoary/ruby1.8 1 Development 2012-04-11 07:07:29 UTC
3. * akira yamada <akira@debian.org> - n...

Author: akira yamada
Revision Date: 2004-12-23 12:51:28 UTC

* akira yamada <akira@debian.org>
- new upstream version, 1.8.2 preview4:
    - removed debian/patches/{10[01]_cvs_updates.patch,802_socket.c.patch,
      803_rexml_shiftjis.patch}. they were included in 1.8.2 preview4.
    - (urgency high) fixed segv bugs:
        - sprintf dumps core. [ruby-dev:25104]
        - DBM#select dumps core. [ruby-dev:25132]
        - Socket#listen dumps core. [ruby-dev:25149]
        - IO#reopen dumps core. [ruby-dev:25150]
        - OpenSSL::Digest::Digest.new dumps core.
          [ruby-dev:25187][ruby-dev:25198]
        - Dir.foreach dumps core. [ruby-dev:25242]
        - Zlib::Deflate.deflate dumps core. [ruby-dev:25226]
        - Struct.new dumps core. [ruby-dev:25249]
        - IO#eof? dumps core. [ruby-dev:25251]
        - OpenSSL::ASN1.traverse dumps core.
          [ruby-dev:25261][ruby-dev:25261]
        - DL::Symbol.new dumps core. [ruby-dev:25271]
    - fixed bugs:
        - removed debug print for jcode.rb. [ruby-dev:25156]
        - serializes un-serializeable remote exceptions as DRbRemoteError.
          [ruby-list:40390]
        - IO.open could not handle 'w+' mode. (closes: #283030)
        - (urgency high) temporal locking already locked string on
          simultaneous write. [ruby-dev:25050] (closes: #286195)
- added debian/patches/100_cvs_updates.patch:
    - IO#reopen restores exact mode. [ruby-core:04003]
- added debian/patches/801_syck_segv.patch:
    - YAML::Syck::Parser#load dumps core. [ruby-core:03973]
- debian/rules: configure with --disable-rpath.

lp:ubuntu/warty/ruby1.8 1 Development 2012-04-11 07:07:22 UTC
2. * akira yamada <akira@debian.org> - a...

Author: akira yamada
Revision Date: 2004-08-24 21:41:42 UTC

* akira yamada <akira@debian.org>
- added debian/patches/101_cvs_updates.patch:
    - "IO.allocate.reopen('/nothing')" on irb causes SEGV.
      [ruby-core:03288]
    - (urgency high) CGI::Session::FilesStore and CGI::Session::PStore
      should not use a session id as a filename. (closes: #267753)
- added debian/patches/818_instance_eval.patch:
    - core dump with binding, eval, instance_eval and class variable.
      [ruby-dev:24120]
- removed debian/patches/814_syck_8bit_clean.patch,
  debian/patches/815_openssl_select.patch,
  debian/patches/816_exception_slowdown.patch and
  debian/patches/817_ruby-mode.el_fixtypo.patch:
    - included into upstream source.

lp:ubuntu/oneiric/ruby1.8 2 Mature 2011-07-24 12:30:48 UTC
42. Add -fno-tree-sra on armel. Workaroun...

Author: Lucas Nussbaum
Revision Date: 2011-07-24 12:30:48 UTC

Add -fno-tree-sra on armel. Workaround that Closes: #634260

lp:ubuntu/natty/ruby1.8 2 Mature 2010-10-13 07:05:12 UTC
39. Add debian/patches/100901_threading_f...

Author: Lucas Nussbaum
Revision Date: 2010-09-01 12:08:48 UTC

Add debian/patches/100901_threading_fixes.patch. Fixes threading
problems on Debian GNU/kFreeBSD exhibited by puppet.
Thanks to Petr Salinger and Aurélien Jarno. Closes: #595034

lp:ubuntu/maverick/ruby1.8 2 Mature 2010-07-30 17:45:14 UTC
38. * Convert from dpatch to quilt using ...

Author: Lucas Nussbaum
Revision Date: 2010-07-30 17:45:14 UTC

* Convert from dpatch to quilt using dpatch2quilt.sh
* Add patch 100730_disable_getsetcontext_on_nptl: disable getsetcontext on
  NPTL. LP: #307462, Closes: #579229
* Added 100730_verbose-tests.patch: run tests in verbose mode.
* Run make test-all, but do not consider failures fatal for now.
* Upgrade to Standards-Version: 3.9.1. No changes needed.
* Deal with Ubuntu changing the GCC target to i686-linux-gnu: search
  for libs in i486-linux too. LP: #611322.

lp:ubuntu/lucid/ruby1.8 1 Development 2010-03-12 07:13:47 UTC
34. Add 100312_timeout-fix.dpatch: Backpo...

Author: Lucas Nussbaum
Revision Date: 2010-03-12 07:13:47 UTC

Add 100312_timeout-fix.dpatch: Backport upstream change to fix
problem with threads and timeouts. Closes: #539987

lp:ubuntu/jaunty-security/ruby1.8 bug 2 Mature 2009-08-05 03:49:17 UTC
25. * SECURITY UPDATE: certificate spoofi...

Author: Marc Deslauriers
Revision Date: 2009-07-15 10:38:14 UTC

* SECURITY UPDATE: certificate spoofing via invalid return value check
  in OCSP_basic_verify
  - debian/patches/906_security_CVE-2009-0642.dpatch: also check for -1
    return code in ext/openssl/ossl_ocsp.c.
  - CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
  argument that represents a large number (LP: #385436)
  - debian/patches/907_security_CVE-2009-1904.dpatch: handle large
    numbers properly in ext/bigdecimal/bigdecimal.c.
  - CVE-2009-1904

lp:ubuntu/intrepid-security/ruby1.8 bug 2 Mature 2009-08-05 03:49:06 UTC
23. * SECURITY UPDATE: certificate spoofi...

Author: Marc Deslauriers
Revision Date: 2009-07-15 11:49:36 UTC

* SECURITY UPDATE: certificate spoofing via invalid return value check
  in OCSP_basic_verify
  - debian/patches/906_security_CVE-2009-0642.dpatch: also check for -1
    return code in ext/openssl/ossl_ocsp.c.
  - CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
  argument that represents a large number (LP: #385436)
  - debian/patches/907_security_CVE-2009-1904.dpatch: handle large
    numbers properly in ext/bigdecimal/bigdecimal.c.
  - CVE-2009-1904

lp:ubuntu/jaunty-updates/ruby1.8 2 Mature 2009-08-05 03:47:43 UTC
25. * SECURITY UPDATE: certificate spoofi...

Author: Marc Deslauriers
Revision Date: 2009-07-15 10:38:14 UTC

* SECURITY UPDATE: certificate spoofing via invalid return value check
  in OCSP_basic_verify
  - debian/patches/906_security_CVE-2009-0642.dpatch: also check for -1
    return code in ext/openssl/ossl_ocsp.c.
  - CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
  argument that represents a large number (LP: #385436)
  - debian/patches/907_security_CVE-2009-1904.dpatch: handle large
    numbers properly in ext/bigdecimal/bigdecimal.c.
  - CVE-2009-1904

lp:ubuntu/dapper-security/ruby1.8 bug 1 Development 2009-07-20 13:58:07 UTC
13. * SECURITY UPDATE: certificate spoofi...

Author: Marc Deslauriers
Revision Date: 2009-07-15 13:31:57 UTC

* SECURITY UPDATE: certificate spoofing via invalid return value check
  in OCSP_basic_verify
  - debian/patches/924_CVE-2009-0642.patch: also check for -1 return
    code in ext/openssl/ossl_ocsp.c.
  - CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
  argument that represents a large number (LP: #385436)
  - debian/patches/925_CVE-2009-1904.patch: handle large numbers properly
    in ext/bigdecimal/bigdecimal.c.
  - CVE-2009-1904

lp:ubuntu/dapper-updates/ruby1.8 bug 1 Development 2009-07-15 13:31:57 UTC
13. * SECURITY UPDATE: certificate spoofi...

Author: Marc Deslauriers
Revision Date: 2009-07-15 13:31:57 UTC

* SECURITY UPDATE: certificate spoofing via invalid return value check
  in OCSP_basic_verify
  - debian/patches/924_CVE-2009-0642.patch: also check for -1 return
    code in ext/openssl/ossl_ocsp.c.
  - CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
  argument that represents a large number (LP: #385436)
  - debian/patches/925_CVE-2009-1904.patch: handle large numbers properly
    in ext/bigdecimal/bigdecimal.c.
  - CVE-2009-1904

lp:ubuntu/hardy-updates/ruby1.8 bug 1 Development 2009-07-15 13:06:03 UTC
24. * SECURITY UPDATE: certificate spoofi...

Author: Marc Deslauriers
Revision Date: 2009-07-15 13:06:03 UTC

* SECURITY UPDATE: certificate spoofing via invalid return value check
  in OCSP_basic_verify
  - debian/patches/904_security_CVE-2009-0642.dpatch: also check for -1
    return code in ext/openssl/ossl_ocsp.c.
  - CVE-2009-0642
* SECURITY UPDATE: denial of service in BigDecimal library via string
  argument that represents a large number (LP: #385436)
  - debian/patches/905_security_CVE-2009-1904.dpatch: handle large
    numbers properly in ext/bigdecimal/bigdecimal.c.
  - CVE-2009-1904

lp:ubuntu/intrepid-proposed/ruby1.8 bug 1 Development 2009-06-27 18:34:21 UTC
23. debian/patches/905_short_named_consta...

Author: Jamie Strandboge
Revision Date: 2008-11-20 13:24:03 UTC

debian/patches/905_short_named_constants.dpatch: Fix for short-named
constants regression (LP: #282302)

lp:ubuntu/gutsy-updates/ruby1.8 bug 1 Development 2009-06-27 18:34:15 UTC
23. * SECURITY UPDATE: denial of service ...

Author: Jamie Strandboge
Revision Date: 2008-10-09 08:47:35 UTC

* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
  module (LP: #261459)
  - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
    rexml/entity.rb to use expansion limits
  - CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
  service (LP: #246818)
  - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
    check argument length
  - CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
  socket
  - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
    managed memory and check for allocation failures
  - CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
  - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
    properly check paths ending with '.'
  - CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
  requests (separate vulnerability from CVE-2008-1447)
  - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
    SecureRandom for transaction id and source port
  - CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
  - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
    rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
    propagate taint and check taintness of DLPtrData
  - CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
  - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
    and syslog.c, check for secure level 3 or higher in eval.c and make
    sure PROGRAM_NAME can't be modified
  - CVE-2008-3655

lp:ubuntu/feisty-security/ruby1.8 bug 1 Development 2009-06-27 18:33:24 UTC
14. * SECURITY UPDATE: denial of service ...

Author: Jamie Strandboge
Revision Date: 2008-10-09 09:28:03 UTC

* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
  module (LP: #261459)
  - debian/patches/953_CVE-2008-3790.patch: adjust rexml/document.rb and
    rexml/entity.rb to use expansion limits
  - CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
  service (LP: #246818)
  - debian/patches/954_CVE-2008-2376.patch: adjust array.c to properly
    check argument length
  - CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
  socket
  - debian/patches/955_CVE-2008-3443.patch: adjust regex.c to not use ruby
    managed memory and check for allocation failures
  - CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
  - debian/patches/956_CVE-2008-3656.patch: update webrick/httputils.rb to
    properly check paths ending with '.'
  - CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
  requests (separate vulnerability from CVE-2008-1447)
  - debian/patches/957_CVE-2008-3905.patch: adjust resolv.rb to use
    SecureRandom for transaction id and source port
  - CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
  - debian/patches/958_CVE-2008-3657.patch: adjust rb_str_to_ptr and
    rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
    propagate taint and check taintness of DLPtrData
  - CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
  - debian/patches/959_CVE-2008-3655.patch: use rb_secure(4) in variable.c
    and syslog.c, check for secure level 3 or higher in eval.c and make
    sure PROGRAM_NAME can't be modified
  - CVE-2008-3655

lp:ubuntu/edgy-security/ruby1.8 bug 1 Development 2009-06-27 18:33:07 UTC
10. * SECURITY UPDATE: SSL connections di...

Author: Stephan Rügamer
Revision Date: 2007-11-13 19:42:37 UTC

* SECURITY UPDATE: SSL connections did not check commonName early
  enough, possibly allowing sensitive information to be exposed.
* debian/patches/915_CVE-2007-5162.patch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
* debian/patches/915_CVE-2007-5770.patch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
* References:
  CVE-2007-5162 CVE-2007-5770 (LP: #149616)

lp:ubuntu/feisty-updates/ruby1.8 1 Development 2009-06-27 18:32:06 UTC
14. * SECURITY UPDATE: denial of service ...

Author: Jamie Strandboge
Revision Date: 2008-10-09 09:28:03 UTC

* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
  module (LP: #261459)
  - debian/patches/953_CVE-2008-3790.patch: adjust rexml/document.rb and
    rexml/entity.rb to use expansion limits
  - CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
  service (LP: #246818)
  - debian/patches/954_CVE-2008-2376.patch: adjust array.c to properly
    check argument length
  - CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
  socket
  - debian/patches/955_CVE-2008-3443.patch: adjust regex.c to not use ruby
    managed memory and check for allocation failures
  - CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
  - debian/patches/956_CVE-2008-3656.patch: update webrick/httputils.rb to
    properly check paths ending with '.'
  - CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
  requests (separate vulnerability from CVE-2008-1447)
  - debian/patches/957_CVE-2008-3905.patch: adjust resolv.rb to use
    SecureRandom for transaction id and source port
  - CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
  - debian/patches/958_CVE-2008-3657.patch: adjust rb_str_to_ptr and
    rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
    propagate taint and check taintness of DLPtrData
  - CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
  - debian/patches/959_CVE-2008-3655.patch: use rb_secure(4) in variable.c
    and syslog.c, check for secure level 3 or higher in eval.c and make
    sure PROGRAM_NAME can't be modified
  - CVE-2008-3655

lp:ubuntu/edgy-updates/ruby1.8 1 Development 2009-06-27 18:31:47 UTC
10. * SECURITY UPDATE: SSL connections di...

Author: Stephan Rügamer
Revision Date: 2007-11-13 19:42:37 UTC

* SECURITY UPDATE: SSL connections did not check commonName early
  enough, possibly allowing sensitive information to be exposed.
* debian/patches/915_CVE-2007-5162.patch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
* debian/patches/915_CVE-2007-5770.patch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
* References:
  CVE-2007-5162 CVE-2007-5770 (LP: #149616)

lp:ubuntu/breezy-security/ruby1.8 1 Development 2009-06-27 18:31:17 UTC
8. * SECURITY UPDATE: remote denial of s...

Author: Kees Cook
Revision Date: 2006-12-07 14:41:37 UTC

* SECURITY UPDATE: remote denial of service in CGI module.
* Add 'debian/patches/914_CVE-2006-6303' patch from upstream.
* References
  http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
  CVE-2006-6303

lp:ubuntu/hoary-backports/ruby1.8 1 Development 2009-06-27 18:31:04 UTC
4. Automated backport upload; no source ...

Author: Ubuntu Archive Auto-Sync
Revision Date: 2005-08-22 17:41:09 UTC

Automated backport upload; no source changes.

lp:ubuntu/hoary-security/ruby1.8 1 Development 2009-06-27 18:31:00 UTC
7. * SECURITY UPDATE: remote denial of s...

Author: Kees Cook
Revision Date: 2006-10-27 16:09:26 UTC

* SECURITY UPDATE: remote denial of service in CGI module.
* Add 'debian/patches/913_CVE-2006-5467' patch from upstream.
* References
  http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
  CVE-2006-5467

lp:ubuntu/warty-security/ruby1.8 1 Development 2009-06-27 18:30:50 UTC
4. * SECURITY UPDATE: Remote DoS in appl...

Author: Martin Pitt
Revision Date: 2006-04-24 11:12:53 UTC

* SECURITY UPDATE: Remote DoS in applications that use the HTTP module.
* Add debian/patches/911_webrick_dos.patch:
  - Use nonblocking sockets for HTTP servers.
  - Patch backported from 1.8.4.
* CVE-2006-1931

lp:ubuntu/karmic/ruby1.8 1 Development 2009-06-27 18:25:33 UTC
31. New upstream release.

Author: daigo
Revision Date: 2009-06-16 23:16:51 UTC

New upstream release.
