lp:ubuntu/feisty-security/ruby1.8
- Get this branch:
- bzr branch lp:ubuntu/feisty-security/ruby1.8
Branch merges
Branch information
Recent revisions
- 14. By Jamie Strandboge
-
* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
module (LP: #261459)
- debian/patches/ 953_CVE- 2008-3790. patch: adjust rexml/document.rb and
rexml/entity.rb to use expansion limits
- CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
service (LP: #246818)
- debian/patches/ 954_CVE- 2008-2376. patch: adjust array.c to properly
check argument length
- CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
socket
- debian/patches/ 955_CVE- 2008-3443. patch: adjust regex.c to not use ruby
managed memory and check for allocation failures
- CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
- debian/patches/ 956_CVE- 2008-3656. patch: update webrick/ httputils. rb to
properly check paths ending with '.'
- CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
requests (separate vulnerability from CVE-2008-1447)
- debian/patches/ 957_CVE- 2008-3905. patch: adjust resolv.rb to use
SecureRandom for transaction id and source port
- CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
- debian/patches/ 958_CVE- 2008-3657. patch: adjust rb_str_to_ptr and
rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
propogate taint and check taintness of DLPtrData
- CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
- debian/patches/ 959_CVE- 2008-3655. patch: use rb_secure(4) in variable.c
and syslog.c, check for secure level 3 or higher in eval.c and make
sure PROGRAM_NAME can't be modified
- CVE-2008-3655 - 13. By Jamie Strandboge
-
* SECURITY UPDATE: denial of service or arbitrary code execution via
integer overflows and memory corruption
* debian/patches/ 952_CVE- 2008-2662+ 2663+2664+ 2725+2726. patch: update array.c
to properly validate the size of an array. Update string.c and sprintf.c
for proper bounds checking
* References:
CVE-2008-2662
CVE-2008-2663
CVE-2008-2664
CVE-2008-2725
CVE-2008-2726
LP: #241657 - 12. By Stephan RĂ¼gamer
-
* SECURITY UPDATE: SSL connections did not check commonName early
enough, possibly allowing sensitive information to be exposed.
* debian/patches/ 950_CVE- 2007-5162. patch: upstream fixes, from
http://svn.ruby- lang.org/ cgi-bin/ viewvc. cgi?view= rev&revision= 13499
* debian/patches/ 951_CVE- 2007-5770. patch: upstream fixes, from
http://svn.ruby- lang.org/ cgi-bin/ viewvc. cgi?view= rev&revision= 13656
* References:
CVE-2007-5162 CVE-2007-5770 (LP: #149616) - 11. By Matthias Klose
-
* Rebuild for changes in the amd64 toolchain.
* Set Ubuntu maintainer address. - 10. By Fabio Massimo Di Nitto
-
* Merge from debian unstable, remaining changes:
- debian/patches/ 903_sparc_ fix_define. patch to fix runtime error on sparc. - 9. By Kees Cook
-
* SECURITY UPDATE: remote denial of service in CGI module.
* Add 'debian/patches/ 904_fix_ cgi_DoS. patch' patch from upstream.
* References
http://www.ruby- lang.org/ en/news/ 2006/12/ 04/another- dos-vulnerabili ty-in-cgi- library/
CVE-2006-6303 - 6. By Fabio Massimo Di Nitto
-
* Fix libruby sparc runtime illegal instructions:
- add patch debian/patches/ 903_sparc_ fix_define. patch
(Fix by David S. Miller) - 5. By akira yamada <email address hidden>
-
* akira yamada <email address hidden>
- new upstream version.
- removed debian/patches/ 100_1.8. 4-preview2+ .patch:
- included in upstream.
- added debian/patches/ 802_yaml_ symbol. patch:
- YAML loading of quoted symbols is broken (Closes: #344042)
- README.Debian improvement suggestion (Closes: #344293)
- debian/compat: compat level 4.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/karmic/ruby1.8