lp:ubuntu/gutsy-security/ruby1.8

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/gutsy-security/ruby1.8

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

23. By Jamie Strandboge

* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
  module (LP: #261459)
  - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
    rexml/entity.rb to use expansion limits
  - CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
  service (LP: #246818)
  - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
    check argument length
  - CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
  socket
  - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
    managed memory and check for allocation failures
  - CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
  - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
    properly check paths ending with '.'
  - CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
  requests (separate vulnerability from CVE-2008-1447)
  - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
    SecureRandom for transaction id and source port
  - CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
  - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
    rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
    propagate taint and check taintness of DLPtrData
  - CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
  - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
    and syslog.c, check for secure level 3 or higher in eval.c and make
    sure PROGRAM_NAME can't be modified
  - CVE-2008-3655

22. By Jamie Strandboge

* SECURITY UPDATE: denial of service or arbitrary code execution via
  integer overflows and memory corruption
* debian/patches/102_CVE-2008-2662+2663+2664+2725+2726.dpatch: update
  array.c to properly validate the size of an array. Update string.c and
  sprintf.c for proper bounds checking
* References:
  CVE-2008-2662
  CVE-2008-2663
  CVE-2008-2664
  CVE-2008-2725
  CVE-2008-2726
  LP: #241657

21. By Stephan Rügamer

* SECURITY UPDATE: SSL connections did not check commonName early
  enough, possibly allowing sensitive information to be exposed.
* debian/patches/100_CVE-2007-5162.dpatch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
* debian/patches/101_CVE-2007-5770.dpatch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
* References:
  CVE-2007-5162 CVE-2007-5770 (LP: #149616)

20. By Jamie Strandboge

* SECURITY UPDATE: denial of service via resource exhaustion in the REXML
  module (LP: #261459)
  - debian/patches/103_CVE-2008-3790.dpatch: adjust rexml/document.rb and
    rexml/entity.rb to use expansion limits
  - CVE-2008-3790
* SECURITY UPDATE: integer overflow in rb_ary_fill may cause denial of
  service (LP: #246818)
  - debian/patches/104_CVE-2008-2376.dpatch: adjust array.c to properly
    check argument length
  - CVE-2008-2376
* SECURITY UPDATE: denial of service via multiple long requests to a Ruby
  socket
  - debian/patches/105_CVE-2008-3443.dpatch: adjust regex.c to not use ruby
    managed memory and check for allocation failures
  - CVE-2008-3443
* SECURITY UPDATE: denial of service via crafted HTTP request (LP: #257122)
  - debian/patches/106_CVE-2008-3656.dpatch: update webrick/httputils.rb to
    properly check paths ending with '.'
  - CVE-2008-3656
* SECURITY UPDATE: predictable transaction id and source port for DNS
  requests (separate vulnerability from CVE-2008-1447)
  - debian/patches/107_CVE-2008-3905.dpatch: adjust resolv.rb to use
    SecureRandom for transaction id and source port
  - CVE-2008-3905
* SECURITY UPDATE: safe level bypass via DL.dlopen
  - debian/patches/108_CVE-2008-3657.dpatch: adjust rb_str_to_ptr and
    rb_ary_to_ptr in ext/dl/dl.c and rb_dlsym_call in ext/dl/sym.c to
    propagate taint and check taintness of DLPtrData
  - CVE-2008-3657
* SECURITY UPDATE: safe level bypass via multiple vectors
  - debian/patches/109_CVE-2008-3655.dpatch: use rb_secure(4) in variable.c
    and syslog.c, check for secure level 3 or higher in eval.c and make
    sure PROGRAM_NAME can't be modified
  - CVE-2008-3655

19. By Jamie Strandboge

* SECURITY UPDATE: denial of service or arbitrary code execution via
  integer overflows and memory corruption
* debian/patches/102_CVE-2008-2662+2663+2664+2725+2726.dpatch: update
  array.c to properly validate the size of an array. Update string.c and
  sprintf.c for proper bounds checking
* References:
  CVE-2008-2662
  CVE-2008-2663
  CVE-2008-2664
  CVE-2008-2725
  CVE-2008-2726
  LP: #241657

18. By Stephan Rügamer

* SECURITY UPDATE: SSL connections did not check commonName early
  enough, possibly allowing sensitive information to be exposed.
* debian/patches/100_CVE-2007-5162.dpatch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
* debian/patches/101_CVE-2007-5770.dpatch: upstream fixes, from
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
* References:
  CVE-2007-5162 CVE-2007-5770 (LP: #149616)

17. By LaMont Jones

Trigger rebuild for hppa

16. By Matthias Klose

* Fix build failure on sparc N1 (Debian #393817).
* Add -g to CFLAGS.

15. By Matthias Klose

* Merge with Debian; remaining changes:
  - Adjust configure options for lpia.

14. By Matthias Klose

* Adjust configure options for lpia.
* Set Ubuntu maintainer address.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/ruby1.8
This branch contains Public information. Everyone can see this information.