lp:ubuntu/precise-security/ruby1.9.1
- Get this branch:
- bzr branch lp:ubuntu/precise-security/ruby1.9.1
Recent revisions
- 31. By Marc Deslauriers

  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8090.patch: add REXML::Document#document
      to lib/rexml/document.rb, add warning to lib/rexml/entity.rb, added
      tests to test/rexml/test_document.rb.
    - CVE-2014-8090

- 30. By Marc Deslauriers

  * SECURITY UPDATE: denial of service via buffer overrun in encodes
    function
    - debian/patches/CVE-2014-4975.patch: properly calculate buffer size
      in pack.c.
    - CVE-2014-4975
  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8080.patch: limit expansions in
      lib/rexml/entity.rb, added tests to test/rexml/test_document.rb,
      test/rexml/test_entity.rb.
    - CVE-2014-8080

- 29. By Marc Deslauriers

  * SECURITY UPDATE: safe level restriction bypass via DL and Fiddle
    - debian/patches/CVE-2013-2065.patch: perform taint checking in
      ext/dl/lib/dl/func.rb, ext/fiddle/function.c.
    - CVE-2013-2065
  * SECURITY UPDATE: denial of service and possible code execution via
    heap overflow in floating point parsing.
    - debian/patches/CVE-2013-4164.patch: check lengths in util.c, added
      test to test/ruby/test_float.rb.
    - CVE-2013-4164

- 28. By Marc Deslauriers

  * SECURITY UPDATE: incorrect ssl hostname verification
    - debian/patches/CVE-2013-4073.patch: fix hostname check and regression
      in ext/openssl/lib/openssl/ssl-internal.rb, added test to
      test/openssl/test_ssl.rb.
    - CVE-2013-4073

- 27. By Marc Deslauriers

  * SECURITY UPDATE: REXML entity expansion DoS
    - debian/patches/CVE-2013-1821.patch: set an expansion limit in
      lib/rexml/document.rb, lib/rexml/text.rb, added test to
      test/rexml/test_entity.rb.
    - Patch taken from Debian's 1.9.3.194-8.1
    - CVE-2013-1821

- 26. By Marc Deslauriers

  * SECURITY UPDATE: denial of service via hash collisions
    - debian/patches/20121120-cve-2012-5371.diff: replace hash
      implementation in common.mk, random.c, siphash.*, string.c.
    - CVE-2012-5371
  * SECURITY UPDATE: xss in documents generated by rdoc
    - debian/patches/CVE-2013-0256.patch: fix xss in
      lib/rdoc/generator/template/darkfish/js/darkfish.js.
    - CVE-2013-0256
  * SECURITY UPDATE: DoS and unsafe object creation via JSON
    - debian/patches/CVE-2013-0269.patch: fix JSON parsing in
      ext/json/lib/json/add/core.rb, ext/json/lib/json/common.rb,
      ext/json/parser/parser.c, ext/json/parser/parser.rl,
      test/json/test_json.rb, test/json/test_json_addition.rb,
      test/json/test_json_string_matching.rb.
    - CVE-2013-0269
  * Patches taken from Debian 1.9.3.194-7 package.

- 25. By Tyler Hicks

  * SECURITY UPDATE: Missing input sanitization of file paths
    - debian/patches/CVE-2012-4522.patch: NUL characters are not
      valid filename characters, so ensure that Ruby strings used for file
      paths do not contain NUL characters. Based on upstream patch.

- 24. By Tyler Hicks

  * SECURITY UPDATE: Safe level bypass
    - debian/patches/CVE-2012-4464_CVE-2012-4466.patch: Remove incorrect
      string taint in exception handling methods. Based on upstream patch.
    - CVE-2012-4464
    - CVE-2012-4466
  * debian/patches/CVE-2011-1005.patch: Drop since ruby1.9.x is technically
    not affected by CVE-2011-1005. CVE-2012-4464 is the id assigned to the
    vulnerability in the ruby1.9.x branch.

- 23. By Tyler Hicks

  * SECURITY UPDATE: Safe level bypass
    - debian/patches/CVE-2011-1005.patch: Remove incorrect string taint
      in exception handling methods. Based on upstream patch.
    - CVE-2011-1005
  * SECURITY UPDATE: Add proper handling of rubygems SSL connections
    - debian/patches/CVE-2012-2125-2126.patch: Perform certificate
      verification and disallow HTTP->HTTPS redirection. Based on upstream
      patch.
    - CVE-2012-2125
    - CVE-2012-2126
  * debian/control: Add ca-certificates to libruby1.9.1 depends so that
    rubygems can perform certificate verification
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/quantal/ruby1.9.1