lp:ubuntu/precise-updates/ruby1.9.1

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/precise-updates/ruby1.9.1

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

31. By Marc Deslauriers

* SECURITY UPDATE: denial of service via XML expansion
  - debian/patches/CVE-2014-8090.patch: add REXML::Document#document
    to lib/rexml/document.rb, add warning to lib/rexml/entity.rb, added
    tests to test/rexml/test_document.rb.
  - CVE-2014-8090

30. By Marc Deslauriers

* SECURITY UPDATE: denial of service via buffer overrun in encodes
  function
  - debian/patches/CVE-2014x-4975.patch: properly calculate buffer size
    in pack.c.
  - CVE-2014-4975
* SECURITY UPDATE: denial of service via XML expansion
  - debian/patches/CVE-2014-8080.patch: limit expansions in
    lib/rexml/entity.rb, added tests to test/rexml/test_document.rb,
    test/rexml/test_entity.rb.
  - CVE-2014-8080

29. By Marc Deslauriers

* SECURITY UPDATE: safe level restriction bypass via DL and Fiddle
  - debian/patches/CVE-2013-2065.patch: perform taint checking in
    ext/dl/lib/dl/func.rb, ext/fiddle/function.c.
  - CVE-2013-2065
* SECURITY UPDATE: denial of service and possible code execution via
  heap overflow in floating point parsing.
  - debian/patches/CVE-2013-4164.patch: check lengths in util.c, added
    test to test/ruby/test_float.rb.
  - CVE-2013-4164

28. By Marc Deslauriers

* SECURITY UPDATE: incorrect ssl hostname verification
  - debian/patches/CVE-2013-4073.patch: fix hostname check and regression
    in ext/openssl/lib/openssl/ssl-internal.rb, added test to
    test/openssl/test_ssl.rb.
  - CVE-2013-4073

27. By Marc Deslauriers

* SECURITY UPDATE: REXML entity expansion DoS
  - debian/patches/CVE-2013-1821.patch: set an expansion limit in
    lib/rexml/document.rb, lib/rexml/text.rb, added test to
    test/rexml/test_entity.rb.
  - Patch taken from Debian's 1.9.3.194-8.1
  - CVE-2013-1821

26. By Marc Deslauriers

* SECURITY UPDATE: denial of service via hash collisions
  - debian/patches/20121120-cve-2012-5371.diff: replace hash
    implementation in common.mk, random.c, siphash.*, string.c.
  - CVE-2012-5371
* SECURITY UPDATE: xss in documents generated by rdoc
  - debian/patches/CVE-2013-0256.patch: fix xss in
    lib/rdoc/generator/template/darkfish/js/darkfish.js.
  - CVE-2013-0256
* SECURITY UPDATE: DoS and unsafe object creation via JSON
  - debian/patches/CVE-2013-0269.patch: fix JSON parsing in
    ext/json/lib/json/add/core.rb, ext/json/lib/json/common.rb,
    ext/json/parser/parser.c, ext/json/parser/parser.rl,
    test/json/test_json.rb, test/json/test_json_addition.rb,
    test/json/test_json_string_matching.rb.
  - CVE-2013-0269
* Patches taken from Debian 1.9.3.194-7 package.

25. By Tyler Hicks

* SECURITY UPDATE: Missing input sanitization of file paths
  - debian/patches/CVE-2012-4522.patch: NUL characters are not
    valid filename characters, so ensure that Ruby strings used for file
    paths do not contain NUL characters. Based on upstream patch.

24. By Tyler Hicks

* SECURITY UPDATE: Safe level bypass
  - debian/patches/CVE-2012-4464_CVE-2012-4466.patch: Remove incorrect
    string taint in exception handling methods. Based on upstream patch.
  - CVE-2012-4464
  - CVE-2012-4466
* debian/patches/CVE-2011-1005.patch: Drop since ruby1.9.x is technically
  not affected by CVE-2011-1005. CVE-2012-4464 is the id assigned to the
  vulnerability in the ruby1.9.x branch.

23. By Tyler Hicks

* SECURITY UPDATE: Safe level bypass
  - debian/patches/CVE-2011-1005.patch: Remove incorrect string taint
    in exception handling methods. Based on upstream patch.
  - CVE-2011-1005
* SECURITY UPDATE: Add proper handling of rubygems SSL connections
  - debian/patches/CVE-2012-2125-2126.patch: Perform certificate
    verification and disallow HTTP->HTTPS redirection. Based on upstream
    patch.
  - CVE-2012-2125
  - CVE-2012-2126
* debian/control: Add ca-certificates to libruby1.9.1 depends so that
  rubygems can perform certificate verification

22. By Matthias Klose

Don't run the tests on armhf for a first build.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/quantal/ruby1.9.1