lp:ubuntu/raring-security/ruby1.9.1

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/raring-security/ruby1.9.1

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

29. By Marc Deslauriers

* SECURITY UPDATE: safe level restriction bypass via DL and Fiddle
  - debian/patches/CVE-2013-2065.patch: perform taint checking in
    ext/dl/lib/dl/func.rb, ext/fiddle/function.c.
  - CVE-2013-2065
* SECURITY UPDATE: denial of service and possible code execution via
  heap overflow in floating point parsing.
  - debian/patches/CVE-2013-4164.patch: check lengths in util.c, added
    test to test/ruby/test_float.rb.
  - CVE-2013-4164

28. By Marc Deslauriers

* SECURITY UPDATE: incorrect ssl hostname verification
  - debian/patches/CVE-2013-4073.patch: fix hostname check and regression
    in ext/openssl/lib/openssl/ssl-internal.rb, added test to
    test/openssl/test_ssl.rb.
  - CVE-2013-4073
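
The file the patch above touches, ext/openssl/lib/openssl/ssl-internal.rb, is where Ruby's openssl extension implements the post-handshake identity check, exposed as OpenSSL::SSL.verify_certificate_identity(cert, hostname). The following is an added example, not code from the patch or from the ruby1.9.1 package: it builds throwaway self-signed certificates in-process (constructed test data, nothing is fetched) and exercises that check so the matching rules can be seen directly. The helper names make_cert, identity_ok?, cn_only_results and san_results are this example's own.

```ruby
require "openssl"

# Build a throwaway self-signed certificate with the given CN and a list of
# DNS subjectAltNames. An empty list means no SAN extension at all, which is
# the only case in which the CN is consulted for hostname matching.
def make_cert(cn, sans)
  key  = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san = sans.map { |h| "DNS:#{h}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san, false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The same check a client runs on the peer certificate after the handshake
# (SSLSocket#post_connection_check calls it for you).
def identity_ok?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Certificate without a SAN extension: the CN is the only identity.
def cn_only_results
  cert = make_cert("example.test", [])
  {
    exact: identity_ok?(cert, "example.test"),  # true
    other: identity_ok?(cert, "evil.test"),     # false
  }
end

# Certificate with dNSName SANs: the CN is ignored, the wildcard matches
# exactly one label, and anything else is rejected.
def san_results
  cert = make_cert("ignored-cn.test", ["example.test", "*.example.test"])
  {
    exact:     identity_ok?(cert, "example.test"),      # true
    wildcard:  identity_ok?(cert, "www.example.test"),  # true
    two_level: identity_ok?(cert, "a.b.example.test"),  # false: one label only
    bare_cn:   identity_ok?(cert, "ignored-cn.test"),   # false: SAN present, CN skipped
    other:     identity_ok?(cert, "evil.test"),         # false
  }
end

if __FILE__ == $0
  p cn_only_results
  p san_results
end
```

The identity check only means something once the chain itself has been verified: set verify_mode to OpenSSL::SSL::VERIFY_PEER and point ca_file at the distro bundle that revision 24 of this branch wires in (/etc/ssl/certs/ca-certificates.crt), otherwise a name match against an untrusted certificate proves nothing.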

27. By Marc Deslauriers

* Merge from Debian testing. Remaining changes:
  - debian/control: Add ca-certificates to libruby1.9.1 depends so that
    rubygems can perform certificate verification
  - debian/rules: Don't install SSL certificates from upstream sources
  - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
    /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
  - debian/patches/CVE-2012-4522.patch: Adjust patch to fix build test
    error. Use the version of the fix from upstream's 1.9.3 tree to fix
    the NoMethodError for assert_file_not, which doesn't exist in 1.9.3.
    Adjust the Origin patch tag accordingly.

26. By Tyler Hicks

* Merge from Debian testing (LP: #1131493). Remaining changes:
  - debian/control: Add ca-certificates to libruby1.9.1 depends so that
    rubygems can perform certificate verification
  - debian/rules: Don't install SSL certificates from upstream sources
  - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
    /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
* Changes dropped:
  - debian/patches/20121016-cve_2012_4522.patch: Debian is carrying a patch
    for this issue.
  - debian/patches/20121011-cve_2012_4464-cve_2012_4466.patch: Debian is
    carrying a patch for this issue, but the patch is incorrectly named
    20120927-cve_2011_1005.patch. I'll work with Debian to change the patch
    name, but there's no need in carrying a delta because of this. To be
    clear, the Ubuntu ruby1.9.1 package is patched for CVE-2012-4464 and
    CVE-2012-4466, despite the incorrect patch name.
* debian/patches/CVE-2012-4522.patch: Adjust patch to fix build test error.
  Use the version of the fix from upstream's 1.9.3 tree to fix the
  NoMethodError for assert_file_not, which doesn't exist in 1.9.3. Adjust
  the Origin patch tag accordingly.

25. By Tyler Hicks

* SECURITY UPDATE: Safe level bypass
  - debian/patches/20121011-cve_2012_4464-cve_2012_4466.patch: Remove
    incorrect string taint in exception handling methods. Based on upstream
    patch.
  - CVE-2012-4464
  - CVE-2012-4466
* SECURITY UPDATE: Missing input sanitization of file paths
  - debian/patches/20121016-cve_2012_4522.patch: NUL characters are not
    valid filename characters, so ensure that Ruby strings used for file
    paths do not contain NUL characters. Based on upstream patch.
  - CVE-2012-4522
* debian/patches/20120927-cve_2011_1005.patch: Drop since ruby1.9.x is
  technically not affected by CVE-2011-1005. CVE-2012-4464 is the id
  assigned to the vulnerability in the ruby1.9.x branch.
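
The CVE-2012-4522 entry above describes the fix in one line: a Ruby String may contain NUL bytes but a C path cannot, so a name that passes a check in Ruby can name a different file once it reaches the syscall. The following is an added example, not the patch's code or anything from the package: it shows the truncation a C consumer sees, an explicit application-level NUL check to run before any user-controlled name reaches File.open, and the ArgumentError a fixed interpreter raises on its own. All file contents and names are constructed here for the demonstration; nul_free_path?, c_string_view, open_checked and demo are this example's own helpers.

```ruby
require "tmpdir"

# Mimic what a C-level path consumer sees: the bytes up to the first NUL.
# "Z*" unpacks a NUL-terminated string, which is exactly the truncation that
# let "secret.txt\0.jpg" open secret.txt on an interpreter without the fix.
def c_string_view(path)
  path.unpack("Z*").first
end

# Application-level check: a path is only usable if it is a String with no
# embedded NUL. Run it before a name reaches File.open, File.exist?, Dir.glob
# or any other call that ends in a C string.
def nul_free_path?(path)
  path.is_a?(String) && !path.include?("\0")
end

# Open a file only after validation, and report what happened as a symbol so
# the behaviour can be asserted on rather than printed.
def open_checked(path)
  return :rejected unless nul_free_path?(path)
  File.open(path, "r") { |f| f.read }
  :opened
rescue ArgumentError
  # A fixed interpreter refuses the NUL itself ("path name contains null byte").
  :runtime_rejected
rescue Errno::ENOENT
  :missing
end

# Does the interpreter's own check fire when the application-level check is
# bypassed on purpose? True on any Ruby carrying the fix.
def interpreter_rejects_nul?
  File.open("x\0y", "r") { |f| f.read }
  false
rescue ArgumentError
  true
rescue Errno::ENOENT
  false
end

# Constructed demonstration input: a file name that satisfies a naive
# extension allow-list (".jpg") but names a different file at the C layer.
def demo
  Dir.mktmpdir do |dir|
    secret = File.join(dir, "secret.txt")
    File.write(secret, "top secret")
    hostile = secret + "\0.jpg"
    {
      c_view: c_string_view(hostile),       # ".../secret.txt": what open(2) would get
      ext_ok: hostile.end_with?(".jpg"),    # true: the naive check is fooled
      result: open_checked(hostile),        # :rejected by nul_free_path?
      honest: open_checked(secret),         # :opened
    }
  end
end

if __FILE__ == $0
  p demo
  p interpreter_rejects_nul?
end
```

Keep the explicit check even on a fixed interpreter: the runtime error is a backstop, and the check lets the application reject the name with its own error handling instead of surfacing an ArgumentError from deep inside file handling.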

24. By Tyler Hicks

* SECURITY UPDATE: Safe level bypass
  - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
    taint in exception handling methods. Based on upstream patch.
  - CVE-2011-1005
* Make the RubyGems fetcher use distro-provided ca-certificates
  (LP: #1057926)
  - debian/control: Add ca-certificates to libruby1.9.1 depends so that
    rubygems can perform certificate verification
  - debian/rules: Don't install SSL certificates from upstream sources
  - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
    /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.

23. By Antonio Terceiro

[ Lucas Nussbaum ]
* Add hurd-path-max.diff. Fixes FTBFS on Hurd. (Closes: #648055)

[ Daigo Moriwaki ]
* Removed debian/patches/sparc-continuations.diff, which the upstream
  has applied.
* debian/rules:
  - Bumped up tcltk_ver to 8.5.
  - Used chrpath for tcltklib.so to fix a lintian error,
    binary-or-shlib-defines-rpath.
* debian/control:
  - Suggests ruby-switch. (Closes: #654312)
  - Build-Depends: chrpath.
* debian/libruby1.9.1.symbols: Added a new symbol for
  rb_str_modify_expand@Base.
* debian/run-test-suites.bash:
  - Corrected options for test-all.
  - Enabled timeout to allow hang tests to be aborted.

[ James Healy ]
* New upstream release: 1.9.3p194 (Closes: #669582)
  + This release includes a fix for CVE-2011-0188 (Closes: #628451)
  + This release also does not segfault when running the test suite under
    amd64 (Closes: #674347)
* Enable hardened build flags (Closes: #667964)
* debian/control:
  - depend on specific version on coreutils
  - update policy version (no changes)

[ Antonio Terceiro ]
* debian/ruby1.9.1.postinst:
  + bump alternatives priority for `ruby` to 51 so that Ruby 1.9 has a
    higher priority than Ruby 1.8 (50).
  + bump alternatives priority for `gem` to 181 so that the Rubygems
    provided by Ruby 1.9 has priority over the one provided by the rubygems
    package.
* debian/control: added myself to Uploaders:
* debian/libruby1.9.1.symbols: update with new symbols added in 1.9.3p194
  upstream release.
* debian/manpages/*: fix references to command names with s/1.9/1.9.1/
* debian/rules: skip running DRB tests, since they seem to make the build
  hang. This should close #647296, but let's wait and see. Also, with this we
  do not need to timeout the test suite anymore.

22. By Matthias Klose

Don't run the tests on armhf for a first build.

21. By Lucas Nussbaum <email address hidden>

* New upstream release: 1.9.3p0.
* Disable test suites on ia64 sparc kfreebsd-i386 kfreebsd-amd64.
  Those architectures are known to be broken at the moment.
  Details: http://lists.debian.org/debian-release/2011/10/msg00279.html

20. By Lucas Nussbaum <email address hidden>

* New upstream release: 1.9.3 RC1.
  + Includes load.c fixes. Closes: #639959.
* Upload to unstable.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/saucy/ruby1.9.1