ruby2.1 (2.1.5-2+deb8u13) jessie-security; urgency=high

  * Add length limit option for methods that parse date strings.
    (Fixes: CVE-2021-41817)
  * When parsing cookies, only decode the values.
    (Fixes: CVE-2021-41819)

 -- Utkarsh Gupta  Mon, 06 Dec 2021 06:01:41 +0530

ruby2.1 (2.1.5-2+deb8u12) jessie-security; urgency=high

  * Add patch to use File.open to fix the OS Command Injection
    vulnerability. (Fixes: CVE-2021-31799)
  * Add patch to fix StartTLS stripping vulnerability.
    (Fixes: CVE-2021-32066)
  * Add patch to ignore IP addresses in PASV responses by default.
    (Fixes: CVE-2021-31810)

 -- Utkarsh Gupta  Sun, 10 Oct 2021 18:13:06 +0530

ruby2.1 (2.1.5-2+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Add patch to fix a potential HTTP request smuggling vulnerability
    in WEBrick. (Fixes: CVE-2020-25613)

 -- Utkarsh Gupta  Thu, 01 Oct 2020 18:13:06 +0530

ruby2.1 (2.1.5-2+deb8u10) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix unsafe object creation vulnerability in JSON.
    (Fixes: CVE-2020-10663)

 -- Utkarsh Gupta  Wed, 29 Apr 2020 02:13:45 +0530

ruby2.1 (2.1.5-2+deb8u9) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Fix CVE-2016-2338: heap overflow vulnerability

 -- Abhijith PA  Tue, 24 Mar 2020 17:09:41 +0100

ruby2.1 (2.1.5-2+deb8u8) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2019-15845
    path matching might pass in File.fnmatch and File.fnmatch? due to
    a NUL character injection
  * CVE-2019-16201
    A loop caused by a wrong regular expression could lead to a denial
    of service of a WEBrick service.
  * CVE-2019-16254
    This is the same issue as CVE-2017-17742, whose fix was not complete.
  * CVE-2019-16255
    Giving untrusted data to the first argument of Shell#[] and
    Shell#test might lead to a code injection vulnerability.

 -- Thorsten Alteholz  Mon, 25 Nov 2019 19:03:02 +0100

ruby2.1 (2.1.5-2+deb8u7) jessie-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * Fix CVE-2019-8320, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324,
    CVE-2019-8325

 -- Abhijith PA  Fri, 29 Mar 2019 11:56:38 +0530

ruby2.1 (2.1.5-2+deb8u6) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2018-16395
    Fix for OpenSSL::X509::Name equality check.
  * CVE-2018-16396
    Tainted flags are not propagated in Array#pack and String#unpack
    with some directives.

 -- Thorsten Alteholz  Fri, 26 Oct 2018 19:03:02 +0200

ruby2.1 (2.1.5-2+deb8u5) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2018-1000074.patch: fix Deserialization of Untrusted Data
    vulnerability in owner command that can result in code execution
    through specially crafted YAML files. (Closes: #895778)
  * CVE-2018-1000073.patch: fix directory traversal vulnerability
  * CVE-2016-2337.patch: fix arbitrary code execution in Tcl/Tk API

 -- Antoine Beaupré  Mon, 27 Aug 2018 15:08:54 -0400

ruby2.1 (2.1.5-2+deb8u4) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * Fix multiple security issues:
    * CVE-2015-9096: SMTP command injection via CRLF sequences
    * CVE-2016-2339: Exploitable heap overflow in Fiddle::Function.new
      (Closes: #851161)
    * CVE-2016-7798: Fix IV Reuse in GCM Mode. Patch by Kazuki Yamaguchi
    * CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
    * CVE-2017-10784: lib/webrick/log.rb: sanitize any type of logs
    * CVE-2017-14033: asn1: fix out-of-bounds read in decoding
      constructed objects
    * CVE-2017-14064: Heap exposure vulnerability in generating JSON
    * CVE-2017-0903: Whitelist classes and symbols that are in Gem spec
      YAML
    * Fix multiple vulnerabilities in rubygems:
      - a DNS request hijacking vulnerability. (CVE-2017-0902)
      - an ANSI escape sequence vulnerability. (CVE-2017-0899)
      - a DoS vulnerability in the query command. (CVE-2017-0900)
      - a vulnerability in the gem installer that allowed a malicious
        gem to overwrite arbitrary files. (CVE-2017-0901)
    * CVE-2017-17405: Command injection in Net::FTP
    * CVE-2017-17790: Command injection in Hosts:new() by use of
      Kernel#open
    * CVE-2018-1000075: Strictly interpret octal fields in tar headers
      to avoid infinite loop
    * CVE-2018-1000076: Raise a security error when there are duplicate
      files in a package
    * CVE-2018-1000077: Enforce URL validation on spec homepage
      attribute.
    * CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute
      when displayed via gem server.
    * CVE-2018-1000079: Directory Traversal vulnerability in gem
      installation that can result in the gem writing to arbitrary
      filesystem locations.
    * CVE-2018-8778: Buffer under-read in String#unpack
    * CVE-2018-8780: Unintentional directory traversal by poisoned NUL
      byte in Dir
    * CVE-2018-6914: Unintentional file and directory creation with
      directory traversal in tempfile and tmpdir
    * CVE-2018-8779: Unintentional socket creation by poisoned NUL byte
      in UNIXServer and UNIXSocket
    * CVE-2018-8777: DoS by large request in WEBrick
    * CVE-2017-17742: HTTP response splitting in WEBrick

 -- Santiago Ruano Rincón  Fri, 13 Jul 2018 15:55:10 +0200

ruby2.1 (2.1.5-2+deb8u3) jessie; urgency=low

  * Non-maintainer upload to fix security problem.
  * Fix CVE-2009-5147: DL::dlopen should not open a library with tainted
    library name in safe mode (Closes: #796344). Based on patch used in
    DLA-299-1, which was pulled from upstream.
  * Fix CVE-2015-7551: Fiddle handles should not call functions with
    tainted function names (Closes: #796344). Patch pulled from upstream.

 -- Petter Reinholdtsen  Tue, 07 Jun 2016 11:00:04 +0200

ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high

  * Apply upstream patches to fix Request hijacking vulnerability in
    Rubygems [CVE-2015-3900] (Closes: #790119)

 -- Antonio Terceiro  Wed, 29 Jul 2015 09:27:24 -0300

ruby2.1 (2.1.5-2+deb8u1) jessie-security; urgency=high

  * Fix vulnerability with overly permissive matching of hostnames in
    OpenSSL extension [CVE-2015-1855]
    - applied revision 50296 of upstream svn repository.

 -- Antonio Terceiro  Fri, 17 Apr 2015 09:26:57 -0300

ruby2.1 (2.1.5-2) unstable; urgency=medium

  * Fix Segmentation fault after pack & ioctl & unpack (Closes: #781504)
    - apply r44804 from upstream svn
  * debian/upstream-changes: simpler and more accurate implementation

 -- Antonio Terceiro  Tue, 31 Mar 2015 21:50:39 -0300

ruby2.1 (2.1.5-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2014-8090 Another Denial of Service XML Expansion
      (Closes: #770932)
    - Fixes build on SPARC (Closes: #769731)

 -- Antonio Terceiro  Sat, 29 Nov 2014 12:30:39 -0200

ruby2.1 (2.1.4-1) unstable; urgency=high

  * New upstream version
    - CVE-2014-8080: Denial of Service in XML Expansion
    - Changes default settings in OpenSSL bindings to not use deprecated
      and insecure ciphers; avoids issues associated with CVE-2014-3566
      (i.e. the "POODLE" bug in OpenSSL)

 -- Antonio Terceiro  Wed, 29 Oct 2014 12:07:22 -0200

ruby2.1 (2.1.3-2) unstable; urgency=medium

  [ Sebastian Boehm ]
  * Install SystemTap tap file (Closes: #765862)

 -- Christian Hofstaedtler  Sun, 19 Oct 2014 20:07:50 +0200

ruby2.1 (2.1.3-1) unstable; urgency=medium

  * New upstream version

 -- Christian Hofstaedtler  Sat, 20 Sep 2014 16:55:47 +0200

ruby2.1 (2.1.2-4) unstable; urgency=medium

  [ Antonio Terceiro ]
  * Move libjs-jquery dependency from libruby2.1 to ruby2.1, and turn it
    into Recommends:. This way programs that link against libruby2.1
    won't pull in libjs-jquery; OTOH those using rdoc (and thus needing
    libjs-jquery) would be already using ruby2.1 anyway.

  [ Christian Hofstaedtler ]
  * Update Vcs-Git URL, as we've moved from master2.1 to master.
  * Prepare libruby21.symbols for x32 (Closes: #759615)
  * Remove embedded copies of SSL certificates. Rubygems is advised by
    rubygems-integration to use the ca-certificates provided
    certificates. (Closes: #689074)

 -- Christian Hofstaedtler  Fri, 05 Sep 2014 03:06:30 +0200

ruby2.1 (2.1.2-3) unstable; urgency=medium

  [ Antonio Terceiro ]
  * debian/rules: call debian/split-tk-out.rb with $(baseruby) instead
    of `ruby` to actually support bootstrapping with ruby1.8 (and no
    `ruby`)
  * Break dependency loop (Closes: #747858)
    - ruby2.1: drop dependency on ruby
    - libruby2.1: drop dependency on ruby2.1

  [ Christian Hofstaedtler ]
  * Add missing man pages for gem, rdoc, testrb (Closes: #756053,
    #756815)
  * Correct ruby2.1's Multi-Arch flag to 'allowed' (Closes: #745360)

 -- Antonio Terceiro  Thu, 14 Aug 2014 10:45:29 -0300

ruby2.1 (2.1.2-2) unstable; urgency=medium

  * Support bootstrapping with Ruby 1.8 (which builds with gcc only) if
    another Ruby is not available.

 -- Antonio Terceiro  Thu, 15 May 2014 23:20:49 -0300

ruby2.1 (2.1.2-1) unstable; urgency=medium

  [ Christian Hofstaedtler ]
  * New upstream version
  * Update watch file

  [ Sebastian Boehm ]
  * Build with basic systemtap support. (Closes: #747232)

  [ Antonio Terceiro ]
  * 2.1 is now the main development branch

 -- Christian Hofstaedtler  Sat, 10 May 2014 15:51:13 +0200

ruby2.1 (2.1.1-4) unstable; urgency=medium

  * Use Debian copy of config.{guess,sub} instead of downloading it from
    the Internet, which could be down or insecure. Thanks to Scott
    Kitterman for the report AND patch. (Closes: 745699)
  * Move jquery source file to d/missing-sources

 -- Christian Hofstaedtler  Fri, 25 Apr 2014 00:57:13 +0200

ruby2.1 (2.1.1-3) unstable; urgency=medium

  [ Antonio Terceiro ]
  * Disable rubygems-integration during the build. This fixes the
    install location of the gemspecs for the bundled libraries.
    (Closes: #745465)

 -- Christian Hofstaedtler  Tue, 22 Apr 2014 18:38:01 +0200

ruby2.1 (2.1.1-2) unstable; urgency=medium

  * Tie Tcl/Tk dependency to version 8.5, applying patch from Ubuntu.
    Thanks to Matthias Klose

 -- Christian Hofstaedtler  Mon, 10 Mar 2014 13:38:41 +0100

ruby2.1 (2.1.1-1) unstable; urgency=medium

  * Imported Upstream version 2.1.1
  * Update lintian overrides

 -- Christian Hofstaedtler  Wed, 05 Mar 2014 18:22:58 +0100

ruby2.1 (2.1.0-2) unstable; urgency=medium

  * ruby2.1-dev: Depend on libgmp-dev. Thanks to John Leach
  * Fix FTBFS with libreadline 6.x, by applying upstream r45225.

 -- Christian Hofstaedtler  Mon, 03 Mar 2014 21:10:32 +0100

ruby2.1 (2.1.0-1) unstable; urgency=medium

  * Upload to unstable.

 -- Christian Hofstaedtler  Sat, 22 Feb 2014 23:44:44 +0100

ruby2.1 (2.1.0-1~exp2) experimental; urgency=medium

  [ Antonio Terceiro ]
  * ruby2.1-dev: add missing dependency on libruby2.1

  [ Christian Hofstaedtler ]
  * Again depend on ruby without alternatives management
  * Tag 64bit-only symbols as such

 -- Christian Hofstaedtler  Thu, 13 Feb 2014 13:02:25 +0100

ruby2.1 (2.1.0-1~exp1) experimental; urgency=medium

  * New release train, branch off and rename everything to ruby2.1
    (Closes: #736664)
  * Build with GMP library for faster Bignum operations.
  * Target experimental as long as ruby 1:1.9.3.1 has not entered
    unstable, dropping the versioned dependency for now.

 -- Christian Hofstaedtler  Thu, 23 Jan 2014 19:25:19 +0100

ruby2.0 (2.0.0.484-1) UNRELEASED; urgency=medium

  [ Antonio Terceiro ]
  * New upstream snapshot.
  * Add patch by Yamashita Yuu to fix build against newer OpenSSL
    (Closes: #733372)

  [ Christian Hofstaedtler ]
  * Use any valid Ruby interpreter to bootstrap
  * Bump Standards-Version to 3.9.5 (no changes)
  * Add myself to Uploaders:
  * Add Dependencies to facilitate upgrades from 1.8
    - libruby2.0 now depends on ruby2.0
    - ruby2.0 now depends on ruby
  * Stop installing alternatives/symlinks for binaries:
    - /usr/bin/{ruby,erb,testrb,irb,rdoc,ri}

 -- Christian Hofstaedtler  Fri, 17 Jan 2014 16:35:57 +0100

ruby2.0 (2.0.0.353-1) unstable; urgency=low

  * New upstream release
    + Includes fix for Heap Overflow in Floating Point Parsing
      (CVE-2013-4164) Closes: #730190

 -- Antonio Terceiro  Mon, 25 Nov 2013 22:34:25 -0300

ruby2.0 (2.0.0.343-1) unstable; urgency=low

  * New upstream version (snapshot from 2.0 maintenance branch).
  * fix typo in ruby2.0-tcltk description
  * Backported upstream patches from Tanaka Akira to fix FTBFS on:
    - GNU/kFreeBSD (Closes: #726095)
    - x32 (Closes: #727010)
  * Make date for io-console gemspec predictable (Closes: #724974)
  * libruby2.0 now depends on libjs-jquery because of rdoc
    (Closes: #725056)
  * Backport upstream patch by Nobuyoshi Nakada to fix include directory
    in `pkg-config --cflags` (Closes: #725166)
  * Document missing licenses in debian/copyright (Closes: #723161)
  * debian/libruby2.0.symbols: add new symbol
    rb_exec_recursive_paired_outer (not in the public API though)

 -- Antonio Terceiro  Tue, 05 Nov 2013 20:33:23 -0300

ruby2.0 (2.0.0.299-2) unstable; urgency=low

  * Split Ruby/Tk out of libruby2.0 into its own package, ruby2.0-tcltk.
    This will reduce the footprint of a basic Ruby installation.

 -- Antonio Terceiro  Sun, 15 Sep 2013 22:09:57 -0300

ruby2.0 (2.0.0.299-1) unstable; urgency=low

  * New upstream release
    + Includes a fix for override of existing LDFLAGS when building
      compiled extensions that use pkg-config (Closes: #721799).
  * debian/rules: forward-port to tcl/tk packages with multi-arch
    support. Thanks to Tristan Hill for reporting on build for Ubuntu
    saucy
  * debian/control: ruby2.0 now provides ruby-interpreter
  * Now using tarballs generated from the git mirror.
    + The released tarballs will modify shipped files on clean. Without
      this we can stop messing around with files that need to be
      recovered after a `debian/rules clean` to make them match the orig
      tarball and avoid spurious diffs.
    + This also lets us drop the diffs against generated files such as
      tool/config.* and configure.
    + documented in debian/README.source
  * debian/libruby2.0.symbols: refreshed with 2 new symbols added since
    last version.

 -- Antonio Terceiro  Sun, 08 Sep 2013 12:38:34 -0300

ruby2.0 (2.0.0.247-1) unstable; urgency=low

  * Initial release (Closes: #697703)

 -- Antonio Terceiro  Mon, 07 Jan 2013 14:48:51 -0300