Security fix with updating bundled RubyGems to 1.8.23 and a few bug
fixes.
Fri Apr 20 12:40:19 2012 Eric Hodel <drbrain@segment7.net>
* lib/rubygems/ssl_certs/AddTrustExternalCARoot.pem: Removed to avoid
conflict with ca-bundle.pem
* lib/rubygems/ssl_certs/VerisignClass3PublicPrimaryCertificationAuthority-G2.pem:
ditto.
* lib/rubygems/ssl_certs/Entrust_net-Secure-Server-Certification-Authority.pem:
ditto.
Fri Apr 20 09:04:35 2012 Eric Hodel <drbrain@segment7.net>
* lib/rubygems: Apply the following security fixes to RubyGems 1.3.7:
RubyGems now disallows redirection from HTTPS to HTTP.
RubyGems now verifies SSL connections.
Patch by Hiroshi Nakamura.
* test/rubygems: ditto.
Overhaul buildlink3 processing of Ruby.
* Don't buildlink in ruby/rubyversion.mk any more but define
RUBY_USE_PTHREAD (use of pthread).
* In ruby/buildlink3.mk, buildlink via mk/pthread.buildlink3.mk as to
RUBY_USE_PTHREAD.
* Also the same logic in ruby/Makefile.common.
* Buildlink of bdb, libiconv, zlib, openssl in each ruby*-base/Makefile.
The maintainers of ruby have changed the shared library naming scheme for
FreeBSD and DragonFly:
For ruby18, it's libruby18.so.18 (last part = RUBY_VER)
For ruby19, it's libruby19.so.19 (last part = RUBY_VER)
for ruby193, it's libruby193.so.191 (last part derived from API, not version)
The rubyversion.mk was never updated to reflect that, and as a result ruby
1.9.3 has never built on DragonFly. This commit will allow the
lang/ruby193-base package to build.
Implicitly update lang/ruby193 and devel/ruby-mode (nothing changes).
== Fixes
* Fix for Ruby OpenSSL module: Allow "0/n splitting" as a prevention
for the TLS BEAST attack
* Fixed: LLVM/clang support [Bug #5076]
* Fixed: GCC 4.7 support [Bug #5851]
* other bug fixes
For more details, please refer to:
http://svn.ruby-lang.org/repos/ruby/tags/v1_9_3_125/ChangeLog
Wed Feb 8 14:06:59 2012 Hiroshi Nakamura <nahi@ruby-lang.org>
* ext/openssl/ossl_ssl.c: Add SSL constants and allow unsetting SSL
options to prevent the BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent the
TLS-CBC-IV vulnerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's a known issue of TLSv1/SSLv3, but it has attracted a lot of
attention these days as the BEAST attack. (CVE-2011-3389)
Until now ossl set OP_ALL at SSLContext allocation and called
SSL_CTX_set_options at connection time. SSL_CTX_set_options updates the
value using |=, so bits set by OP_ALL could not be unset afterwards.
This commit changes ossl to call SSL_CTX_set_options only once for each
SSLContext. It sets the specified value if SSLContext#options= is
called and sets OP_ALL if not.
To help users unset bits in OP_ALL, this commit also adds several
constants to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby before because there was no way to unset bits in
OP_ALL.
The following is an example of enabling 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
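An added example (not from the Ruby ChangeLog or the ossl source) that models the before/after SSL_CTX_set_options behaviour described in the entry above and then applies the ChangeLog's own value to a real OpenSSL::SSL::SSLContext; the helper names are my own, and it assumes a Ruby build whose openssl extension exposes OP_DONT_INSERT_EMPTY_FRAGMENTS, as it does since this fix.

```ruby
require 'openssl'

DEFAULT_OPTS       = OpenSSL::SSL::OP_ALL
NO_EMPTY_FRAGMENTS = OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS

# Pre-fix behaviour as the ChangeLog describes it (modelled, not the real
# ossl code): OP_ALL is set at allocation, then the user's value is OR-ed in
# at connection time, so a bit that belongs to OP_ALL can never be cleared.
def options_before_fix(requested)
  opts = DEFAULT_OPTS   # set at SSLContext allocation
  opts |= requested     # SSL_CTX_set_options applies |= at connection
  opts
end

# Post-fix behaviour: SSL_CTX_set_options is called once per context with
# the user's value, or with OP_ALL when SSLContext#options= was never used.
def options_after_fix(requested)
  requested.nil? ? DEFAULT_OPTS : requested
end

# The value from the ChangeLog's own example: OP_ALL with the
# "don't insert empty fragments" bit removed, which enables 0/n splitting.
BEAST_SAFE_OPTIONS = DEFAULT_OPTS & ~NO_EMPTY_FRAGMENTS

# True when a context carrying these options will send the empty fragment.
def zero_n_split_enabled?(options)
  (options & NO_EMPTY_FRAGMENTS).zero?
end

# Apply the setting to a real context and read back what OpenSSL reports,
# which is the check a deployer should make rather than trusting the assignment.
def beast_mitigated_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = BEAST_SAFE_OPTIONS
  ctx
end

if __FILE__ == $0
  puts "before fix: 0/n split = #{zero_n_split_enabled?(options_before_fix(BEAST_SAFE_OPTIONS))}"
  puts "after fix:  0/n split = #{zero_n_split_enabled?(options_after_fix(BEAST_SAFE_OPTIONS))}"
  puts "real ctx:   0/n split = #{zero_n_split_enabled?(beast_mitigated_context.options)}"
end
```

Note that 0/n splitting only matters for CBC cipher suites under TLS 1.0/SSLv3; on TLS 1.1 and later the bit is irrelevant, so the check above is only meaningful where those older protocol versions are still negotiated.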
It contains a security fix for CVE-2011-4815 (DoS).
Wed Dec 28 21:34:23 2011 URABE Shyouhei <shyouhei@ruby-lang.org>
* string.c (rb_str_hash): randomize hash to avoid algorithmic
complexity attacks. CVE-2011-4815
* st.c (strhash): ditto.
* string.c (Init_String): initialization of hash_seed to be at the
beginning of the process.
* st.c (Init_st): ditto.
Thu Dec 8 11:57:04 2011 Tanaka Akira <akr@fsij.org>
* inits.c (rb_call_inits): call Init_RandomSeed at first.
* random.c (seed_initialized): defined.
(fill_random_seed): extracted from random_seed.
(make_seed_value): extracted from random_seed.
(rb_f_rand): initialize random seed at first.
(initial_seed): defined.
(Init_RandomSeed): defined.
(Init_RandomSeed2): defined.
(rb_reset_random_seed): defined.
(Init_Random): call Init_RandomSeed2.
Sat Dec 10 20:44:23 2011 Tanaka Akira <akr@fsij.org>
* lib/securerandom.rb: call OpenSSL::Random.seed at the
SecureRandom.random_bytes call.
insert separators for array join.
patch by Masahiro Tomita. [ruby-dev:44270]
Mon Oct 17 04:20:22 2011 Nobuyoshi Nakada <nobu@ruby-lang.org>
* mkconfig.rb: fix for continued lines. based on a patch from
Marcus Rueckert <darix AT opensu.se> at [ruby-core:20420].
Mon Oct 17 04:19:39 2011 Yukihiro Matsumoto <matz@ruby-lang.org>
* numeric.c (flo_cmp): Infinity is greater than any bignum
number. [ruby-dev:38672]
* bignum.c (rb_big_cmp): ditto.
Mon Oct 17 03:56:12 2011 Yusuke Endoh <mame@tsg.ne.jp>
* ext/openssl/ossl_x509store.c (ossl_x509store_initialize): initialize
store->ex_data.sk. [ruby-core:28907] [ruby-core:23971]
[ruby-core:18121]
=== 3.12 / 2011-12-15
* Minor enhancements
* Added DEVELOPERS document which contains an overview of how RDoc works and
how to add new features to RDoc.
* Improved title for HTML output to include <code>--title</code> in the
title element.
* <code>rdoc --pipe</code> now understands <code>--markup</code>.
* RDoc now supports irc-scheme hyperlinks. Issue #83 by trans.
* Bug fixes
* Fix title on HTML output for pages.
* Fixed parsing of non-indented HEREDOC.
* Fixed parsing of <code>%w[]</code> and other % literals. Issue #84 by
Erik Hollensbe
* Fixed arrow replacement in HTML output munging the spaceship operator.
Issue #85 by eclectic923.
* Verbatim sections with ERB that match the ruby code whitelist are no
longer syntax-highlighted. Issue #86 by eclectic923
* Line endings on windows are normalized immediately after reading with
binmode. Issue #87 by Usa Nakamura
* RDoc better understands directives for comments. Comment directives can
now be found anywhere in multi-line comments. Issue #90 by Ryan Davis
* Tidy links to methods show the label again. Issue #88 by Simon Chiang
* RDoc::Parser::C can now find comments directly above
+rb_define_class_under+. Issue #89 by Enrico
* In rdoc, backspace and ansi formatters, labels and notes without bodies
are now shown.
* In rdoc, backspace and ansi formatters, whitespace between label or note
and the colon is now stripped.
=== 3.11 / 2011-10-17
* Bug fixes
* Avoid parsing TAGS files included in gems. Issue #81 by Santiago Pastorino.
=== 3.10 / 2011-10-08
* Major enhancements
* RDoc HTML output has been improved:
* The search from Vladimir Kolesnikov's Sdoc has been integrated.
The search index generation is a reusable component through
RDoc::Generator::JsonIndex
* The table of contents is now a separate page and now shows links to
headings and sections inside a page or class.
* Class pages no longer show the namespace and no longer have file info
pages.
* HTML output is HTML 5.
* Static files can be copied into RDoc using --copy-files
* RDoc supports additional documentation formats:
* TomDoc 1.0.0-rc1
* RD format
The default markup can be set via the <tt>--markup</tt> option.
The format of documentation in a particular file can be specified by the
+:markup:+ directive. If the +:markup:+ directive is in the first comment
it is used as the default for the entire file. For other comments it
overrides the default markup format.
The markup format can be set for rake tasks using RDoc::Task#markup
* RDoc can save and load an options file.
To create an options file that defaults to using TomDoc markup run:
rdoc --markup tomdoc --write-options
This will create a .rdoc_options file. Check it in to your VCS and
package it with your gem. RDoc will automatically load this file and
combine it with the user's options.
Some options are not saved. See RDoc::Options@Saved+Options for full
details.
* Minor enhancements
* RDoc autoloads everything. You only need to require 'rdoc' now.
* HTML headings now have ids matching their titles.
= Hello!
Is rendered as
<h1 id="label-Hello%21">Hello!</h1>
* Labels for classes or methods can be linked-to by adding an <tt>@</tt>
following the class or method reference. For example,
<tt>RDoc::Markup@Links</tt>
See RDoc::Markup@Links for further details.
* For HTML output RDoc uses +SomeClass.method_name+ and
+SomeClass#method_name+ for remote methods and attributes and
+::method_name+ and +#method_name+ for local methods.
* RDoc makes an effort to syntax-highlight ruby code in verbatim sections.
See RDoc::Markup@Paragraphs+and+Verbatim
* Added RDoc::TopLevel#text? and RDoc::Parser::Text to indicate a
parsed file contains no ruby constructs.
* Added <tt>rdoc-label</tt> link scheme which allows bidirectional links.
See RDoc::Markup for details.
* Added RDoc::Comment which encapsulates comment-handling functionality.
* Added RDoc::Markup::PreProcess::post_process to allow arbitrary comment
munging.
* RDoc::RDoc::current is set for the entire RDoc run.
* Split rdoc/markup/inline into individual files for its component classes.
* Moved token stream HTML markup out of RDoc::AnyMethod#markup_code into
RDoc::TokenStream::to_html
* "Top" link in section headers is no longer inside the heading element.
* RDoc avoids printing some warnings unless run with `rdoc --verbose`. For
Rails issue #1646.
* Finishing a paragraph with two or more spaces will result in a line break.
This feature is experimental and may be modified or removed.
* Bug fixes
* Performance of RDoc::RubyLex has been improved. Ruby Bug #5202 by Ryan
Melton.
* Clicking a link in the method description now works. Issue #61 by Alan
Hogan.
* Fixed RDoc::Markup::Parser for CRLF line endings. Issue #67 by Marvin
Gülker.
* Fixed lexing of percent strings like %r{#}. Issue #68 by eclectic923.
* The C parser now understands classes defined with
+rb_struct_define_without_accessor+ (like Range). Pull Request #73 by Dan
Bernier
* Fixed lexing of <code>a b <<-HEREDOC</code>. Issue #75 by John Mair.
* Added LEGAL.rdoc with references to licenses in other files. Issue #78 by
Dmitry Jemerov.
* Block parameters are displayed in Darkfish output again. Issue #76 by
Andrea Singh.
* The method parameter coverage report no longer includes parameter default
values. Issue #77 by Jake Goulding.
* The module for an include is not looked up until all the files are
parsed. Unless your project includes nonexistent modules, this avoids the
worst-case behavior (<tt>O(n!)</tt>) of RDoc::Include#module.
* Use 18, 19 instead of 1.9, 2.0 for RUBY_VERSION_DEFAULT.
* Add 193 for Ruby 1.9.3, too.
* If RUBY_VERSION_SUPPORTED contains a single version of Ruby, make the
package force a dependency on that version.
* Move RUBY_SITE_SUBDIR to Makefile.common.
* Change RUBY_VERSION_SUFFIX to RUBY_VERSION_FULL.
* Remove small code for NetBSD 1.x.
* Change RUBY_DLEXT and RUBY_SLEXT by ${_OPSYS_SHLIB_TYPE} instead of
${OPSYS}'s value.