Commit graph

17 commits

Author SHA1 Message Date
taca
1206b44a2d lang/ruby24-base: really bump PKGREVISION
Oops, really bump PKGREVISION.
2019-03-12 04:24:40 +00:00
taca
85774cab01 lang/ruby24-base: Add security patch for rubygems
Add security patch for rubygems, fixing these problems.

* CVE-2019-8320: Delete directory using symlink when decompressing tar
* CVE-2019-8321: Escape sequence injection vulnerability in verbose
* CVE-2019-8322: Escape sequence injection vulnerability in gem owner
* CVE-2019-8323: Escape sequence injection vulnerability in API response handling
* CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
* CVE-2019-8325: Escape sequence injection vulnerability in errors

https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/

Since the original patch included in the official announcement does not apply
cleanly to Ruby 2.4.5, use a local version which drops the patch to a
non-existent test.

Bump PKGREVISION.
2019-03-12 04:23:45 +00:00
mrg
168adfd142 apply the gcc6.5 and arm64 hack to gcc [67].*. fixes arm64 builds on gcc7. 2019-02-07 10:07:21 +00:00
taca
1cfef013e8 lang/ruby: switch to use distfiles in '.xz' format
Switch to use distfiles in '.xz' format.
2019-01-03 05:19:03 +00:00
roy
dce89c880a ruby does not like -fomit-frame-pointer on NetBSD/aarch64 2018-12-22 03:11:56 +00:00
taca
d2411f1f15 lang/ruby24-base: update to 2.4.5
Ruby 2.4.5 Released

Ruby 2.4.5 has been released.

This release includes about 40 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.

* CVE-2018-16396: Tainted flags are not propagated in Array#pack and
  String#unpack with some directives

* CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
  See the commit logs for details.
2018-10-18 14:15:12 +00:00
jperkin
a2ce85611a *: Add some required USE_GCC_RUNTIME. 2018-07-17 10:56:23 +00:00
taca
181acf8de6 lang/ruby24-base: update to 2.4.4, security release
Ruby 2.4.4 Released
Posted by nagachika on 28 Mar 2018

Ruby 2.4.4 has been released.

This release includes some bug fixes and some security fixes.

* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
  traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
  UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems

There are also some bug fixes. See commit logs for more details.
2018-03-29 03:04:47 +00:00
taca
5e98e578da lang/ruby24-base: rubygem security fix
Add a patch to fix a security problem of rubygems.

Bump PKGREVISION.
2018-02-19 16:46:58 +00:00
jperkin
c7099c52c0 ruby24-base: Put -std= in CFLAGS not CPPFLAGS. Bump PKGREVISION. 2018-01-26 13:22:58 +00:00
jperkin
c2dbe3602e ruby*-base: Don't add SSP flags, leave that to pkgsrc. 2018-01-16 14:53:27 +00:00
taca
95149acf0a lang/ruby24-base: update to 2.4.3
Update ruby24-base/ruby24 to 2.4.3.

Ruby 2.4.3 Released
Posted by nagachika on 14 Dec 2017

Ruby 2.4.3 has been released.

This release includes some bug fixes and a security fix.

* CVE-2017-17405: Command injection vulnerability in Net::FTP

There are also some bug fixes. See commit logs for more details.
2017-12-15 03:23:29 +00:00
taca
43e37f667d ruby24-base: Update ruby24-base and ruby24 to 2.4.2.
Ruby 2.4.2 Released
Posted by nagachika on 14 Sep 2017

We are pleased to announce the release of Ruby 2.4.2. This release contains
some security fixes.

* CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf

* CVE-2017-10784: Escape sequence injection vulnerability in the Basic
  authentication of WEBrick

* CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode

* CVE-2017-14064: Heap exposure in generating JSON

* Multiple vulnerabilities in RubyGems

* Update bundled libyaml to version 0.1.7.

There are also many bug-fixes. See commit logs for more details.
2017-09-15 00:39:46 +00:00
taca
331f22d2fa Add patch to fix vulnerabilities of rubygems.
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/

* a DNS request hijacking vulnerability
* an ANSI escape sequence vulnerability
* a DoS vulnerability in the query command
* a vulnerability in the gem installer that allowed a malicious gem to
  overwrite arbitrary files

Bump PKGREVISION.
2017-08-30 03:32:55 +00:00
jperkin
f77dfef5ee Ruby changed the primary -std flag for enabling C99 from iso9899:1999 to
gnu99 but left an existing SunOS test to only check for iso9899:1999.  This
resulted in CPPFLAGS not being set correctly for modules which require
native compilation - those should now all be fixed.  Bump PKGREVISION.
2017-06-27 15:25:19 +00:00
jperkin
baf758cd0a Requires c99 for signbit(). 2017-06-19 11:11:34 +00:00
taca
06b9a613e0 Add ruby24-base (Ruby 2.4.1 core) to pkgsrc.
Ruby 2.4.1 (22 Mar 2017)

Ruby 2.4.1 is the first TEENY version release of the stable 2.4 series.

See commit logs for details:
	https://github.com/ruby/ruby/compare/v2_4_0...v2_4_1


Ruby 2.4.0 (25 Dec 2016)

o Introduce hash table improvement (by Vladimir Makarov)

  Improve the internal structure of hash table (st_table) by introducing open
  addressing and an inclusion order array. This improvement has been discussed
  with many people, especially with Yura Sokolov.

o Binding#irb: Start a REPL session similar to binding.pry

  While you are debugging, you may often use p to see the value of
  variables. With pry you can use binding.pry in your application to launch a
  REPL and run any Ruby code. r56624 introduces binding.irb which behaves like
  that with irb.

o Unify Fixnum and Bignum into Integer

  Though ISO/IEC 30170:2012 doesn't specify details of the Integer class,
  Ruby had two visible Integer classes: Fixnum and Bignum. Ruby 2.4 unifies
  them into Integer. All C extensions which touch the Fixnum or Bignum class
  need to be fixed.

  See also the ticket and akr's slides.

o String supports Unicode case mappings

  String/Symbol#upcase/downcase/swapcase/capitalize(!) now handle Unicode case
  mappings instead of only ASCII case mappings.

o Performance improvements

  Ruby 2.4 also contains the following performance improvements including
  language changes:

  * Array#max, Array#min

    [x, y].max and [x, y].min are optimized to not create a temporary array
    under certain conditions.

  * Regexp#match?

    Added Regexp#match?, which executes a regexp match without creating a back
    reference object and changing $~ to reduce object allocation.

  * Other performance improvements

    - speed up instance variable access

o Debugging

  * Thread#report_on_exception and Thread.report_on_exception

    Ruby ignores exceptions in threads unless another thread explicitly joins
    them. With report_on_exception = true, you can notice if a thread has died
    due to an unhandled exception.

    Send us feedback on what the default for report_on_exception should be,
    and about report-on-GC, which shows a report when a thread is garbage
    collected without being joined.

  * Thread deadlock detection now shows threads with their backtrace and
    dependency

    Ruby has deadlock detection around waiting threads, but its report
    doesn't include enough information for debugging. Ruby 2.4's deadlock
    detection shows threads with their backtrace and dependent threads.

o Other notable changes since 2.3

  * Support OpenSSL 1.1.0 (drop support for 0.9.7 or prior)
  * ext/tk is now removed from stdlib (Feature #8539)
  * XMLRPC is now removed from stdlib (Feature #12160)

  See NEWS or commit logs for details.
2017-06-18 13:45:11 +00:00
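As an added illustration of the 2.4 changes quoted in the commit above (example code written for this page, not part of the pkgsrc commit or the Ruby release notes), the script below checks Integer unification, that Regexp#match? leaves $~ untouched, Unicode case mapping, and that report_on_exception surfaces a dying thread on $stderr. The method names are this example's own.

```ruby
require "stringio"

# Added example (not part of the pkgsrc commit or the Ruby release notes):
# small checks for four of the Ruby 2.4 changes named in the announcement.
# Method names here are this example's own, not Ruby API.

# Fixnum and Bignum are unified: both a small and a huge value are Integer.
def integer_unified?
  [1, 2**100].all? { |n| n.class == Integer }
end

# Regexp#match? answers true/false without allocating MatchData or setting $~,
# while Regexp#match still populates $~ as before.
def backref_behaviour
  $~ = nil
  /(\d+)/.match?("ruby-2.4.5")
  untouched_after_match_p = $~.nil?
  /(\d+)/.match("ruby-2.4.5")
  set_after_match = !$~.nil?
  [untouched_after_match_p, set_after_match]
end

# String#upcase now applies full Unicode case mapping, not just ASCII
# (so the German sharp s expands to "SS").
def unicode_upcase(str)
  str.upcase
end

# With Thread.report_on_exception = true, a thread that dies from an unhandled
# exception prints a report to $stderr, so the failure is noticed even when
# nobody joins the thread. $stderr is swapped for a StringIO to capture it.
def thread_death_reported?
  old_stderr, old_flag = $stderr, Thread.report_on_exception
  $stderr = StringIO.new
  Thread.report_on_exception = true          # default for threads created next
  t = Thread.new { raise ArgumentError, "worker failed" }
  begin
    t.join                                   # join still re-raises the error
  rescue ArgumentError
    # expected: the thread's exception propagates to the joining thread
  end
  $stderr.string.include?("terminated with exception")
ensure
  $stderr = old_stderr
  Thread.report_on_exception = old_flag
end

if __FILE__ == $0
  p integer_unified?            # true
  p backref_behaviour           # [true, true]
  p unicode_upcase("straße")    # "STRASSE"
  p thread_death_reported?      # true
end
```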