These packages are implicitly updated with distfile update only.
databases/ruby-gdbm
devel/ruby-readline
lang/ruby
lang/ruby18
Here's quote from release announce:
Sorry for a fuss, but it turned out that taintness check of dl in last
releases I made was incomplete. Here are fixes for that.
And relevant changes:
Mon Aug 11 09:37:17 2008 Yukihiro Matsumoto <matz@ruby-lang.org>
* ext/dl/dl.c (rb_str_to_ptr): should propagate taint to dlptr.
* ext/dl/dl.c (rb_ary_to_ptr): ditto.
* ext/dl/sym.c (rb_dlsym_call): should check taint of DLPtrData as
well.
pkgsrc change:
Apply fix for sunpro compilre, provided by PR pkg/37771 from
Naoto Morishima.
This release includes fix for multiple vulnerabilities.
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
* Several vulnerabilities in safe level
* DoS vulnerability in WEBrick
* Lack of taintness check in dl
* DNS spoofing vulnerability in resolv.rb
Full changes are too many, please refer ChangeLog file.
This is security fix:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities
Fri Jun 20 18:25:18 2008 Nobuyoshi Nakada <nobu@ruby-lang.org>
* string.c (rb_str_buf_append): should infect.
Fri Jun 20 16:33:09 2008 Nobuyoshi Nakada <nobu@ruby-lang.org>
* array.c (rb_ary_store, rb_ary_splice): not depend on unspecified
behavior at integer overflow.
* string.c (str_buf_cat): ditto.
Wed Jun 18 22:24:46 2008 URABE Shyouhei <shyouhei@ruby-lang.org>
* array.c (ary_new, rb_ary_initialize, rb_ary_store,
rb_ary_aplice, rb_ary_times): integer overflows should be
checked. based on patches from Drew Yao <ayao at apple.com>
fixed CVE-2008-2726
* string.c (rb_str_buf_append): fixed unsafe use of alloca,
which led memory corruption. based on a patch from Drew Yao
<ayao at apple.com> fixed CVE-2008-2726
* sprintf.c (rb_str_format): backported from trunk.
* intern.h: ditto.
Tue Jun 17 15:09:46 2008 Nobuyoshi Nakada <nobu@ruby-lang.org>
* file.c (file_expand_path): no need to expand root path which has no
short file name. [ruby-dev:35095]
Sun Jun 15 19:27:40 2008 Akinori MUSHA <knu@iDaemons.org>
* configure.in: Fix $LOAD_PATH. Properly expand vendor_ruby
directories; submitted by Takahiro Kambe <taca at
back-street.net> in [ruby-dev:35099].
It main chagnes are security fix of WEBrick library.
Mon Mar 3 23:34:13 2008 GOTOU Yuuzou <gotoyuzo@notwork.org>
* lib/webrick/httpservlet/filehandler.rb: should normalize path
separators in path_info to prevent directory traversal attacks
on DOSISH platforms.
reported by Digital Security Research Group [DSECRG-08-026].
* lib/webrick/httpservlet/filehandler.rb: pathnames which have
not to be published should be checked case-insensitively.
Mon Dec 3 08:13:52 2007 Kouhei Sutou <kou@cozmixng.org>
* test/rss/test_taxonomy.rb, test/rss/test_parser_1.0.rb,
test/rss/test_image.rb, test/rss/rss-testcase.rb: ensured
declaring XML namespaces.
- don't call the linker directly to build shared libraries,
use ${CC} -G
- link libsunmath statically, as it is provided by SUNWspro and
therefore not available on systems where the compiler is not
installed.
Basically, no change since previous update except Net::HTTP default
@enable_post_connection_check was wrongly set to true. (It might
cause compatibility problem.)
Approved by wiz@.
This is bug fix release of Ruby 1.8.6. Especially it fixes thread/eval
function problem on Mac OS X. It also contains an openssl extention's
portablity problem which was bad patch by pkgsrc.
For more detail, please refer CHANGES file.
RUBY_SITERIDIR.
It fixes install error of textproc/ruby-redcloth when ruby18-base didn't
biild with ruby-build-ri-db option.
Noted by obache@ via private mail and approved by wiz@.
Bump PKGREVISION.
- discontinue use of RUBY_PATCH_DATE.
- Introduce RUBY_PATCH_LEVEL.
pkgsrc's ruby tracks Ruby's patch release and avoid to maintain
its own patch files (with RUBY_PATCH_DATE).
Changes are too much, please see ChangeLog file.
- Include options.mk before rubyversion.mk, so PLIST for ri database
should be created suitably.
- make RUBY_RIDIR and its friends relative path to ${PREFIX}.
- Fix and improve handling of ${RUBY_RIDIR} handling and should
be fixed remaining ${RUBY_RIDIR} after pkg_delete ruby18-base.
(Noted by private mail from wiz@.)
Bump PKGREVISION of ruby18-base package.
- Many changes from 2006/9/6; see Changes file, please.
- Fixes another cgi.rb vulnerability:
http://jvn.jp/jp/JVN%2384798830/index.html
o Introduce ruby-build-ri-db PKG_OPTION which enable installing database
for Ruby's ri utility. Default is disabled and should be fix
PR pkg/34587.
(1) Don't use make's varibalbe in DESCR; fixes PR pkg/34920.
(2) Use --enable-wide-getaddrinfo on not only Linux but Solaris.
(3) Make sure to link libruby.so with proper -R linker option.
Thanks for Dan McMahill who reported and suggested fix to (2) and (3)
with private mail. And thanks for Takayoshi Kochi who reports PR pkg/34920.
Bump PKGREVISION.
pkgsrc changes:
* Add RUBY_DYNAMIC_DIRS which cause generating dynamic PLIST entries.
* Move using buildlinks to rubyversion.mk.
* Merge converters/ruby-iconv to ruby18-base.
Ruby changes:
* too may, see ChangeLog file or
http://eigenclass.org/hiki.rb?ruby+1.8.5+changelog
- Add two miscellaneous patches for openssl and yaml libraries.
They were left from last year, sigh.
- Add one more part for CVE-2006-3694.
Bump PKGREVISION.
INSTALL/DEINSTALL script creation within pkgsrc.
If an INSTALL or DEINSTALL script is found in the package directory,
it is automatically used as a template for the pkginstall-generated
scripts. If instead, they should be used simply as the full scripts,
then the package Makefile should set INSTALL_SRC or DEINSTALL_SRC
explicitly, e.g.:
INSTALL_SRC= ${PKGDIR}/INSTALL
DEINSTALL_SRC= # emtpy
As part of the restructuring of the pkginstall framework internals,
we now *always* generate temporary INSTALL or DEINSTALL scripts. By
comparing these temporary scripts with minimal INSTALL/DEINSTALL
scripts formed from only the base templates, we determine whether or
not the INSTALL/DEINSTALL scripts are actually needed by the package
(see the generate-install-scripts target in bsd.pkginstall.mk).
In addition, more variables in the framework have been made private.
The *_EXTRA_TMPL variables have been renamed to *_TEMPLATE, which are
more sensible names given the very few exported variables in this
framework. The only public variables relating to the templates are:
INSTALL_SRC INSTALL_TEMPLATE
DEINSTALL_SRC DEINSTALL_TEMPLATE
HEADER_TEMPLATE
The packages in pkgsrc have been modified to reflect the changes in
the pkginstall framework.
Ruby 1.8.4 are maintainous release of Ruby programming language.
Changes are too huge to list here, please see http://www.ruby-lang.org/.
And this package contains some bug fixes after release of 1.8.4.
Tue Dec 27 08:29:18 2005 GOTOU Yuuzou <gotoyuzo@notwork.org>
* ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLSocket#post_connection_chech):
treat wildcard character in commonName. [ruby-dev:28121]
Mon Dec 26 22:32:47 2005 Nobuyoshi Nakada <nobu@ruby-lang.org>
* eval.c (rb_eval), gc.c (gc_mark_children), node.h (NEW_ALIAS,
NEW_VALIAS), parse.y (fitem): allow dynamic symbols to
NODE_UNDEF and NODE_ALIAS.
backported from trunk. fixed: [ruby-dev:28105]
Mon Dec 26 08:50:36 2005 Yukihiro Matsumoto <matz@ruby-lang.org>
* eval.c (ev_const_get): fixed a bug in constant reference during
instance_eval. [yarv-dev:707]
* eval.c (ev_const_defined): ditto.
* lib/yaml.rb (YAML::add_domain_type): typo fixed. a patch from
Joel VanderWerf <vjoel at path.berkeley.edu>.
[ruby-talk:165285] [ruby-core:6995]
