Update Ruby on Rails to 6.0.3.2.
www/ruby-actionpack60 is the only package with real changes; the other
packages change only in version number.
The CHANGELOG of www/ruby-actionpack60 is:
## Rails 6.0.3.2 (June 17, 2020) ##
* [CVE-2020-8185] Only allow ActionableErrors if
show_detailed_exceptions is enabled
ruby26-base and beyond don't need this patch anymore. They get the
configuration directory from Gem::ConfigFile::SYSTEM_CONFIG_PATH, which
is set to RbConfig::CONFIG["sysconfdir"], which in turn is set to
PKGSYSCONFDIR.
Update ruby24-base (and ruby24) to 2.4.10.
This release includes a security fix. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
Ruby 2.4 is now under the state of the security maintenance phase, until the
end of March of 2020. After that date, maintenance of Ruby 2.4 will be
ended. Thus, this release would be the last of Ruby 2.4 series. We
recommend you immediately upgrade Ruby to newer versions, such as 2.7 or 2.6
or 2.5.
Update ruby25-base (and ruby25) to 2.5.8.
2.5.8 (2020-03-31)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
* CVE-2020-10933: Heap exposure vulnerability in the socket library
Update ruby27-base (and ruby27) to 2.7.1.
2.7.1 (2020-03-31)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
* CVE-2020-10933: Heap exposure vulnerability in the socket library
Update ruby26-base (and ruby26 related packages) to 2.6.6.
2.6.6 (2020-03-31)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
* CVE-2020-10933: Heap exposure vulnerability in the socket library
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
Change default version of Ruby from 2.4.x to 2.6.x.
* Ruby 2.7 will be released within this year.
* Ruby 2.6.x is stable enough and actively maintained.
* Ruby 2.5.x will be in security maintenance phase after
release of Ruby 2.7.
* Ruby 2.4.x will be EOL after 31st March 2020.
Replace RUBY_BUILD_RDOC and RUBY_BUILD_RI with RUBY_BUILD_DOCUMENT since
rdoc's --no-rdoc and --no-ri options were deprecated almost 8 years ago
and replaced by the --no-document option.
No package should be changed.
Update ruby26-base and ruby26 packages to 2.6.5
pkgsrc changes
* fix warnings of pkglint.
Quote from release announcement:
Ruby 2.6.5 (2019-10-01)
This release includes security fixes. Please check the topics below for
details.
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick's Digest access authentication
Update ruby25-base, ruby25 and ruby25-mode packages to 2.5.7.
pkgsrc changes
* fix warnings of pkglint.
Quote from release announcement:
Ruby 2.5.7 (2019-10-01)
This release includes security fixes as listed below. Please check the
topics below for details.
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick's Digest access authentication
Update ruby24-base and related packages to 2.4.9.
pkgsrc changes
* fix warnings of pkglint.
Quote from release announcement:
Ruby 2.4.8 (2019-10-01)
This release includes security fixes. Please check the topics below for
details.
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick's Digest access authentication
Ruby 2.4.9 (2019-10-02)
This release is a re-package of 2.4.8 because the previous Ruby 2.4.8
release tarball does not install. (See [Bug #16197] for details.) There is no
essential change except the version numbers between 2.4.8 and 2.4.9.
Ruby 2.4 is now under the state of the security maintenance phase, until the
end of March of 2020. After that date, maintenance of Ruby 2.4 will be
ended. We recommend you start planning the migration to newer versions of
Ruby, such as 2.6 or 2.5.
Update lang/ruby26-base and lang/ruby26 to 2.6.4.
Ruby 2.6.4 (2019-08-28)
Ruby 2.6.4 has been released.
This release includes a security fix of rdoc. Please check the topics below
for details.
* Multiple jQuery vulnerabilities in RDoc
See the commit logs for changes in detail.
Update ruby25-base/ruby25 to 2.5.6.
Ruby 2.5.6 (2019-08-28)
Ruby 2.5.6 has been released.
This release includes about 40 bug fixes after the previous release, and also includes a security fix. Please check the topics below for details.
* Multiple jQuery vulnerabilities in RDoc
See the commit log for details.
2.4.7 (2019-08-28)
Ruby 2.4.7 has been released.
This release includes a security fix. Please check the topics below for
details.
* Multiple jQuery vulnerabilities in RDoc
Ruby 2.4 is now under the state of the security maintenance phase, until
the end of March of 2020. After that date, maintenance of Ruby 2.4 will be
ended. We recommend you start planning the migration to newer versions of
Ruby, such as 2.6 or 2.5.
Update ruby26{,-base} to 2.6.3. Here is the release announcement:
Ruby 2.6.3 Released
Posted by naruse on 17 Apr 2019
Ruby 2.6.3 has been released.
This release adds support for New Japanese Era “令和” (Reiwa). It updates
the Unicode version to 12.1 beta (#15195), and updates date library (#15742).
This release also includes some bug fixes. See the commit logs for details.
* vulnerabilities of rubygems are already fixed in 2.4.5nb1.
Ruby 2.4.6 Released 1 Apr 2019
Ruby 2.4.6 has been released.
This release includes about 20 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* Multiple vulnerabilities in RubyGems
See the commit log for details.
After this release, we will end the normal maintenance phase of Ruby 2.4, and
start the security maintenance phase of it. This means that after the release
of 2.4.6 we will never backport any bug fixes to 2.4 except security fixes.
The term of the security maintenance phase is scheduled for 1 year. By the
end of this term, official support of Ruby 2.4 will be over. Therefore, we
recommend that you start planning to upgrade to Ruby 2.6 or 2.5.
Update ruby26{,-base} to 2.6.2.
Quote from release announcement:
Ruby 2.6.2 (2019-03-13)
This release includes bug fixes and a security update of the bundled
RubyGems.
See details in Multiple vulnerabilities in RubyGems and the commit logs.
Update ruby25{,-base} to 2.5.5.
Quote from release announcement:
Ruby 2.5.4 (2019-03-13)
This release includes bug fixes and a security update of the bundled
RubyGems. See details in Multiple vulnerabilities in RubyGems and the commit
logs.
Ruby 2.5.5 (2019-03-15)
This release includes a bug fix for the deadlock in the
multi-thread+multi-process (using Process.fork) applications (ex: puma).
Ruby 2.3.8 Released
Ruby 2.3.8 has been released. This release includes several security
fixes. Please check the topics below for details.
* CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work
correctly
This release also includes a non-security fix to support Visual Studio 2014
with Windows 10 October 2018 Update for maintenance reasons.
Ruby 2.3 is now under the state of the security maintenance phase,
until the end of the March of 2019. After the date, maintenance of
Ruby 2.3 will be ended. We recommend you start planning migration to
newer versions of Ruby, such as 2.5 or 2.4.
Ruby 2.5.2 Released
Ruby 2.5.2 has been released.
This release includes some bug fixes and some security fixes.
* CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
There are also some bug fixes. See commit logs for more details.
Ruby 2.5.3 Released
Ruby 2.5.3 has been released.
There were some missing files in the release packages of 2.5.2 which are
necessary for building. See details in [Bug #15232].
This release is just for fixing the packaging issue. This release doesn’t
contain any additional bug fixes from 2.5.2.
Ruby 2.4.5 Released
Ruby 2.4.5 has been released.
This release includes about 40 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
See the commit logs for details.
Improve the update-gemspec.rb script, which handles OVERRIDE_GEMSPEC.
When overriding dependency versions, clear the old dependencies completely.
Previously, it replaced only the first dependency, which caused incomplete
ruby gem dependencies in a few cases.
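The difference between the old and the new override behaviour, as an added illustration that is not the pkgsrc update-gemspec.rb script itself. It builds a constructed Gem::Specification (the gem names "example-app", "rack" and "json" and their constraints are hypothetical) in which one gem is constrained by two separate dependency entries, then applies an override both ways. Replacing only the first entry leaves the stale "< 2" constraint behind, so no version can satisfy the resulting requirement set; dropping every entry for the gem first leaves the override as the only constraint, which is the behaviour the commit message describes as the fix.

```ruby
require "rubygems"

# Constructed gemspec for the example. The gem names and constraints are
# hypothetical; the two "rack" entries model a spec that declares its lower
# and upper bound as separate dependency lines.
def sample_spec
  Gem::Specification.new do |s|
    s.name    = "example-app"
    s.version = "1.0.0"
    s.summary = "constructed example spec"
    s.authors = ["example"]
    s.add_runtime_dependency "rack", ">= 1.6"
    s.add_runtime_dependency "rack", "< 2"
    s.add_runtime_dependency "json", "~> 2.0"
  end
end

# Requirement strings of every dependency entry that names `name`.
def requirements_for(spec, name)
  spec.dependencies.select { |d| d.name == name }.map { |d| d.requirement.to_s }
end

# The behaviour the commit message describes as the old one (reconstructed
# here, not the pkgsrc script's own code): only the first entry for the gem
# is swapped out, so any further entry for the same gem survives the override.
def override_first_only(spec, name, *reqs)
  deps = spec.dependencies
  replacement = Gem::Dependency.new(name, *reqs, :runtime)
  idx = deps.index { |d| d.name == name }
  if idx
    deps[idx] = replacement
  else
    deps << replacement
  end
  spec
end

# The fixed behaviour: remove every existing entry for the gem before adding
# the overriding one, so the override is the only constraint that remains.
def override_all(spec, name, *reqs)
  spec.dependencies.reject! { |d| d.name == name }
  spec.add_runtime_dependency name, *reqs
  spec
end

# True when `version` satisfies every remaining requirement on `name`.
# A leftover stale entry shows up here as a requirement set nothing satisfies.
def accepts?(spec, name, version)
  v = Gem::Version.new(version)
  spec.dependencies.select { |d| d.name == name }
      .all? { |d| d.requirement.satisfied_by?(v) }
end

if __FILE__ == $PROGRAM_NAME
  buggy = override_first_only(sample_spec, "rack", ">= 2.0")
  fixed = override_all(sample_spec, "rack", ">= 2.0")
  puts "first-only override: rack #{requirements_for(buggy, 'rack').join(', ')}"
  puts "  accepts rack 2.2.3? #{accepts?(buggy, 'rack', '2.2.3')}"
  puts "full override:       rack #{requirements_for(fixed, 'rack').join(', ')}"
  puts "  accepts rack 2.2.3? #{accepts?(fixed, 'rack', '2.2.3')}"
end
```

The check in accepts? is the one worth keeping around when maintaining an OVERRIDE_GEMSPEC: after an override, every version the package is meant to accept should satisfy all remaining entries for that gem, and an empty acceptable set is the signature of a constraint that was meant to be replaced but was left in place.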
Ruby 2.2.10 Released Posted by usa on 28 Mar 2018
Ruby 2.2.10 has been released. This release includes several security
fixes. Please check the topics below for details.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
Ruby 2.2 is under the state of the security maintenance phase, until the end
of the March of 2018. After the date, maintenance of Ruby 2.2 will be ended.
So, this release is expected to be the last release of Ruby 2.2. We will
never make a new release of Ruby 2.2 unless Ruby 2.2.10 has a serious
regression bug. We recommend migrating to newer versions of Ruby, such as
2.5.
Ruby 2.3.7 Released Posted by usa on 28 Mar 2018
Ruby 2.3.7 has been released.
This release includes about 70 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
See the ChangeLog for details.
After this release, we will end the normal maintenance phase of Ruby 2.3, and
start the security maintenance phase of it. This means that after the release
of 2.3.7 we will never backport any bug fixes to 2.3 except security fixes.
The term of the security maintenance phase is scheduled for 1 year. By the
end of this term, official support of Ruby 2.3 will be over. Therefore, we
recommend that you start planning to upgrade to Ruby 2.5 or 2.4.
Ruby 2.5.1 Released Posted by naruse on 28 Mar 2018
Ruby 2.5.1 has been released.
This release includes some bug fixes and some security fixes.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
There are also some bug fixes. See commit logs for more details.
Ruby 2.4.4 Released Posted by nagachika on 28 Mar 2018
Ruby 2.4.4 has been released.
This release includes some bug fixes and some security fixes.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
There are also some bug fixes. See commit logs for more details.
The actual fix has been done by "pkglint -F */*/buildlink3.mk", and was
reviewed manually.
There are some .include lines that still are indented with zero spaces
although the surrounding .if is indented. This is existing practice.
Ruby 2.2.9 Released
Posted by usa on 14 Dec 2017
Ruby 2.2.9 has been released. This release includes several security
fixes. Please check the topics below for details.
* CVE-2017-17405: Command injection vulnerability in Net::FTP
* Unsafe Object Deserialization Vulnerability in RubyGems
Ruby 2.2 is now under the state of the security maintenance phase, until the
end of the March of 2018. After the date, maintenance of Ruby 2.2 will be
ended. We recommend you start planning migration to newer versions of Ruby,
such as 2.4 or 2.3.
Update ruby24-base/ruby24 to 2.4.3.
Ruby 2.4.3 Released
Posted by nagachika on 14 Dec 2017
Ruby 2.4.3 has been released.
This release includes some bug fixes and a security fix.
* CVE-2017-17405: Command injection vulnerability in Net::FTP
There are also some bug fixes. See commit logs for more details.
Update ruby23-base/ruby23 to 2.3.6.
Ruby 2.3.6 has been released.
This release includes about 10 bug fixes after the previous release,
and also includes several security fixes. Please check the topics
below for details.
* CVE-2017-17405: Command injection vulnerability in Net::FTP
* Unsafe Object Deserialization Vulnerability in RubyGems
See the ChangeLog for details.
Ruby 2.4.2 Released Posted by nagachika on 14 Sep 2017
We are pleased to announce the release of Ruby 2.4.2. This release contains
some security fixes.
* CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
* CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick
* CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
* CVE-2017-14064: Heap exposure in generating JSON
* Multiple vulnerabilities in RubyGems
* Update bundled libyaml to version 0.1.7.
There are also many bug-fixes. See commit logs for more details.
ruby23 packages to 2.3.5.
pkgsrc change: clean up PLIST.
Ruby 2.3.5 Released Posted by usa on 14 Sep 2017
Ruby 2.3.5 has been released.
This release includes about 70 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
* CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick
* CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
* CVE-2017-14064: Heap exposure vulnerability in generating JSON
* Multiple vulnerabilities in RubyGems
* Updated bundled libyaml to version 0.1.7
See the ChangeLog for details.
pkgsrc change: clean up PLIST.
Ruby 2.2.8 Released Posted by usa on 14 Sep 2017
Ruby 2.2.8 has been released. This release includes several security
fixes. Please check the topics below for details.
* CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
* CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick
* CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
* CVE-2017-14064: Heap exposure vulnerability in generating JSON
* Multiple vulnerabilities in RubyGems
* Updated bundled libyaml to version 0.1.7
Ruby 2.2 is now under the state of the security maintenance phase, until the
end of the March of 2018. After the date, maintenance of Ruby 2.2 will be
ended. We recommend you start planning migration to newer versions of Ruby,
such as 2.4 or 2.3.
and rails42.
* Rename RUBY_RAILS_VERSION to RAILS_VERSION.
* Remove detection of installed Ruby on Rails.
* Add ${RUBY_RAILS} to PKGBASE of each Ruby on Rails package.