Security fix with updating bundled RubyGems to 1.8.23 and a few bug
fixes.
Fri Apr 20 12:40:19 2012 Eric Hodel <drbrain@segment7.net>
* lib/rubygems/ssl_certs/AddTrustExternalCARoot.pem: Removed to avoid
conflict with ca-bundle.pem
* lib/rubygems/ssl_certs/VerisignClass3PublicPrimaryCertificationAuthority-G2.pem:
ditto.
* lib/rubygems/ssl_certs/Entrust_net-Secure-Server-Certification-Authority.pem:
ditto.
Fri Apr 20 09:04:35 2012 Eric Hodel <drbrain@segment7.net>
* lib/rubygems: Apply the following security fixes to RubyGems 1.3.7:
RubyGems now disallows redirection from HTTPS to HTTP.
RubyGems now verifies SSL connections.
Patch by Hiroshi Nakamura.
* test/rubygems: ditto.
Overhaul buildlink3 processing of Ruby.
* Don't buildlink in ruby/rubyversion.mk any more but define
RUBY_USE_PTHREAD (use of pthread).
* In ruby/buildlink3.mk, buildlink via mk/pthread.buildlink3.mk according to
RUBY_USE_PTHREAD.
* Also the same logic in ruby/Makefile.common.
* Buildlink of bdb, libiconv, zlib, openssl in each ruby*-base/Makefile.
The maintainers of ruby have changed the shared library naming scheme for
FreeBSD and DragonFly:
For ruby18, it's libruby18.so.18 (last part = RUBY_VER)
For ruby19, it's libruby19.so.19 (last part = RUBY_VER)
For ruby193, it's libruby193.so.191 (last part derived from API, not version)
The rubyversion.mk was never updated to reflect that, and as a result ruby
1.9.3 has never built on DragonFly. This commit will allow
lang/ruby193-base package to build.
Implicitly update lang/ruby193 and devel/ruby-mode (no change).
== Fixes
* Fix for Ruby OpenSSL module: Allow "0/n splitting" as a prevention
for the TLS BEAST attack
* Fixed: LLVM/clang support [Bug #5076]
* Fixed: GCC 4.7 support [Bug #5851]
* other bug fixes
For more detail, please refer to:
http://svn.ruby-lang.org/repos/ruby/tags/v1_9_3_125/ChangeLog
Wed Feb 8 14:06:59 2012 Hiroshi Nakamura <nahi@ruby-lang.org>
* ext/openssl/ossl_ssl.c: Add SSL constants and allow to unset SSL
option to prevent BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent the
TLS-CBC-IV vulnerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's a known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as the BEAST attack. (CVE-2011-3389)
Until now ossl sets OP_ALL at SSLContext allocation and calls
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.
This commit changes to call SSL_CTX_set_options only once for each
SSLContext. It sets the specified value if SSLContext#options= is
called and sets OP_ALL if not.
To help users to unset bits in OP_ALL, this commit also adds several
constants to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there was no way to unset bits in OP_ALL
before.
Following is an example to enable 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
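The |= problem described in the entry above, as an added example that is not Ruby's or OpenSSL's own code: it models the old and new SSL_CTX_set_options paths with constructed stand-in bit values (the names mirror the OpenSSL constants, the values do not), and shows why 0/n splitting could not be enabled before this change.

```ruby
# Added example (not Ruby's own code). Models the SSL_CTX_set_options
# behaviour described in the changelog entry; the bit values below are
# constructed stand-ins with the same shape as OpenSSL's, not real values.
OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x0000_0800  # constructed stand-in
OP_ALL                         = 0x0000_0FFF  # constructed; includes the bit above

# Old ossl behaviour: OP_ALL is set at SSLContext allocation, then
# SSL_CTX_set_options is called again at connection time. Because that
# call ORs (|=) into the existing mask, a bit already set by OP_ALL can
# never be cleared, whatever SSLContext#options= asked for.
def old_effective_options(requested)
  ctx_bits = OP_ALL                   # applied at allocation
  ctx_bits |= requested if requested  # |= at connection time
  ctx_bits
end

# New behaviour: SSL_CTX_set_options is called once per SSLContext with
# exactly the value from SSLContext#options=, or OP_ALL if none was given.
def new_effective_options(requested)
  requested || OP_ALL
end

# 0/n splitting is active only while DONT_INSERT_EMPTY_FRAGMENTS is clear,
# so this is the check a deployer wants to make on the effective mask.
def beast_mitigated?(bits)
  (bits & OP_DONT_INSERT_EMPTY_FRAGMENTS).zero?
end

# The setting from the changelog entry: keep every OP_ALL workaround
# except the one that disables empty-fragment insertion.
REQUESTED = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS

if __FILE__ == $0
  puts "old code: BEAST mitigated? #{beast_mitigated?(old_effective_options(REQUESTED))}"
  puts "new code: BEAST mitigated? #{beast_mitigated?(new_effective_options(REQUESTED))}"
end
```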
It contains security fix for CVE-2011-4815 (DoS).
Wed Dec 28 21:34:23 2011 URABE Shyouhei <shyouhei@ruby-lang.org>
* string.c (rb_str_hash): randomize hash to avoid algorithmic
complexity attacks. CVE-2011-4815
* st.c (strhash): ditto.
* string.c (Init_String): initialization of hash_seed to be at the
beginning of the process.
* st.c (Init_st): ditto.
Thu Dec 8 11:57:04 2011 Tanaka Akira <akr@fsij.org>
* inits.c (rb_call_inits): call Init_RandomSeed at first.
* random.c (seed_initialized): defined.
(fill_random_seed): extracted from random_seed.
(make_seed_value): extracted from random_seed.
(rb_f_rand): initialize random seed at first.
(initial_seed): defined.
(Init_RandomSeed): defined.
(Init_RandomSeed2): defined.
(rb_reset_random_seed): defined.
(Init_Random): call Init_RandomSeed2.
Sat Dec 10 20:44:23 2011 Tanaka Akira <akr@fsij.org>
* lib/securerandom.rb: call OpenSSL::Random.seed at the
SecureRandom.random_bytes call.
insert separators for array join.
patch by Masahiro Tomita. [ruby-dev:44270]
Mon Oct 17 04:20:22 2011 Nobuyoshi Nakada <nobu@ruby-lang.org>
* mkconfig.rb: fix for continued lines. based on a patch from
Marcus Rueckert <darix AT opensu.se> at [ruby-core:20420].
Mon Oct 17 04:19:39 2011 Yukihiro Matsumoto <matz@ruby-lang.org>
* numeric.c (flo_cmp): Infinity is greater than any bignum
number. [ruby-dev:38672]
* bignum.c (rb_big_cmp): ditto.
Mon Oct 17 03:56:12 2011 Yusuke Endoh <mame@tsg.ne.jp>
* ext/openssl/ossl_x509store.c (ossl_x509store_initialize): initialize
store->ex_data.sk. [ruby-core:28907] [ruby-core:23971]
[ruby-core:18121]
* Use 18, 19 instead of 1.9, 2.0 for RUBY_VERSION_DEFAULT.
* Add 193 for Ruby 1.9.3, too.
* If RUBY_VERSION_SUPPORTED contains a single version of Ruby, make the
package depend strictly on that version.
* Move RUBY_SITE_SUBDIR to Makefile.common.
* Change RUBY_VERSION_SUFFIX to RUBY_VERSION_FULL.
* Remove small code for NetBSD 1.x.
* Change RUBY_DLEXT and RUBY_SLEXT by ${_OPSYS_SHLIB_TYPE} instead of
${OPSYS}'s value.
- Set RUBY_API_VERSION after RUBY_VERSION has been decided.
- Change old RUBY_DOCDIR and RUBY_EXAMPLESDIR to RUBY_DOC and RUBY_EG in
comment.
- Fix shared libraries PLIST to support Mac OS X by introducing RUBY_SLEXT:
Shared library => .dylib
Extension library => .bundle
- Improve PRINT_PLIST_AWK to handle new shared libraries.
No functional change should be done and fix PR pkg/44050.
Ruby's patchlevel N is reflected as "plN" instead of ".N" from Ruby 1.9.
ruby18-base-1.8.7.302
ruby19-base-1.9.2pl0
Still Ruby 1.9.2pl0 support is disabled.
* Introduce RUBY_API_VERSION.
* RUBY_BUILD_RDOC and RUBY_BUILD_RI control the build of rdoc/ri. But,
currently ruby18-base and ruby19-base set them according to PKG_OPTION.
* Define rubygem supporting macros.
* RUBY_HAS_ARCHLIB is deprecated.
* Many directory macros are changed to relative path against PREFIX and
some of them are their name.
* Fix critical problem of BigDecimal class in 1.8.7-p173.
Fri Jun 12 16:36:44 2009 Yukihiro Matsumoto <matz@ruby-lang.org>
* ext/bigdecimal/bigdecimal.c (VpToString): fixed a bug introduced
in r23613. [ruby-talk:338957]
These packages are implicitly updated with distfile update only.
databases/ruby-gdbm
devel/ruby-readline
lang/ruby
lang/ruby18
Here's quote from release announce:
Sorry for a fuss, but it turned out that taintness check of dl in last
releases I made was incomplete. Here are fixes for that.
And relevant changes:
Mon Aug 11 09:37:17 2008 Yukihiro Matsumoto <matz@ruby-lang.org>
* ext/dl/dl.c (rb_str_to_ptr): should propagate taint to dlptr.
* ext/dl/dl.c (rb_ary_to_ptr): ditto.
* ext/dl/sym.c (rb_dlsym_call): should check taint of DLPtrData as
well.
* Update RUBY18_VERSION to 1.8.7 and RUBY18_PATCHLEVEL to 17.
* Use vendor_ruby instead of site_ruby.
* Introduce macros for relative paths and use them instead of the old absolute
paths.
RUBY_LIB lib/ruby/${RUBY_VER_DIR}
RUBY_ARCHLIB ${RUBY_LIB}/${RUBY_ARCH}
RUBY_SITELIB_BASE lib/ruby/site_ruby
RUBY_SITELIB ${RUBY_SITELIB_BASE}/${RUBY_VER_DIR}
RUBY_SITEARCHLIB ${RUBY_SITELIB}/${RUBY_ARCH}
RUBY_VENDORLIB_BASE lib/ruby/vendor_ruby
RUBY_VENDORLIB ${RUBY_VENDORLIB_BASE}/${RUBY_VER_DIR}
RUBY_VENDORARCHLIB ${RUBY_VENDORLIB}/${RUBY_ARCH}
RUBY_DOC share/doc/${RUBY_NAME}
RUBY_EG share/examples/${RUBY_NAME}
These old macros are removed after the 2008Q2 branch.
RUBY_LIBDIR
RUBY_ARCHLIBDIR
RUBY_SITELIBDIR
RUBY_SITEARCHLIBDIR
RUBY_VENDORLIBDIR
RUBY_VENDORARCHLIBDIR
RUBY_DOCDIR
RUBY_EXAMPLESDIR
* update PRINT_PLIST_AWK macro to reality and move some of them from
ruby/modules.mk to ruby/rubyversion.mk.
Its main changes are the security fix of the WEBrick library.
Mon Mar 3 23:34:13 2008 GOTOU Yuuzou <gotoyuzo@notwork.org>
* lib/webrick/httpservlet/filehandler.rb: should normalize path
separators in path_info to prevent directory traversal attacks
on DOSISH platforms.
reported by Digital Security Research Group [DSECRG-08-026].
* lib/webrick/httpservlet/filehandler.rb: pathnames which must not
be published should be checked case-insensitively.
Mon Dec 3 08:13:52 2007 Kouhei Sutou <kou@cozmixng.org>
* test/rss/test_taxonomy.rb, test/rss/test_parser_1.0.rb,
test/rss/test_image.rb, test/rss/rss-testcase.rb: ensured
declaring XML namespaces.
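The two WEBrick file-handler checks from the entry above, as an added example that is not WEBrick's own code: separators are normalized before the traversal check so a DOSISH-style "..\" is caught, and non-disclosure names (constructed sample patterns here) are matched case-insensitively.

```ruby
# Added example (not WEBrick's own code). Applies the two checks named in
# the changelog entry: normalize path separators before looking for "..",
# and match non-disclosure names case-insensitively. Both are written the
# way a DOSISH host needs them, whatever platform this runs on.
NONDISCLOSURE_NAMES = ['.ht*', '*~'].freeze  # constructed sample patterns

# Treat "\" as a separator too, as a DOSISH platform does, so that "..\"
# cannot slip past a check that only looks for "../".
def normalize_path_info(path_info)
  path_info.gsub('\\', '/')
end

def directory_traversal?(path_info)
  normalize_path_info(path_info).split('/').include?('..')
end

# Case-insensitive match, so ".HTACCESS" is hidden just like ".htaccess".
def nondisclosure_name?(basename)
  NONDISCLOSURE_NAMES.any? do |pattern|
    File.fnmatch(pattern, basename, File::FNM_CASEFOLD)
  end
end

# Decide whether a request's path_info may be served from docroot.
# Returns :traversal, :nondisclosure, or [:ok, resolved_path].
def check_request(docroot, path_info)
  return :traversal if directory_traversal?(path_info)
  parts = normalize_path_info(path_info).split('/').reject(&:empty?)
  return :nondisclosure if parts.any? { |p| nondisclosure_name?(p) }
  [:ok, File.join(docroot, *parts)]
end

if __FILE__ == $0
  ['/docs/index.html', '..\\..\\boot.ini', '/.HTPASSWD'].each do |pi|
    puts "#{pi.inspect} => #{check_request('/srv/www', pi).inspect}"
  end
end
```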
- discontinue use of RUBY_PATCH_DATE.
- Introduce RUBY_PATCH_LEVEL.
pkgsrc's ruby tracks Ruby's patch releases and avoids maintaining
its own patch files (with RUBY_PATCH_DATE).
Changes are too many; please see the ChangeLog file.
- Include options.mk before rubyversion.mk, so PLIST for ri database
should be created suitably.
- make RUBY_RIDIR and its friends relative path to ${PREFIX}.
- Fix and improve handling of ${RUBY_RIDIR}; this should fix the
leftover ${RUBY_RIDIR} after pkg_delete ruby18-base.
(Noted by private mail from wiz@.)
Bump PKGREVISION of ruby18-base package.