Quote from release announce:
Good day to release a ruby, no?
That's definitely one of the reasons why I do this now, but there are
others. One thing is to backport fixes for CVE-2013-1821, which was disclosed
earlier. The other is to fix CVE-2013-4073, whose details are available soon
I believe. People still using 1.8.7 should consider upgrading because the
fixes are for security.
ChangeLog.
Thu Jun 27 20:55:23 2013 URABE Shyouhei <shyouhei@ruby-lang.org>
* test/openssl/test_ssl.rb: Oops, sorry!
Thu Jun 27 20:21:18 2013 URABE Shyouhei <shyouhei@ruby-lang.org>
* ext/openssl/lib/openssl/ssl-internal.rb (OpenSSL::SSL#verify_certificate_identity):
fix hostname verification. Patch by nahi.
* test/openssl/test_ssl.rb (OpenSSL#test_verify_certificate_identity):
test for above.
Sat May 18 23:34:50 2013 Kouhei Sutou <kou@cozmixng.org>
* lib/rexml/document.rb: move entity_expansion_text_limit accessor to ...
* lib/rexml/rexml.rb: ... here to make rexml/text independent from
REXML::Document. It causes circular require.
* lib/rexml/document.rb (REXML::Document.entity_expansion_text_limit):
deprecated.
* lib/rexml/document.rb (REXML::Document.entity_expansion_text_limit=):
deprecated.
* lib/rexml/text.rb: add missing require "rexml/rexml" for
REXML.entity_expansion_text_limit.
Reported by Robert Ulejczyk. Thanks!!! [ruby-core:52895] [Bug #7961]
Sat May 18 23:34:50 2013 Aaron Patterson <aaron@tenderlovemaking.com>
* lib/rexml/document.rb (REXML::Document.entity_expansion_text_limit):
new attribute to read/write entity expansion text limit. the default
limit is 10Kb.
* lib/rexml/text.rb (REXML::Text.unnormalize): check above attribute.
No security fix, but bug fix only,
Fri Jun 29 21:26:05 2012 Nobuyoshi Nakada <nobu@ruby-lang.org>
* eval.c (stack_extend): prevent ALLOCA_N, which reserves memory
for restoring the machine stack stored in each thread, from being
optimized out. backport r34278 from the trunk.
Mon Jun 18 18:32:43 2012 Martin Bosslet <Martin.Bosslet@googlemail.com>
* backport r32609 from trunk.
* ext/openssl/ossl_hmac.c: Revert checking return type of
HMAC_Init_ex as it is not compatible with OpenSSL < 1.0.0.
Mon Jun 18 18:32:43 2012 Martin Bosslet <Martin.Bosslet@googlemail.com>
* backport r32606 from trunk.
* ext/openssl/ossl_digest.c: Check return value of EVP_DigestInit_ex.
* ext/openssl/ossl_hmac.c: Check return value of HMAC_Init_ex.
Thanks, Jared Jennings, for the patch.
[ Ruby 1.9 - Bug #4944 ] [ruby-core:37670]
Sun Jun 10 03:00:21 2012 Nobuyoshi Nakada <nobu@ruby-lang.org>
* eval.c (ruby_setjmp): need to save the stack after r2 (the Table
of Contents on ppc64) is saved onto the stack by getcontext().
based on <https://bugzilla.redhat.com/show_bug.cgi?id=628715>.
Bug#4411
Thu Jun 7 19:00:35 2012 Kenta Murata <mrkn@mrkn.jp>
* ext/bigdecimal/bigdecimal.c (VpMemAlloc): Fixes a bug reported
by Drew Yao <ayao at apple.com>
Wed Jun 6 15:09:00 2012 Nobuyoshi Nakada <nobu@ruby-lang.org>
* eval.c (rb_thread_join), ext/thread/thread.c (wake_one): adjusts
targets of rest waiting threads to join. [ruby-core:23457]
Wed Jun 6 14:44:13 2012 Kenta Murata <mrkn@mrkn.jp>
* bignum.c (rb_big2dbl), test/ruby/test_bignum.rb (test_to_f):
A negative Bignum out of Float range should be converted to -Infinity.
[ruby-core:30492] [Bug #3362]
Wed Jun 6 14:06:02 2012 Tanaka Akira <akr@fsij.org>
* lib/webrick/utils.rb: fix fcntl call.
* lib/drb/unix.rb: ditto.
Mon May 21 16:29:47 2012 Akinori MUSHA <knu@iDaemons.org>
* ext/syslog/syslog.c (mSyslog_inspect): Make sure self is a
module before calling rb_class2name().
Fri May 11 14:09:48 2012 Nobuyoshi Nakada <nobu@ruby-lang.org>
* ext/bigdecimal/bigdecimal.c (PUSH): to prevent VALUE from GC,
must not cast it to unsigned long, which may be shorter than
VALUE, and the result can be mere garbage.
Sat Apr 14 18:51:41 2012 Nobuyoshi Nakada <nobu@ruby-lang.org>
* bignum.c (rb_big2str0): prevent working clone from
GC. [exerb-dev:0578]. patched by MURASE Masamitsu
<masamitsu.murase AT gmail.com> at [exerb-dev:0580]
Fri Mar 2 11:44:33 2012 Nobuyoshi Nakada <nobu@ruby-lang.org>
* marshal.c (mark_dump_arg): mark destination string. patch by
Vit Ondruch. [Bug #4339]
* marshal.c (clear_dump_arg, clear_load_arg): clean up also data
tables as same as symbols tables.
Fri Mar 2 11:44:33 2012 Nobuyoshi Nakada <nobu@ruby-lang.org>
* marshal.c (struct {dump,load}_arg): manage with dfree, instead
of using local variable which may be moved by context switch.
Wed Feb 8 14:06:59 2012 Hiroshi Nakamura <nahi@ruby-lang.org>
* ext/openssl/ossl_ssl.c: Add SSL constants and allow to unset SSL
option to prevent BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent the
TLS-CBC-IV vulnerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's a known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as the BEAST attack. (CVE-2011-3389)
Until now ossl sets OP_ALL at SSLContext allocation and calls
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.
This commit changes to call SSL_CTX_set_options only 1 time for each
SSLContext. It sets the specified value if SSLContext#options= is
called and sets OP_ALL if not.
To help users to unset bits in OP_ALL, this commit also adds several
constants to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there was no way to unset bits in OP_ALL
before.
Following is an example to enable 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
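As an added example (not part of the ChangeLog entry quoted above), the following configures a context the way the entry describes and checks the resulting option bits. It assumes a Ruby whose openssl extension is built against an OpenSSL that still defines OP_DONT_INSERT_EMPTY_FRAGMENTS; the helper names are ours, not Ruby's.

```ruby
# Added example: configure an SSLContext the way the ChangeLog entry above
# describes and verify the resulting option bits. Helper names are ours;
# the OpenSSL::SSL constants are the ones the entry exposes.
require 'openssl'

EMPTY_FRAGMENT_BIT = OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS

# Pre-fix behaviour: SSL_CTX_set_options only ORs bits in, so a bit that
# OP_ALL already set can never be cleared by a later "set options" call.
def or_only_update(current_options, requested_options)
  current_options | requested_options
end

# Post-fix behaviour: SSLContext#options= replaces the whole bitmask,
# so OP_ALL with the empty-fragment workaround bit cleared re-enables
# OpenSSL's 0/n record split for CBC cipher suites (BEAST mitigation).
def beast_mitigated_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = OpenSSL::SSL::OP_ALL & ~EMPTY_FRAGMENT_BIT
  ctx
end

# Audit helper: true when the context still suppresses empty fragments,
# i.e. the countermeasure is off (the case when OP_ALL is used as-is).
def empty_fragments_suppressed?(ctx)
  (ctx.options & EMPTY_FRAGMENT_BIT) != 0
end

if __FILE__ == $0
  default_ctx = OpenSSL::SSL::SSLContext.new
  default_ctx.options = OpenSSL::SSL::OP_ALL
  puts "OP_ALL as-is suppresses empty fragments: #{empty_fragments_suppressed?(default_ctx)}"
  puts "mitigated context suppresses them:      #{empty_fragments_suppressed?(beast_mitigated_context)}"
  stuck = or_only_update(OpenSSL::SSL::OP_ALL, OpenSSL::SSL::OP_ALL & ~EMPTY_FRAGMENT_BIT)
  puts "OR-only update leaves the bit set:      #{(stuck & EMPTY_FRAGMENT_BIT) != 0}"
end
```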
It contains security fix for CVE-2011-4815 (DoS).
Wed Dec 28 21:34:23 2011 URABE Shyouhei <shyouhei@ruby-lang.org>
* string.c (rb_str_hash): randomize hash to avoid algorithmic
complexity attacks. CVE-2011-4815
* st.c (strhash): ditto.
* string.c (Init_String): initialization of hash_seed to be at the
beginning of the process.
* st.c (Init_st): ditto.
Thu Dec 8 11:57:04 2011 Tanaka Akira <akr@fsij.org>
* inits.c (rb_call_inits): call Init_RandomSeed at first.
* random.c (seed_initialized): defined.
(fill_random_seed): extracted from random_seed.
(make_seed_value): extracted from random_seed.
(rb_f_rand): initialize random seed at first.
(initial_seed): defined.
(Init_RandomSeed): defined.
(Init_RandomSeed2): defined.
(rb_reset_random_seed): defined.
(Init_Random): call Init_RandomSeed2.
Sat Dec 10 20:44:23 2011 Tanaka Akira <akr@fsij.org>
* lib/securerandom.rb: call OpenSSL::Random.seed at the
SecureRandom.random_bytes call.
insert separators for array join.
patch by Masahiro Tomita. [ruby-dev:44270]
Mon Oct 17 04:20:22 2011 Nobuyoshi Nakada <nobu@ruby-lang.org>
* mkconfig.rb: fix for continued lines. based on a patch from
Marcus Rueckert <darix AT opensu.se> at [ruby-core:20420].
Mon Oct 17 04:19:39 2011 Yukihiro Matsumoto <matz@ruby-lang.org>
* numeric.c (flo_cmp): Infinity is greater than any bignum
number. [ruby-dev:38672]
* bignum.c (rb_big_cmp): ditto.
Mon Oct 17 03:56:12 2011 Yusuke Endoh <mame@tsg.ne.jp>
* ext/openssl/ossl_x509store.c (ossl_x509store_initialize): initialize
store->ex_data.sk. [ruby-core:28907] [ruby-core:23971]
[ruby-core:18121]
* The FileUtils Vulnerability
http://www.ruby-lang.org/en/news/2011/02/18/fileutils-is-vulnerable-to-symlink-race-attacks/
* The $SAFE Vulnerability
Fri Feb 18 21:18:55 2011 Shugo Maeda <shugo@ruby-lang.org>
* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
Test for below.
Fri Feb 18 21:18:55 2011 URABE Shyouhei <shyouhei@ruby-lang.org>
* error.c (exc_to_s): untainted strings can be tainted via
Exception#to_s, which enables attackers to overwrite sane strings.
Reported by: Yusuke Endoh <mame at tsg.ne.jp>.
* error.c (name_err_to_s): ditto.
Fri Feb 18 21:17:22 2011 Shugo Maeda <shugo@ruby-lang.org>
* lib/fileutils.rb (FileUtils::remove_entry_secure): there is a
race condition in the case where the given path is a directory,
and some other user can move that directory, and create a
symlink while this method is executing.
Reported by: Nicholas Jefferson <nicholas at pythonic.com.au>
Fri Feb 18 19:46:46 2011 NAKAMURA Usaku <usa@ruby-lang.org>
* win32/win32.c (init_stdhandle): backport mistake of r29382.
some code is needless in ruby 1.8.
[ruby-core:34579]
Fri Feb 18 19:22:17 2011 URABE Shyouhei <shyouhei@ruby-lang.org>
* configure.in: revert revision r29854. This revision introduced
binary incompatibilities on some circumstances. The bug that
revision was fixing gets reopened by this reversion.
[ruby-dev:43152] cf. [Bug #2553]
* Fix critical problem of BigDecimal class in 1.8.7-p173.
Fri Jun 12 16:36:44 2009 Yukihiro Matsumoto <matz@ruby-lang.org>
* ext/bigdecimal/bigdecimal.c (VpToString): fixed a bug introduced
in r23613. [ruby-talk:338957]
Mon Jun 8 10:58:41 2009 NAKAMURA Usaku <usa@ruby-lang.org>
* eval.c (rb_thread_schedule): mswin32 doesn't have F_GETFD, so check
with another method.
Mon Jun 8 08:15:36 2009 Yukihiro Matsumoto <matz@ruby-lang.org>
* ext/bigdecimal/bigdecimal.c (VpAlloc): avoid ALLOCA_N() to avoid
segmentation fault caused by (insanely) long decimal values.
backported from 1.9. CVE-2009-1904
* ext/bigdecimal/bigdecimal.c (BigDecimal_dump, BigDecimal_to_i,
BigDecimal_to_f, BigDecimal_to_s, BigDecimal_split,
BigDecimal_inspect): ditto.
Mon Jun 8 08:15:36 2009 Yukihiro Matsumoto <matz@ruby-lang.org>
* ext/bigdecimal/bigdecimal.c (BigDecimal_to_f): returns Inf if
exp is bigger than DBL_MANT_DIG.
Wed Jun 3 21:16:30 2009 Tanaka Akira <akr@fsij.org>
* file.c: include fcntl.h for O_RDONLY on Solaris.
Wed Jun 3 21:09:56 2009 Nobuyoshi Nakada <nobu@ruby-lang.org>
* util.c (rv_strdup): macro to duplicate nul-terminated string.
[ruby-core:22852]
* util.c (ruby_dtoa): allocates one more byte to get rid of buffer
overrun. a patch from Charlie Savage at [ruby-core:22604].
Wed Jun 3 21:09:56 2009 Nobuyoshi Nakada <nobu@ruby-lang.org>
* util.c (ruby_dtoa): allocates one more byte to get rid of buffer
overrun. a patch from Charlie Savage at [ruby-core:22604].
Wed Jun 3 21:05:44 2009 Nobuyoshi Nakada <nobu@ruby-lang.org>
* ext/bigdecimal/bigdecimal.c (gfDebug): uncommented out.
[ruby-core:22600]
Wed Jun 3 20:54:23 2009 Nobuyoshi Nakada <nobu@ruby-lang.org>
* eval.c (rb_eval): needs to guard intermediate string objects.
based on a patch from Brent Roman <brent AT mbari.org> a
[ruby-core:22584].
Tue May 26 21:24:01 2009 URABE Shyouhei <shyouhei@ruby-lang.org>
* Makefile.in (update-rubyspec, test-rubyspec): Catch up to
rubyspec merge. A patch by Brian Ford at [ruby-core:21032]
Tue May 26 21:21:49 2009 Akinori MUSHA <knu@iDaemons.org>
* lib/soap/mimemessage.rb (MIMEMessage#to_s): Fix a fatal
method name typo. [Bug #1173]
Tue May 26 21:16:55 2009 Nobuyoshi Nakada <nobu@ruby-lang.org>
* file.c (rb_file_s_extname): fix for spaces before extension.
[ruby-dev:38044]
Tue May 26 21:09:21 2009 Nobuyoshi Nakada <nobu@ruby-lang.org>
* win32/win32.c (_CrtDbgReportW): prevent from false positive
assertions in msvcrtd. [ruby-core:22116]
Tue May 26 21:02:13 2009 Nobuyoshi Nakada <nobu@ruby-lang.org>
* lib/ostruct.rb (OpenStruct#new_ostruct_member): checks if frozen.
[ruby-talk:328195], [ruby-core:22142]
Tue May 26 21:00:08 2009 Nobuyoshi Nakada <nobu@ruby-lang.org>
* lib/ostruct.rb (OpenStruct#inspect): fixed the recursion check.
Patch by Kornelius Kalnbach. [ruby-core:20992].
* test/ostruct/test_ostruct.rb: test for inspect.
Patch by Kornelius Kalnbach. [ruby-core:20992].
Tue May 26 20:50:32 2009 Tanaka Akira <akr@fsij.org>
* eval.c (rb_thread_schedule): handle EBADF of select as well.
[ruby-core:21264]
This release is the counterpart of 1.8.6-p368, so many bugs are fixed
since the latest 1.8.7. Check the ChangeLog for more details.
Especially, it includes workarounds for CVE-2007-1558 and CVE-2008-1447.
It fixes the OCSP (Online Certificate Status Protocol) verify method, which did not always
return false when verification failed in OpenSSL's corresponding library.
(It might be a possible security risk when using OCSP.)
Fix small PLIST improvement, too.
Bump PKGREVISION.
These packages are implicitly updated with distfile update only.
databases/ruby-gdbm
devel/ruby-readline
lang/ruby
lang/ruby18
Here's quote from release announce:
Sorry for a fuss, but it turned out that taintness check of dl in last
releases I made was incomplete. Here are fixes for that.
And relevant changes:
Mon Aug 11 09:37:17 2008 Yukihiro Matsumoto <matz@ruby-lang.org>
* ext/dl/dl.c (rb_str_to_ptr): should propagate taint to dlptr.
* ext/dl/dl.c (rb_ary_to_ptr): ditto.
* ext/dl/sym.c (rb_dlsym_call): should check taint of DLPtrData as
well.
pkgsrc change:
Apply fix for the sunpro compiler, provided by PR pkg/37771 from
Naoto Morishima.
This release includes fix for multiple vulnerabilities.
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
* Several vulnerabilities in safe level
* DoS vulnerability in WEBrick
* Lack of taintness check in dl
* DNS spoofing vulnerability in resolv.rb
Full changes are too many; please refer to the ChangeLog file.
This is security fix:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities
Fri Jun 20 18:25:18 2008 Nobuyoshi Nakada <nobu@ruby-lang.org>
* string.c (rb_str_buf_append): should infect.
Fri Jun 20 16:33:09 2008 Nobuyoshi Nakada <nobu@ruby-lang.org>
* array.c (rb_ary_store, rb_ary_splice): not depend on unspecified
behavior at integer overflow.
* string.c (str_buf_cat): ditto.
Wed Jun 18 22:24:46 2008 URABE Shyouhei <shyouhei@ruby-lang.org>
* array.c (ary_new, rb_ary_initialize, rb_ary_store,
rb_ary_splice, rb_ary_times): integer overflows should be
checked. based on patches from Drew Yao <ayao at apple.com>
fixed CVE-2008-2726
* string.c (rb_str_buf_append): fixed unsafe use of alloca,
which led to memory corruption. based on a patch from Drew Yao
<ayao at apple.com> fixed CVE-2008-2726
* sprintf.c (rb_str_format): backported from trunk.
* intern.h: ditto.
Tue Jun 17 15:09:46 2008 Nobuyoshi Nakada <nobu@ruby-lang.org>
* file.c (file_expand_path): no need to expand root path which has no
short file name. [ruby-dev:35095]
Sun Jun 15 19:27:40 2008 Akinori MUSHA <knu@iDaemons.org>
* configure.in: Fix $LOAD_PATH. Properly expand vendor_ruby
directories; submitted by Takahiro Kambe <taca at
back-street.net> in [ruby-dev:35099].
Its main changes are security fixes to the WEBrick library.
Mon Mar 3 23:34:13 2008 GOTOU Yuuzou <gotoyuzo@notwork.org>
* lib/webrick/httpservlet/filehandler.rb: should normalize path
separators in path_info to prevent directory traversal attacks
on DOSISH platforms.
reported by Digital Security Research Group [DSECRG-08-026].
* lib/webrick/httpservlet/filehandler.rb: pathnames which have
not to be published should be checked case-insensitively.
Mon Dec 3 08:13:52 2007 Kouhei Sutou <kou@cozmixng.org>
* test/rss/test_taxonomy.rb, test/rss/test_parser_1.0.rb,
test/rss/test_image.rb, test/rss/rss-testcase.rb: ensured
declaring XML namespaces.
Basically, no change since the previous update except that Net::HTTP's default
@enable_post_connection_check was wrongly set to true. (It might
cause a compatibility problem.)
Approved by wiz@.
This is a bug fix release of Ruby 1.8.6. Especially, it fixes a thread/eval
function problem on Mac OS X. It also fixes an openssl extension
portability problem which was a bad patch by pkgsrc.
For more detail, please refer to the CHANGES file.
- discontinue use of RUBY_PATCH_DATE.
- Introduce RUBY_PATCH_LEVEL.
pkgsrc's ruby tracks Ruby's patch releases and avoids maintaining
its own patch files (with RUBY_PATCH_DATE).
Changes are too many; please see the ChangeLog file.
- Many changes from 2006/9/6; see Changes file, please.
- Fixes another cgi.rb vulnerability:
http://jvn.jp/jp/JVN%2384798830/index.html
o Introduce ruby-build-ri-db PKG_OPTION which enables installing the database
for Ruby's ri utility. Default is disabled; this should fix
PR pkg/34587.
(1) Don't use make's variable in DESCR; fixes PR pkg/34920.
(2) Use --enable-wide-getaddrinfo on not only Linux but also Solaris.
(3) Make sure to link libruby.so with the proper -R linker option.
Thanks to Dan McMahill, who reported and suggested fixes to (2) and (3)
by private mail. And thanks to Takayoshi Kochi, who reported PR pkg/34920.
Bump PKGREVISION.
pkgsrc changes:
* Add RUBY_DYNAMIC_DIRS which causes generation of dynamic PLIST entries.
* Move using buildlinks to rubyversion.mk.
* Merge converters/ruby-iconv to ruby18-base.
Ruby changes:
* too many, see ChangeLog file or
http://eigenclass.org/hiki.rb?ruby+1.8.5+changelog
- Add two miscellaneous patches for openssl and yaml libraries.
They were left from last year, sigh.
- Add one more part for CVE-2006-3694.
Bump PKGREVISION.