This includes a fix for CVE-2013-4287 in rubygems.
=== 2.0.8 / 2013-09-09
Security fixes:
* RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a
backtracking in Gem::Version validation. See CVE-2013-4287 for full details
including vulnerable APIs. Fixed versions include 2.0.8, 1.8.26 and
1.8.23.1 (for Ruby 1.9.3). Issue #626 by Damir Sharipov.
Bug fixes:
* Fixed Gem.clear_paths when Security is defined at top-level. Pull request
#625 by elarkin
=== 2.0.7 / 2013-08-15
* Extensions may now be built in parallel (therefore gems may be installed in
parallel). Bug #607 by Hemant Kumar.
* Changed broken link to RubyGems Bookshelf to point to RubyGems guides. Ruby
pull request #369 by 謝致邦.
* Fixed various test failures due to platform differences or poor tests.
Patches by Yui Naruse and Koichi Sasada.
* Fixed documentation for Kernel#require.
=== 2.0.6 / 2013-07-24
Bug fixes:
* Fixed the `--no-install` and `-I` options to `gem list` and friends. Bug
#593 by Blargel.
* Fixed crash when installing gems with extensions under the `-V` flag. Bug
#601 by Nick Hoffman.
* Fixed race condition retrieving HTTP connections in Gem::Request on JRuby.
Bug #597 by Hemant Kumar.
* Fixed building extensions on ruby 1.9.3 under mingw. Bug #594 by jonforums,
Bug #599 by Chris Riesbeck
* Restored default of remote search to `gem search`.
=== 2.0.5 / 2013-07-11
Bug fixes:
* Fixed building of extensions that run ruby in their makefiles. Bug #589 by
Zachary Salzbank.
=== 2.0.4 / 2013-07-09
Bug fixes:
* Fixed error caused by gem install not finding the right platform for your
platform. Bug #576 by John Anderson
* Fixed pushing gems with the default host. Bug #495 by Utkarsh Kukreti
* Improved unhelpful error message from `gem owner --remove`. Bug #488 by
Steve Klabnik
* Fixed typo in `gem spec` help. Pull request #563 by oooooooo
* Fixed creation of build_info with --install-dir. Bug #457 by Vít Ondruch.
* RubyGems converts non-string dependency names to strings now. Bug #505 by
Terence Lee
* Outdated prerelease versions are now listed in `gem outdated`.
* RubyGems now only calls fsync() on the specification when installing, not
every file from the gem. This improves the performance of gem installation
on some systems. Pull Request #556 by Grzesiek Kolodziejczyk
* Removed surprise search term anchoring in `gem search` to restore 1.8-like
search behavior while still defaulting to --remote. Pull request #562 by
Ben Bleything
* Fixed handling of DESTDIR when building extensions. Pull request #573 by
Akinori MUSHA
* Fixed documentation of `gem pristine` defaults (--all is not a default).
Pull request #577 by Shannon Skipper
* Fixed a windows extension-building test failure. Pull request #575 by
Hiroshi Shirosaki
* Fixed issue with `gem update` where it would attempt to use a Version
instead of a Requirement to find the latest gem. Fixes#570 by Nick Cox.
* RubyGems now ignores an empty but set RUBYGEMS_HOST environment variable.
Based on pull request #558 by Robin Dupret.
* Removed duplicate creation of gem subdirectories in
Gem::DependencyInstaller. Pull Request #456 by Vít Ondruch
* RubyGems now works with Ruby built with `--with-ruby-version=''`. Pull
Request #455 by Vít Ondruch
* Fixed race condition when two threads require the same gem. Ruby bug report
#8374 by Joel VanderWerf
* Cleaned up siteconf between extension build and extension install. Pull
request #587 by Dominic Cleal
* Fix deprecation warnings when converting gemspecs to yaml. Ruby commit
r41148 by Yui Naruse
* Add materialized views
* Make simple views auto-updatable
* Add many features for the JSON data type, including operators and functions to extract elements from JSON values
* Implement SQL-standard LATERAL option for FROM-clause subqueries and function calls
* Allow foreign data wrappers to support writes (inserts/updates/deletes) on foreign tables
* Add a Postgres foreign data wrapper to allow access to other Postgres servers
* Add support for event triggers
* Add optional ability to checksum data pages and report corruption
* Prevent non-key-field row updates from blocking foreign key checks
* Greatly reduce System V shared memory requirements
Changes since 1.7.0
=====================================
* Fixes for CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156
* Reduced entity expansion limits when parsing
Changes since 1.6.1
=====================================
* [SANTUARIO-314] - AES-GCM support
* [SANTUARIO-315] - XML Encryption 1.1 OAEP enhancements
Changes since 1.6.0
=====================================
* [SANTUARIO-268] - TXFMXPathFilter->evaluateExpr crashes on Windows
* [SANTUARIO-270] - DSIGObject::load method crashes for ds:Object without Id attribute
* [SANTUARIO-271] - Bug when signing files with big RSA keys
* [SANTUARIO-272] - Memory bug inside XENCCipherImpl::deSerialise
* [SANTUARIO-274] - Function cleanURIEscapes always throws XSECException, when any escape sequence occurs
* [SANTUARIO-275] - Function isHexDigit doesn't recognize invalid escape sequences.
* [SANTUARIO-276] - Percent-encoded multibyte (UTF-8) sequences unrecognized
* [SANTUARIO-280] - RSA-OAEP handler only allows SHA-1 digests
Changes since 1.5.1
=====================================
* Fix for bug#43964, wrong namespace in encryption DigestMethod (SC)
* Fix for bug#48676, RetrievalMethod handler (SC)
* Fix for bug#45867, support for >1 CRL per KeyInfo (SC)
* Fix for bug#49148, buffer initialization issue (SC)
* Fix for bug#49255, vector index bug (SC)
* Fix for bug#49257, stylesheet append bug (SC)
* Fix for bug#49260, header guard in XPath transform header (SC)
* Fix for bug#49264, string release crash (SC)
* Fix for bug#44983, improper c14n of XSLT (SC)
* Fix for bug#49289, setters for Reference Type/Id (SC)
* Fix for bug#49371, skip comments in X509Certificate elements (SC)
* Fix for bug#49459, more header guards (SC)
* Fix for bug#49660, NSS verification of RSA broken (SC)
* Expose algorithm URI on Signature and Reference objects (SC)
* White/blacklisting of otherwise registered algorithms (SC)
* Add selected XML Signature 1.1 KeyInfo extensions (SC)
* Add elliptic curve keys and signatures via ECDSA (SC)
* Support debugging of Reference/SignedInfo data (SC)
* Clean up tests for SHA2 algorithms in OpenSSL (SC)
* Updated autoconf script, added NSS support, removed pre-automake material (SC)
* Add methods for Reference removal to DSIGSignature/DSIGSignedInfo classes (SC)
Changes between 1.5 and 1.5.1
=====================================
* Fix for bug#47353 in c14n of default namespaces (SC)
* Fix Sparc compilation bug (SC)
* Fix for CVE-2009-0217 (SC)
Changes between version 1.4 and 1.5
=====================================
* Make SHA-1 the implicit default DigestMethod for RSA-OAEP
key transport, allowing for interop until broken impls are fixed (SC)
* Fix memory leak in OpenSSL RSA/DSA key cloning (SC)
* Expose KeyInfo extensions via DOM (SC)
* Fix c14n to omit standard xmlns:xml declarations (SC)
* Add partial support for Inclusive C14N 1.1 with regard to xml:id but not xml:base (SC)
* Finish port to Xerces 3.0 (SC)
* 64-bit API changes (SC)
* Add VC9 build files (SC)
Changes between version 1.3.1 and 1.4
=====================================
* Fix exclusive c14n namespace bug (rev. 526939) (BL)
* Add const specifiers and methods to various classes (SC)
* Add better extraction of openssl build settings using pkg-config (SC)
* Fix XSECnew macro to stop catching arbitrary errors and report
crypto exceptions instead of turning them into allocation errors (SC)
* Add various missing files to dist target (SC)
Changes between version 1.3 and 1.3.1
=====================================
* Refactor NIX build to use automake and libtool
* Initial support for API changes in Xerces 3.0
* Fix bug in autconf that would stop proper detection of Xerces
ability to set Id attributes
* Fix bug 40085 - incorrect OIDs on non SHA1 based RSA signatures.
* Update support for non SHA1 based RSA signatures
* Remove redundant code from SignedInfo that was preventing the
library from loading signatures it did not have an algorithm hard
wired for
* Fix bug in envelope transform when input nodeset is a document
fragment rather than the entire document and the canonicalisation
uses a namespace that was not defined directly in the fragment
* Fix bug in DSIGXPathFilterExpr where m_loaded was not initialised
potentially causing an exception when an XPath expression was loaded
reported by Ralf "Sabo" Saborowski.
Changes between version 1.2.1 and 1.3
=====================================
* Performance improvements in canonicalisation
* Implemented algorithm handlers for the digital signature classes,
to provide algorithm extensibility
* Update signature classes to pass in requested algorithms as URIs
rather than enums. Enum based methods are now deprecated.
* Fix memory leaks in OpenSSL wrapping code
* Provide ability for calling application to define whether
references are interlocking.
* Provide some stability if the Apache keystore is corrupted under Windows.
* Initial import of beta NSS crypto support
* Complete implementation of XKMS message set
* Methods to allow loading of encrypted data without doing decrypt
and to process a decrypt/encrypt operation without replacing the
original nodes
* Provide MS VC++ 2005 project files
* Fix bug when encrypting small input docs
* Implement checks for broken OpenSSL support under Solaris 10
* Add --with-xalan, --with-openssl, --with-xerces and
--enable-warnerror flags in configure
* Configure now detects if Xalan is installed rather than having
XALANCROOT being a pointer to the compile directory
- Reorder hashing in DSIGReference.cpp as per suggestion by Peter Gubis
- Update microsoft project files to reflect new version as per Scott Cantor
- Replace setAttribute with setAttributeNS calls
- Add methods to OpenSSL classes to extract OpenSSL objects
- Fix handling of libcrypto on Solaris platform
- Fix bug in Canoncicalisation courtesy of Scott Cantor
Changes between version 1.2 and 1.2.1
=====================================
* Fixed library versions in Windows builds (were being generated as 1.1)
* Added "No Xalan" builds for xklient under Windows VC6.0
* Added "No Xalan" builds for all projects in VC 7.0
Changes between version 1.1 and 1.2
===================================
* Started a changelog :>
* Remove MFC dependency and clean up memory debugging
* Remove dynamic_casts and RTTI requirement
* Implemented XKMS Message generation and processing
* Implemented command line XKMS tool for generating and dumping XKMS messages
* Support for DESTDIR as provided by ville.skytta@iki.fi in Bugzilla 28520
* Update to Apache licence 2.0.
* Add support for SHA224/256/384/512 (requires OpenSSL 0.9.8 Beta)
* Patch for Mac OS X compile - provided by Scott Cantor - cantor.2@osu.edu - See Bugzilla #34920
* Updates to compile against Xalan 1.9
* Backport to compile with Xerces 2.1
* Fix bug with NULL pointer when validating or signing empty reference lists - fix as suggested by Jesse Pelton <jsp@PKC.com> on 23 March 2005 on security-dev@xml
* Provided support for nominating namespace based Id attributes
* Change to allow apps to calculate and obtain signed info hash - from Eckehard.Hermann@softwareag.com - see email of 2 March 2005 on security-dev@xml
* Patch for long RSA keys provided by Michael Braunoeder - michael@mib.priv.at to security-dev@xml on 16 Nov 2005
* Memory leak in OpenSSLCryptoBase64 reported by Jesse Pelton fixed.
* Move to internal Base64 decoder in a number of methods to handle non-wrapping data
* Resize buffer in OpenSSLCryptoKeyRSA for larger RSA keys - as submitted by Vadim Ismailov <worndown@gmail.com> 3 December 2005
* Remove redundant m_keyType class variable from OpenSSLCryptoKeyRSA as reported by Jesse Pelton (jsp@pkc.com) on security-dev@xml
* Don't throw an exception when an RSA decrypt fails during sig validation - this is a failed validate, not an error
* Shutdown OpenSSL properly - as suggested by Jesse Pelton <jsp@PKC.com> in e-mail to security-dev@xml on 9 March 2005
* Changed scope of WinCapiCryptoKey::importKey() from private to public. It returns key now, instead of void.
* Fix problem in Windows CAPI where XSEC doesn't work if user doesn't have admin rights.
* Bug fix in Windows CAPI code for some W2K machines - reported by Andrzej Matejko 4/5/2004
* Fix build on non WINCAPI systems, as reported by Milan Tomic on 22/4/2004
* New constructor added to WinCapiX509
* Fixed Bug in encode() XSCryptCryptoBase64.
* Fix bug in XPathFilter transform when checking if an attribute is in the input node set.
* Fix bug in in UTF transcoder for counting of transcoded characters (count characters not bytes) reported by Milan Tomic
* Move function definitions in the Windows BinInput stream class to static to avoid conflicts with Xerces. As suggested by Jesse Pelton <jsp@PKC.com> on 2 Feb 2005 in security-dev@xml
* Added complete KeyInfo handling for XENCEncryptedType
* Fix to stop re-use of derived key encrypting key when decrypting multiple elements in a document
* Fix to ignore encryption exceptions during a private key decrypt
* Add code to detect ASN.1 encoded DSA signatures and validate accordingly
