* Merge from Debian testing (LP: #1131493). Remaining changes:
- debian/control: Add ca-certificates to libruby1.9.1 depends so that
rubygems can perform certificate verification
- debian/rules: Don't install SSL certificates from upstream sources
- debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
/etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
* Changes dropped:
- debian/patches/20121016-cve_2012_4522.patch: Debian is carrying a patch
for this issue.
- debian/patches/20121011-cve_2012_4464-cve_2012_4466.patch: Debian is
carrying a patch for this issue, but the patch is incorrectly named
20120927-cve_2011_1005.patch. I'll work with Debian to change the patch
name, but there's no need in carrying a delta because of this. To be
clear, the Ubuntu ruby1.9.1 package is patched for CVE-2012-4464 and
CVE-2012-4466, despite the incorrect patch name.
* debian/patches/CVE-2012-4522.patch: Adjust patch to fix build test error.
Use the version of the fix from upstream's 1.9.3 tree to fix the
NoMethodError for assert_file_not, which doesn't exist in 1.9.3. Adjust
the Origin patch tag accordingly.
ruby1.9.1 (1.9.3.194-7) unstable; urgency=high
* debian/patches/CVE-2013-0269.patch: fix possible denial of service and
unsafe object creation vulnerability in JSON (Closes: #700471)
ruby1.9.1 (1.9.3.194-6) unstable; urgency=high
[Nobuhiro Iwamatsu]
* debian/patches/CVE-2013-0256.patch: fix possible cross site scripting
vulnerability in documentation generated by RDOC (Closes: #699929)
ruby1.9.1 (1.9.3.194-5) unstable; urgency=high
* Disable running the test suite during the build on sparc again. Keeping
urgency=high because the previous release, which contains a security bug
fix, did not reach testing yet because of a segfault when running tests in
the sparc buildd.
ruby1.9.1 (1.9.3.194-4) unstable; urgency=high
[ James Healy ]
* debian/patches/CVE-2012-5371.patch: avoid DOS vulnerability in hash
implementation, this fixes CVE-2012-5371. (Closes: #693024).
ruby1.9.1 (1.9.3.194-3) unstable; urgency=high
* debian/patches/CVE-2012-4522.patch: avoid vulnerability with strings
containing NUL bytes passed to file creation methods. This fixes
CVE-2012-4522 (Closes: #690670).
ruby1.9.1 (1.9.3.194-2) unstable; urgency=low
* debian/patches/20120927-cve_2011_1005.patch: patch sent by upstream;
fixes CVE-2011-1005 which was thought of as not affecting the Ruby 1.9.x
series (Closes: #689075). Thanks to Tyler Hicks <email address hidden>
for reporting the issue.
-- Tyler Hicks <email address hidden> Thu, 21 Feb 2013 17:11:23 -0800
This bug was fixed in the package ruby1.9.1 - 1.9.3.194-7ubuntu1
---------------
ruby1.9.1 (1.9.3.194-7ubuntu1) raring; urgency=low
* Merge from Debian testing (LP: #1131493). Remaining changes:
- debian/control: Add ca-certificates to libruby1.9.1 depends so that
rubygems can perform certificate verification
- debian/rules: Don't install SSL certificates from upstream sources
- debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
/etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
* Changes dropped:
- debian/patches/20121016-cve_2012_4522.patch: Debian is carrying a patch
for this issue.
- debian/patches/20121011-cve_2012_4464-cve_2012_4466.patch: Debian is
carrying a patch for this issue, but the patch is incorrectly named
20120927-cve_2011_1005.patch. I'll work with Debian to change the patch
name, but there's no need in carrying a delta because of this. To be
clear, the Ubuntu ruby1.9.1 package is patched for CVE-2012-4464 and
CVE-2012-4466, despite the incorrect patch name.
* debian/patches/CVE-2012-4522.patch: Adjust patch to fix build test error.
Use the version of the fix from upstream's 1.9.3 tree to fix the
NoMethodError for assert_file_not, which doesn't exist in 1.9.3. Adjust
the Origin patch tag accordingly.
ruby1.9.1 (1.9.3.194-7) unstable; urgency=high
* debian/patches/CVE-2013-0269.patch: fix possible denial of service and
unsafe object creation vulnerability in JSON (Closes: #700471)
ruby1.9.1 (1.9.3.194-6) unstable; urgency=high
[Nobuhiro Iwamatsu]
* debian/patches/CVE-2013-0256.patch: fix possible cross site scripting
vulnerability in documentation generated by RDOC (Closes: #699929)
ruby1.9.1 (1.9.3.194-5) unstable; urgency=high
* Disable running the test suite during the build on sparc again. Keeping
urgency=high because the previous release, which contains a security bug
fix, did not reach testing yet because of a segfault when running tests in
the sparc buildd.
ruby1.9.1 (1.9.3.194-4) unstable; urgency=high
[ James Healy ]
* debian/patches/CVE-2012-5371.patch: avoid DOS vulnerability in hash
implementation, this fixes CVE-2012-5371. (Closes: #693024).
ruby1.9.1 (1.9.3.194-3) unstable; urgency=high
* debian/patches/CVE-2012-4522.patch: avoid vulnerability with strings
containing NUL bytes passed to file creation methods. This fixes
CVE-2012-4522 (Closes: #690670).
ruby1.9.1 (1.9.3.194-2) unstable; urgency=low
* debian/patches/20120927-cve_2011_1005.patch: patch sent by upstream;
fixes CVE-2011-1005 which was thought of as not affecting the Ruby 1.9.x
series (Closes: #689075). Thanks to Tyler Hicks <email address hidden>
for reporting the issue.
-- Tyler Hicks <email address hidden> Thu, 21 Feb 2013 17:11:23 -0800