File ruby2.1.changes of Package ruby2.1.36279

-------------------------------------------------------------------
Tue Oct 29 12:54:44 UTC 2024 - Steven Baker <steven.baker@suse.com>

- Add CVE-2024-47220.patch (CVE-2024-47220) Fix HTTP request
  smuggling (boo#1230930)

-------------------------------------------------------------------
Thu Nov 11 09:00:04 UTC 2021 - Ali Abdallah <ali.abdallah@suse.com>

- Add patches to fix the following CVEs:

  - CVE-2021-32066.patch (CVE-2021-32066): Fix StartTLS stripping
    vulnerability in Net::IMAP (bsc#1188160)
  - CVE-2021-31810.patch (CVE-2021-31810): Fix trusting FTP PASV
    responses vulnerability in Net::FTP (bsc#1188161)
  - CVE-2020-25613.patch (CVE-2020-25613): Fix potential HTTP request
    smuggling in WEBrick (bsc#1177125)
  - CVE-2021-31799.patch (CVE-2021-31799): Fix Command injection
    vulnerability in RDoc (bsc#1190375)

-------------------------------------------------------------------
Tue May 26 17:49:31 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

- we dropped the reproducible build patch completely as it breaks
  the testsuite

-------------------------------------------------------------------
Tue May 26 17:21:55 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

- added suse.patch which is a git diff v2_1_9..2.1.9-suse
- included in suse.patch are the following security fixes:
  Rubygems was updated to 2.7.10 as part of those.

  - VUL-1: CVE-2020-10663: ruby2.1,ruby2.5: Unsafe Object Creation
    Vulnerability in JSON (boo#1171517)
  - VUL-0: CVE-2019-16201: ruby2.5,ruby,ruby2.1: Regular Expression
    Denial of Service vulnerability of WEBrick's Digest access
    authentication (boo#1152995)
  - VUL-0: CVE-2019-15845: ruby2.5,ruby,ruby2.1: A NUL injection
    vulnerability of File.fnmatch and File.fnmatch? (boo#1152994)
  - VUL-0: CVE-2019-16254: ruby2.5,ruby,ruby2.1: HTTP response
    splitting in WEBrick (Additional fix) (boo#1152992)
  - VUL-0: CVE-2019-16255: ruby2.5,ruby,ruby2.1: code injection
    vulnerability of Shell#[] and Shell#test (boo#1152990)
  - VUL-0: CVE-2019-8320: rubygems,ruby19,ruby2.1: rubygems: Delete
    directory using symlink when decompressing tar (boo#1130627)
  - VUL-0: CVE-2019-8321: rubygems,ruby19,ruby2.1: rubygems: Escape
    sequence injection vulnerability in verbose (boo#1130623)
  - VUL-0: CVE-2019-8322: rubygems,ruby19,ruby2.1: rubygems: Escape
    sequence injection vulnerability in gem owner (boo#1130622)
  - VUL-0: CVE-2019-8323: rubygems,ruby19,ruby2.1: rubygems: Escape
    sequence injection vulnerability in API response handling
    (boo#1130620)
  - VUL-0: CVE-2019-8324: rubygems,ruby2.1: rubygems: Installing a
    malicious gem may lead to arbitrary code execution
    (boo#1130617)
  - VUL-0: CVE-2019-8325: rubygems,ruby,ruby2.1: rubygems: Escape
    sequence injection vulnerability in errors (boo#1130611)
  - VUL-0: CVE-2018-16396: ruby,ruby2.1: Tainted flags are not
    propagated in Array#pack and String#unpack with some directives
    (boo#1112532)
  - VUL-0: CVE-2018-16395: ruby19,ruby,ruby2.1: OpenSSL::X509::Name
    equality check does not work correctly (boo#1112530)
  - VUL-1: CVE-2018-6914: ruby19,ruby,ruby2.1: Unintentional file
    and directory creation with directory traversal in tempfile and
    tmpdir (boo#1087441)
  - VUL-1: CVE-2018-8779: ruby19,ruby,ruby2.1: Unintentional socket
    creation by poisoned NUL byte in UNIXServer and UNIXSocket
    (boo#1087440)
  - VUL-1: CVE-2018-8780: ruby19,ruby,ruby2.1: Unintentional
    directory traversal by poisoned NUL byte in Dir (boo#1087437)
  - VUL-1: CVE-2018-8777: ruby19,ruby,ruby2.1: DoS by large request
    in WEBrick (boo#1087436)
  - VUL-1: CVE-2017-17742: ruby19,ruby,ruby2.1: HTTP response
    splitting in WEBrick (boo#1087434)
  - VUL-1: CVE-2018-8778: ruby19,ruby,ruby2.1: Buffer under-read in
    String#unpack (boo#1087433)
  - VUL-0: CVE-2018-1000079: ruby2.1: Path traversal issue during
    gem installation allows to write to arbitrary filesystem
    locations (boo#1082058)
  - VUL-1: CVE-2018-1000075: ruby,rubygems: Infinite loop
    vulnerability due to negative size in tar header causes Denial
    of Service (boo#1082014)
  - VUL-0: CVE-2018-1000078: ruby,rubygems: XSS vulnerability in
    homepage attribute when displayed via gem server (boo#1082011)
  - VUL-1: CVE-2018-1000077: ruby,rubygems: Missing URL validation
    on spec home attribute allows malicious gem to set an invalid
    homepage URL (boo#1082010)
  - VUL-1: CVE-2018-1000076: ruby,rubygems: Improper verification
    of signatures in tarball allows to install mis-signed gem
    (boo#1082009)
  - VUL-1: CVE-2018-1000074: ruby,rubygems: Unsafe Object
    Deserialization Vulnerability in gem owner allowing arbitrary
    code execution on specially crafted YAML (boo#1082008)
  - VUL-1: CVE-2018-1000073: ruby,rubygems: Path traversal when
    writing to a symlinked basedir outside of the root
    (boo#1082007)
  - VUL-0: CVE-2017-17790: ruby: Command injection in
    lib/resolv.rb:lazy_initialize() allows arbitrary code execution
    (boo#1078782)
  - VUL-0: CVE-2017-17405: ruby19,ruby,ruby2.1: Command injection
    vulnerability in Net::FTP (boo#1073002)
  - VUL-0: CVE-2017-9229: ruby19,ruby2.1,ruby,ruby2: oniguruma:
    Invalid pointer dereference in left_adjust_char_head()
    (boo#1069632)
  - VUL-0: CVE-2017-9228: ruby19,ruby2.1: heap out-of-bounds write
    occurs in bitset_set_range() during regex compilation
    (boo#1069607)
  - VUL-0: CVE-2017-0903: rubygems,ruby2.1: Unsafe Object
    Deserialization Vulnerability (boo#1062452)
  - VUL-0: CVE-2017-14033: ruby19,ruby,ruby2.1: Buffer underrun
    vulnerability in OpenSSL ASN1 decode (boo#1058757)
  - VUL-0: CVE-2017-0898: ruby19,ruby,ruby2.1: Buffer underrun
    vulnerability in Kernel.sprintf (boo#1058755)
  - VUL-0: CVE-2017-10784: ruby19,ruby,ruby2.1: Escape sequence
    injection vulnerability in the Basic authentication of WEBrick
    (boo#1058754)
  - VUL-0: CVE-2017-14064: ruby: arbitrary memory exposure during a
    JSON.generate call (boo#1056782)
  - VUL-0: CVE-2016-7798: ruby,ruby19,ruby2.1: IV Reuse in GCM Mode
    (boo#1055265)
  - VUL-0: CVE-2015-9096: ruby,ruby19,ruby2.1: Net::SMTP in Ruby
    before 2.4.0 is vulnerable to SMTP command injection via
    CRLF sequences in a RCPT TO or MAIL FROM command (boo#1043983)
  - VUL-0: CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902:
    rubygems,ruby19,ruby2.1: multiple vulnerabilities fixed in
    2.6.13 (boo#1056286)
- dropped old patches
  0001-rubygems-1.5.0-buildroot.patch
  0002-ruby-1.9.2p290-tcl-no-stupid-rpaths.patch
  0003-gc.c-tick-for-POWER-arch.patch
  0004-vm-exec.c-improve-performance-in-ppc64-arch.patch
  0005-Manual-cherry-pick-of-423d042.patch
  0006-CIDR-in-no_proxy.patch
  0007-Fix-segmentation-fault-after-pack-ioctl-unpack.patch
  0008-A-Request-Line-must-not-contain-CR-or-LF.patch
  0009-manual-backport-for-CVE-2016-2339.patch
  0010-rubygems-testsuite-handle-Gem-LoadError.patch
  0011-make-gem-build-reproducible.patch
  0012-mkmf-verbose-Makefile.patch
  0013-fix-exception-on-non-IP-format.patch
- port the default ruby code from newer ruby versions in the spec
  file
- fixed the code to disable tests

-------------------------------------------------------------------
Tue Sep  5 14:22:49 CEST 2017 - jdelvare@suse.de

- Add conflicts to libruby to make sure ruby and ruby-stdlib are
  also updated when libruby is updated (bsc#1048072).

-------------------------------------------------------------------
Fri Mar 24 10:59:34 UTC 2017 - mrueckert@suse.de

- added 0013-fix-exception-on-non-IP-format.patch:
  fix for boo#1014863#c23

-------------------------------------------------------------------
Thu Mar 16 14:56:28 UTC 2017 - mrueckert@suse.de

- switched to git branch based patching. we replace all patches in
  this round:
  removed:
    - make-gem-build-reproducible.patch
    - ruby-1.9.2p290_tcl_no_stupid_rpaths.patch
    - ruby-1.9.3-mkmf-verbose.patch
    - rubygems-1.5.0_buildroot.patch
    - rubygems-testsuite-handle_gem_loaderror.patch
    - 0001-gc.c-tick-for-POWER-arch.patch
    - 0001-vm_exec.c-improve-performance-in-ppc64-arch.patch
  added:
    -  0001-rubygems-1.5.0-buildroot.patch
    -  0002-ruby-1.9.2p290-tcl-no-stupid-rpaths.patch
    -  0003-gc.c-tick-for-POWER-arch.patch
    -  0004-vm-exec.c-improve-performance-in-ppc64-arch.patch
    -  0010-rubygems-testsuite-handle-Gem-LoadError.patch
    -  0011-make-gem-build-reproducible.patch
    -  0012-mkmf-verbose-Makefile.patch
- added 0005-Manual-cherry-pick-of-423d042.patch and
  0006-CIDR-in-no_proxy.patch:
  support wget syntax for no proxy config (boo#1014863)
- added 0007-Fix-segmentation-fault-after-pack-ioctl-unpack.patch
  (boo#909695)
- added 0008-A-Request-Line-must-not-contain-CR-or-LF.patch
  (boo#986630)
- added 0009-manual-backport-for-CVE-2016-2339.patch
  CVE-2016-2339 (boo#1018808)

-------------------------------------------------------------------
Sun Apr  3 21:23:42 UTC 2016 - mrueckert@suse.de

- update to 2.1.9
  - test/ruby/test_io.rb: handled rlimit value same as r52277
    [Bug #11852][ruby-dev:49446]
  - ext/openssl/extconf.rb: check SSL_CTX_set_next_proto_select_cb
    function rather than OPENSSL_NPN_NEGOTIATED macro. it exists
    even if it is disabled by OpenSSL configuration.
    [ruby-core:74384] [Bug #12182]
  - ext/openssl/ossl_ssl.c: update #ifdef(s) as above.
  - test/openssl/test_ssl.rb: skip NPN tests if NPN is disabled.
  - lib/uri/http.rb (URI::HTTP#initialize): [DOC] fix example,
    missing mandatory arguments.  [ruby-core:74540] [Bug #12215]
  - thread_pthread.c (reserve_stack): fix reserving position where
    the stack growing bottom to top. [Bug #12118]
  - variable.c: Added documentation about order of
    `Module#constants`
    [ci skip][Bug #12121][ruby-dev:49505][fix GH-1301]
  - string.c (enc_succ_alnum_char): try to skip an invalid
    character gap between GREEK CAPITAL RHO and SIGMA.
    [ruby-core:74478] [Bug #12204]
  - enc/trans/JIS: update Unicode's notice. [Bug #11844]
  - ext/openssl/ossl_ssl.c (ossl_sslctx_setup): document as
    MT-unsafe [ruby-core:73803] [Bug #12069]
  - ext/tk/lib/tkextlib/tcllib/tablelist_tile.rb: fix method name
    typo.  [ruby-core:72513] [Bug #11893]
    The patch provided by Akira Matsuda.
  - ext/tk/lib/tkextlib/tcllib/toolbar.rb: fix method name typo.
    [ruby-core:72511] [Bug #11891]
    The patch provided by Akira Matsuda.
  - ext/tk/lib/tkextlib/blt/tree.rb: fix method name typo.
    [ruby-core:72510] [Bug #11890]
    The patch provided by Akira Matsuda.
  - ext/tk/lib/tk/menubar.rb: fix a typo in font name.
    [ruby-core:72505] [Bug #11886]
    The patch provided by Akira Matsuda.
  - ext/tk/sample/*.rb: ditto.
  - net/ftp.rb: add NullSocket#closed? to fix closing not opened
    connection.  [Fix GH-1232]
  - parse.y (parse_numvar): NTH_REF must be less than a half of
    INT_MAX, as it is left-shifted to be ORed with back-ref flag.
    [ruby-core:74444] [Bug#12192] [Fix GH-1296]
  - marshal.c (r_object0):  raise ArgumentError when linking to
    undefined object.
  - marshal.c (r_object0): Fix Marshal crash for corrupt extended
    object.
  - cont.c (rb_fiber_struct): keep context.uc_stack.ss_sp and
    context.uc_stack.ss_size for later use. Patch by Rei Odaira.
    [ruby-core:62945] [Bug #9905]
  - test/openssl/utils.rb (start_server, server_loop): Use a pipe
    to stop server instead of shutdown/close a listening socket.
  - test/ruby/envutil.rb (assert_join_threads): New assertion to
    join multiple threads without exceptions.
  - ext/openssl/lib/openssl/ssl.rb (SSLServer#accept): Close a
    socket if any exception occurs.
  - ext/openssl/ossl_ssl.c (ossl_ssl_close): Fix sync_close to work
    when SSL is not started.  This fixes the fd leak by
    test_https_proxy_authentication in
    test/net/http/test_https_proxy.rb.
  - test/openssl: Join threads.
  - insns.def (opt_mod): show its method name on ZeroDivisionError.
    [Bug #12158]
  - test/ruby/test_process.rb (TestProcess#test_setsid): AIX does
    not allow Process::getsid(pid) when pid is in a different
    session.
  - test/ruby/test_process.rb (test_execopts_gid): Skip a test that
    is known to fail on AIX. AIX allows setgid to a supplementary
    group, but Ruby does not allow the "-e" option when setgid'ed,
    so the test does not work as intended.
  - test/rinda/test_rinda.rb (test_make_socket_ipv4_multicast): The
    fifth argument to getsockopt(2) should be modified to indicate
    the actual size of the value on return, but not in AIX. This is
    a known bug. Skip related tests.
  - test/rinda/test_rinda.rb (test_ring_server_ipv4_multicast):
    ditto.
  - test/rinda/test_rinda.rb (test_make_socket_unicast): ditto.
  - test/socket/test_basicsocket.rb (test_getsockopt): ditto.
  - test/socket/test_sockopt.rb (test_bool): ditto.
  - test/zlib/test_zlib.rb (test_adler32_combine,
    test_crc32_combine): Skip two tests on AIX because zconf.h in
    zlib does not correctly recognize _LARGE_FILES in AIX. The
    problem was already reported to zlib, and skip these tests
    until it is fixed.
  - test/socket/test_addrinfo.rb (test_ipv6_address_predicates):
    IN6_IS_ADDR_V4COMPAT and IN6_IS_ADDR_V4MAPPED are broken on
    AIX, so skip related tests.
  - test/gdbm/test_gdbm.rb (TestGDBM#test_s_open_lock): skip this
    test on AIX. The issue is the same as on Solaris.
    [ruby-dev:47631]
  - thread_pthread.c (getstack): __pi_stacksize returned by
    pthread_getthrds_np() is wrong on AIX. Use __pi_stackend -
    __pi_stackaddr instead.
  - lib/irb.rb: avoid needless truncation when using
    back_trace_limit option.
    [fix GH-1205][ruby-core:72773][Bug #11969]
  - enc/windows_1250.c: Should not use C++ style comments (C99
    feature).  [Bug #11843]
  - enc/iso_8859_2.c, enc/windows_1250.c: separate Windows-1250
    from ISO-8859-2 to fix 0x80..0x9e range (from Kimihito Matsui)
  - enc/windows_1252.c: separate from ISO-8859-1 to fix 0x80..0x9e
    range.  [ruby-core:64049] [Bug #10097]
  - enc/iso_8859_13.c: Added three missing lower/upper-case
    character pairs (from Kimihito Matsui)
  - enc/iso_8859_4.c: Added missing lower/upper-case character pair
    (U+014A and U+014B, LATIN CAPITAL/SMALL LETTER ENG) (from
    Kimihito Matsui)
  - string.c (rb_str_scrub): the result should be infected by the
    original string.
  - transcode.c (rb_econv_substr_append, econv_primitive_convert):
    the result should be infected by the original string.
  - include/ruby/ruby.h: add raw FL macros, which assume always the
    argument object is not a special constant.
  - internal.h (STR_EMBED_P, STR_SHARED_P): valid only for
    T_STRING.
  - string.c: deal with taint flags directly across String
    instances.
  - lib/logger.rb: Remove block from Logger.add as it's not needed
    patch provided by Daniel Lobato Garcia
    [fix GH-1240] [Bug #12054]
  - re.c: Remove deprecated kcode argument from Regexp.new and
    compile patch provided by Dylan Pulliam [Bug #11495]
  - ext/socket/socket.c (sock_gethostname): support unlimited size
    hostname.
  - lib/xmlrpc/client.rb: Support SSL options in async methods of
    XMLRPC::Client.  [Bug #11489]
    Reported by Aleksandar Kostadinov. Thanks!!!
  - marshal.c (r_object0): honor Marshal.load post proc value for
    TYPE_LINK.  by Hiroshi Nakamura <nahi@ruby-lang.org>
    https://github.com/ruby/ruby/pull/1204 fix GH-1204
  - ext/socket/option.c (sockopt_bool): relax boolean size to be
    one too not only sizeof(int).  Winsock getsockopt() returns a
    single byte as a boolean socket option.
    [ruby-core:72730] [Bug #11958]
  - process.c (rb_execarg_parent_start1): need to convert the
    encoding to ospath's one.
  - process.c: use rb_w32_uchdir() instead of plain chdir() on
    Windows.  reported by naruse via twitter.
  - process.c (rb_execarg_addopt): need to convert the encoding to
    ospath's one.
  - ext/stringio/stringio.c (strio_binmode): implement to set
    encoding
  - test/stringio/test_stringio.rb (test_binmode): new test
    [ruby-core:72699] [Bug #11945]
  - io.c (io_getpartial): remove unused kwarg from template
  - test/ruby/test_io.rb (test_readpartial_bad_args): new
    [Bug #11885]
  - compile.c, cont.c, doc, man: fix common misspelling.
    [ruby-core:72466] [Bug #11870]
  - ext/socket/init.c (rsock_init_sock): reject reserved FDs
    [ruby-core:72445] [Bug #11862]
  - ext/socket/init.c (rsock_init_sock): check FD after validating
  - test/socket/test_basicsocket.rb (test_for_fd): new
    [ruby-core:72418] [Bug #11854]
  - cont.c: fix a double word typo.  [Bug #11313][ruby-core:69749]
  - ext/tk/lib/multi-tk.rb: fix typos.
    [Bug #11764][ruby-core:71800]
  - re.c (reg_names_iter): should consider encoding of regexp.
    [ruby-core:72185] [Bug #11825]

-------------------------------------------------------------------
Thu Mar 24 11:06:06 UTC 2016 - dvaleev@suse.com

- fate#320684/bsc#973073
   0001-gc.c-tick-for-POWER-arch.patch
   0001-vm_exec.c-improve-performance-in-ppc64-arch.patch

  Performance improvements of Ruby on POWER platform.
  Commit ids are: a5456a1d8308cec5461846418500f77b69a01e4d and
  d1075b72c819ee537bde8a302340c4b837402a76

-------------------------------------------------------------------
Mon Jan  4 21:38:49 UTC 2016 - mrueckert@suse.de

- update to 2.1.8 (boo# 959495)
  - ext/fiddle/handle.c: check tainted string arguments.  Patch
    provided by tenderlove and nobu. (CVE-2015-7551)
  - test/fiddle/test_handle.rb (class TestHandle): add test for
    above.
  - ext/dl/handle.c (rb_dlhandle_initialize): prohibits DL::dlopen
    with a tainted name of library.  Patch by sheepman <sheepman AT
    sheepman.sakura.ne.jp>.
  - ext/dl/handle.c (rb_dlhandle_sym): ditto
  - io.c (parse_mode_enc): fix buffer overflow.
  - insns.def (opt_case_dispatch): avoid converting Infinity
  - test/ruby/test_optimization.rb (test_opt_case_dispatch_inf):
    new [ruby-dev:49423] [Bug #11804]
  - configure.in: pthread_getattr_np is broken on AIX.  More
    specifically, the stack address and size returned are not
    correct.
  - insns.def (opt_case_dispatch): check Float#=== redefinition
  - test/ruby/test_optimization.rb (test_opt_case_dispatch): new
    [ruby-core:71920] [Bug #11784]
  - ruby_atomic.h (ATOMIC_SIZE_CAS): fix the argument order of
    InterlockedCompareExchange64.  new value and then old value is
    the last.
  - encoding.c (enc_m_loader): defer finding encoding object not to
    be infected by marshal source.  [ruby-core:71793] [Bug #11760]
  - marshal.c (r_object0): enable compatible loader on USERDEF
    class.  the loader function is called with the class itself,
    instead of an allocated object, and the loaded data.
  - marshal.c (compat_allocator_table): initialize
    compat_allocator_tbl on demand.
  - object.c (rb_undefined_alloc): extract from rb_obj_alloc.
  - range.c (range_to_s): should be infected by the receiver.  str2
    infects by appending.  [ruby-core:71811] [Bug #11767]
  - ext/readline/extconf.rb: call dir_config("libedit") if
    --enable-libedit is specified. [Bug #11751] patched by John Hein
  - io.c (rb_io_each_codepoint): raise an exception at incomplete
    character before EOF when conversion takes place.  [Bug #11444]
  - io.c (rb_io_each_codepoint): read more data when read
    partially.  [ruby-core:70379] [Bug #11444]
  - ext/digest/sha1/sha1ossl.c: fixed build error introduced at
    r52797.
  - insns.def (defined): skip respond_to_missing? when a method is
    available.  [Bug #11211]
  - test/ruby/test_defined.rb: add a test for this fix.
  - ext/digest/rmd160/rmd160.c: fixed commit mistake at r52797.
  - io.c (argf_getpartial): should not resize str if the second
    argument is not given.  [ruby-core:71668] [Bug #11738]
  - lib/net/http.rb: set hostname before call ossl_ssl_set_session.
    [Bug #11401][ruby-core:70152][fix GH-964] Patch by @mkarnebeek
  - transcode.c (rb_econv_open0): rb_econv_t::source_encoding_name
    and rb_econv_t::destination_encoding_name should refer static
    strings always or NULL.  [ruby-core:70247] [Bug #11416]
  - ext/digest/*/*.[ch]: include ruby.h before digest.h to avoid
    including ext/digest/extconf.h. [Bug #3231]
    https://msdn.microsoft.com/library/36k2cdd4.aspx
  - ext/digest/*/extconf.rb: remove ext/digest from include search
    path to avoid confusion of cl.exe.
  - ext/digest/*/*.[ch]: explicitly specify def.h's path.
  - Added missing reference of GitHub
  - lib/net/http.rb: Fixed regression for Net::HTTP::PUT with
    "Expect-100" header. [fix GH-949]
  - test/net/http/test_http.rb: added test.
  - ext/date/extconf.rb: try_cflags("-std=iso9899:1999") [Bug
    #10906] ruby itself (including numeric.c) is built with strict
    compile options including -std=iso9899:1999, but ext/date is
    not.  By the way -std=iso9899:1999 is not only a warning option
    but also changes behavior like MACRO definitions for example
    INFINITY.  gcc on Solaris affect this.
  - ext/openssl/ossl_pkey.c: Merge ruby/openssl@b9ea8ef [Bug
    #10735]
  - ext/openssl/ossl_ssl.c (ossl_ssl_method_tab): Only add SSLv3
    support if the SSL library supports it.  Thanks Kurt Roeckx
    <kurt@roeckx.be> [Bug #11376]
  - ext/openssl/extconf.rb: check for SSLv3 support in the SSL
    implementation.
  - test/openssl/test_ssl.rb (class OpenSSL): Skip tests that need
    SSLv3 if there is no support.
  - vm_trace.c (rb_threadptr_exec_event_hooks_orig): maintain
    trace_running counter on internal events.  This patch is made
    by Takashi Kokubun <takashikkbn@gmail.com>.  [Bug #11603]
    https://github.com/ruby/ruby/pull/1059
  - compile.c (iseq_compile_each): remove duplicated line event.
    [Bug #10449]
  - test/ruby/test_settracefunc.rb: add and fix tests.
  - vm.c (hook_before_rewind): prevent kicking :return event while
    finishing vm_exec func because invoke_block_from_c() kick a
    :return event for bmethods.  [Bug #11492]
  - test/ruby/test_settracefunc.rb: add a test.
  - test/openssl/test_ssl_session.rb: Fix tests so that they take
    in to account OpenSSL installations that have SSLv3 disabled by
    default.  Thanks Jeremy Evans <code@jeremyevans.net> for the
    patches.  [Bug #11366] [Bug #11367]
  - test/openssl/test_ssl_session.rb
    (OpenSSL#test_ctx_client_session_cb): fix test failure with
    OpenSSL disabled SSLv3 protocol.  [ruby-core:63772] [Bug
    #10046]
  - string.c (sym_to_proc), proc.c (rb_block_clear_env_self): clear
    caller's self which is useless, so that it can get collected.
    [Fixes GH-592]
  - lib/ipaddr.rb, test/test_ipaddr.rb: Reject invalid address
    contained EOL string. Patch by @kachick [fix GH-942][Bug
    #11513]
  - lib/ipaddr.rb, test/test_ipaddr.rb: split test code from
    library script and move to test script, just like trunk.
  - ext/openssl/ossl_ssl.c (ssl_npn_select_cb): explicitly raise
    error in ext/openssl instead of OpenSSL itself because LibreSSL
    silently truncate the selected protocol name by casting the
    length from int to unsigned char. [Bug #11369] Patch by Jeremy
    Evans <merch-redmine@jeremyevans.net>
  - configure.in: check for libunwind.h, which is not available in
    very old OS X SDK.  [ruby-core:71080] [Bug #11591]
  - test/drb/test_drb.rb: Run Rinda/DRb tests on localhost. [Fix
    GH-1027] patch by voxik.
  - test/rinda/test_rinda.rb: ditto
  - parse.y (literal_concat_gen, evstr2dstr_gen): keep literal
    encoding beginning with an interpolation same as the source
    file encoding.  [ruby-core:70703] [Bug #11519]
  - lib/rss/rss.rb (Time#w3cdtf): fix zero-trimmed width of
    fraction digits.  [ruby-core:70667] [Bug #11509]
  - re.c (rb_memsearch_wchar, rb_memsearch_qchar): test matching
    till the end of string.  [ruby-core:70592] [Bug #11488]
  - test/ruby/test_m17n.rb (test_include?, tet_index): add tests by
    Tom Stuart.
  - thread_pthread.c (reserve_stack): ensure the memory is really
    allocated. [Bug #11457]

-------------------------------------------------------------------
Wed Aug 19 14:49:00 UTC 2015 - mrueckert@suse.de

- update to 2.1.7 (boo# 936032)
  - bump version to 2.4.5.1. this version fixed CVE-2015-3900.
  - many more fixes please see
    /usr/share/doc/packages/ruby2.1/ChangeLog

-------------------------------------------------------------------
Thu Apr 16 23:16:46 UTC 2015 - mrueckert@suse.de

- update to 2.1.6 (bsc# 926974)
  - stricter hostname verification following RFC 6125. with the
    patch provided by Tony Arcieri and Hiroshi Nakamura
    [ruby-core:61545] [Bug #9644] CVE-2015-1855
  - upgrade to RubyGems 2.2.3. [Backport #10515]
  - lots of documentation updates
  - a few crash and parser fixes
  For all the changes see /usr/share/doc/packages/ruby2.1/ChangeLog
- drop the SSE2 patches as they are included upstream:
  ruby-2.1.3-no_sse2_patch_configure_too.patch
  ruby-no_sse2.patch

-------------------------------------------------------------------
Wed Mar 11 20:00:04 UTC 2015 - mrueckert@suse.de

- Remove the support to have the shared files from ruby-common
  intree again.
- merged TK conditionals with the 2.2 package

-------------------------------------------------------------------
Wed Feb 11 10:27:07 UTC 2015 - coolo@suse.com

- add make-gem-build-reproducible.patch to make sure the gems created
  with gem build don't use the time of the build, but the mtime of
  the Gemfile

-------------------------------------------------------------------
Thu Dec 18 17:22:18 UTC 2014 - jmassaguerpla@suse.com

- fix CVE-2014-8090:  ruby: Another Denial Of Service XML Expansion
  (bnc#905326)

  CVE-2014-8090.patch: contains the patch

- fix CVE-2014-8080: ruby: ruby19: Denial Of Service XML Expansion
  (bnc#902851)

  CVE-2014-8080.patch: contains the patch

- Enable tests to run during the build. This way we can compare
  the results on different builds.

-------------------------------------------------------------------
Thu Nov 13 16:26:18 UTC 2014 - mrueckert@suse.de

- explicitly upgrade the libname package so we update libruby when
  we upgrade the stdlib or main package

-------------------------------------------------------------------
Thu Nov 13 16:09:51 UTC 2014 - mrueckert@suse.de

- update to 2.1.5: (bsc# 905326)
  - This release includes a security fix for DoS vulnerability of
    REXML. It is similar to the fixed vulnerability in the previous
    release, but new and different from it. (CVE-2014-8090)
    add REXML::Document#document.
  - bignum.c (absint_numwords_generic): set an array element after
    definition of a variable to fix compile error with older
    version of fcc (Fujitsu C Compiler) 5.6 on Solaris 10 on Sparc.
    [Bug #10350] [ruby-dev:48608]
  - compile.c (compile_data_alloc): add padding when strict
    alignment is required for memory access. Currently, the padding
    is enabled only when the CPU is 32-bit SPARC and the compiler
    is GCC.  [Bug #9681] [ruby-core:61715]
  - compile.c (STRICT_ALIGNMENT): defined if strict alignment is
    required
  - compile.c (ALIGNMENT_SIZE, ALIGNMENT_SIZE_MASK,
    PADDING_SIZE_MAX): new macros for alignment word size, bit
    mask, max size of padding.
  - compile.c (calc_padding): new function to calculate padding
    size.
  - configure.in (__builtin_setjmp): disable with gcc/clang earlier
    than 4.3 on Mac OS X.  [ruby-core:65174] [Bug #10272]
  - bignum.c (bary_mul_balance_with_mulfunc): Fix free work area
    location.
    [ruby-dev:48723] [Bug #10464]
    [ruby-core:66044] [Bug #10465]
    Reported by Kohji Nishihama.

-------------------------------------------------------------------
Tue Oct 28 00:30:05 UTC 2014 - mrueckert@suse.de

- update to 2.1.4:
  - Denial of Service XML Expansion CVE-2014-8080 (bsc# 902851)
    - keep the entity size within the limitation.
  - Changed default settings of ext/openssl related to CVE-2014-3566
    - Explicitly whitelist the default SSL/TLS ciphers. Forbid
      SSLv2 and SSLv3, disable compression by default.
      (bsc# CVE-2014-3566)
  - test/ruby/test_time_tz.rb: Fix test error with tzdata-2014g.
    [ruby-core:65058] [Bug #10245] Reported by Vit Ondruch.
  - vm_method.c (rb_method_entry_make): warn redefinition only for
    already defined methods, but not for undefined methods.
    [ruby-dev:48691] [Bug #10421]
  - class.c (unknown_keyword_error): delete expected keywords
    directly from raw table, so that the given block is not called.
    [ruby-core:65837] [Bug #10413]
  - vm_core.h, vm.c, proc.c: fix GC mark miss on bindings.
    [ruby-dev:48616] [Bug #10368]
  - test/ruby/test_eval.rb: add a test code.
  - parse.y (parser_here_document): do not append already appended
    and disposed code fragment.  [ruby-dev:48647] [Bug #10392]
  - ext/stringio/stringio.c (strio_write): ASCII-8BIT StringIO
    should be writable any encoding strings, without conversion.
    [ruby-core:65240] [Bug #10285]
  - vm_eval.c (eval_string_with_cref): fix super from eval with
    scope.  set klass in the current control frame to the class of
    the receiver in the context to be evaluated, this class/module
    must match the actual receiver to call super.
    [ruby-core:65122] [Bug #10263]
  - lib/find.rb (Find.find): Call to_path for arguments to obtain
    strings.  [ruby-core:63713] [Bug #10035] Reported by Herwin.
  - object.c (rb_class_real): do not dereference 0 VALUE
  - test/ruby/test_module.rb (test_inspect_segfault): Test case and
    bug report by Thomas Stratmann.  [ruby-core:65214] [Bug #10282]
  - signal.c (rb_f_kill): get rid of deadlock as unhandled and
    discarded signals do not make interrupt_cond signaled.  based
    on the patch by Kazuki Tsujimoto at [ruby-dev:48606].
    [Bug #9820]
  - signal.c (rb_f_kill): should not ignore signal unless the
    default handler is registered.  [ruby-dev:48592] [Bug #9820]
    merge r47598 partially.  extracted commits are as follows.
    [Bug #9728]
    https://github.com/k-takata/Onigmo/commit/15ddec6d18e27fdc1988236764e766fd5892ecf5
  - lib/fileutils.rb: handle ENOENT error with symlink targeted to
    non-exists file. [ruby-dev:45933] [Bug #6716]
  - configure.in: NetBSD's ksh, used by configure, needs escapes.
  - array.c (ary_recycle_hash): add RB_GC_GUARD (rb_ary_diff):
    remove volatile [Bug #10369]
  - dir.c (dir_s_aref): fix rdoc.  `Dir.glob` allows an array but
    `Dir[]` not.  the former accepts an optional parameter `flags`,
    while the latter accepts arbitrary number of arguments but no
    `flags`.  [ruby-core:65265] [Bug #10294]
  - configure.in: Fix typo. [Bug #9914]
  - error.c: update exception tree. [DOC] reported by @hemge via
    twitter.
  - parse.y (parse_ident): just after a label, new expression
    should start, cannot be a modifier.  [ruby-core:65211]
    [Bug #10279]
  - win32/Makefile.sub (VCSUP): nothing to do if this worktree is
    not under any VCS (it means that the worktree may be from the
    release package).
  - test/ruby/test_time_tz.rb: Fix test error with tzdata-2014g.
    [ruby-core:65058] [Bug #10245] Reported by Vit Ondruch.
  - test/minitest/test_minitest_unit.rb: removed obsoleted
    condition for Ruby 1.8.
  - test/ruby/test_time_tz.rb: ditto.

-------------------------------------------------------------------
Wed Oct 22 05:01:30 UTC 2014 - coolo@suse.com

- don't add self conflicts for SLE 11

-------------------------------------------------------------------
Wed Oct 15 10:57:27 UTC 2014 - mrueckert@suse.de

- added ruby-2.1.3-no_sse2_patch_configure_too.patch: avoid running
  autoreconf
- drop BR on autoconf and libtool again

-------------------------------------------------------------------
Mon Oct 13 16:19:44 UTC 2014 - mrueckert@suse.de

- turn on testsuite by default. we don't hard fail anyway.

-------------------------------------------------------------------
Mon Oct 13 16:16:40 UTC 2014 - mrueckert@suse.de

- added rubygems-testsuite-handle_gem_loaderror.patch
  This makes more test cases actually run. (backport from trunk)
- patch taken from fedora rpm: ruby-1.9.3-mkmf-verbose.patch
  generate verbose make files by default.
- added testsuite workarounds found in fedora's spec file to ours.

-------------------------------------------------------------------
Mon Oct 13 14:55:14 UTC 2014 - mrueckert@suse.de

- added ruby-no_sse2.patch: (boo# 872908)
  Don't enable sse2 just because the compiler supports it. we still
  want to support i586. The code was reverted in trunk as well.
  - new BR: autoconf and libtool
- converted conditional for running the testsuite to a bcond
- added BR for procps and timezone for the testsuite
- clean up intree certs from the rubygems code base (boo# 900932)

-------------------------------------------------------------------
Wed Oct  8 15:46:22 UTC 2014 - mrueckert@suse.de

- drop the ruby-stdlib provides in the versioned stdlib and add a
  conflicts so we can finally upgrade

-------------------------------------------------------------------
Wed Oct  8 15:31:39 UTC 2014 - mrueckert@suse.de

- update to 2.1.3 (bsc# 887877) CVE-2014-4975
  This update fixes among other things
  - off-by-one stack-based buffer overflow in the encodes()
    function
  - change of full GC timing to reduce memory consumption (see Bug
    #9607)
  For all the details see /usr/share/doc/packages/ruby2.1/ChangeLog
- drop drop_content_size_check_in_xmlrpc.patch: included in update
- fixed shebang line fix in %prep

-------------------------------------------------------------------
Wed Sep 24 14:39:25 UTC 2014 - mrueckert@suse.de

- also make the ghost files match what we generate in the rubygem
  based packages

-------------------------------------------------------------------
Wed Sep 24 13:47:09 UTC 2014 - mrueckert@suse.de

- also provide the %{_bindir}/$bin%{rb_binary_suffix} symlinks via
  u-a to be consistent with what gem based packages do.

-------------------------------------------------------------------
Mon Sep 22 12:28:58 UTC 2014 - mrueckert@suse.de

- conflict with $interpreter(abi) = %api_version to make the
  upgrade path easier.

-------------------------------------------------------------------
Mon Sep 22 09:44:38 UTC 2014 - mrueckert@suse.de

- instead of touch for the files in /etc/alternatives, use the
  symlink pointing to itself.

-------------------------------------------------------------------
Fri Sep 19 09:49:55 UTC 2014 - mrueckert@suse.de

- conflict with our own ruby abi

-------------------------------------------------------------------
Wed Sep 17 16:44:09 UTC 2014 - mrueckert@suse.de

- only provide the rdoc and ri symlink on newer than sle11

-------------------------------------------------------------------
Mon Sep 15 14:35:03 UTC 2014 - mrueckert@suse.de

- the ruby(abi) = $interpreter:$abiversion was not a good idea. rpm
  treats the $interpreter part as epoch. instead we use now:
  $interpreter(abi) = $abiversion

  For MRI it means we are basically back to ruby(abi).
  Examples for alternative ruby interpreters are rubinius(abi) and
  jruby(abi) (bnc#896658)

-------------------------------------------------------------------
Wed Sep  3 14:12:54 UTC 2014 - mrueckert@suse.de

- also in the awk generated provides we should add the
  interpreter part to the provides. also remove the old package
  name based provides there.

-------------------------------------------------------------------
Wed Sep  3 13:03:04 UTC 2014 - mrueckert@suse.de

- use new ruby abi syntax in the macros

-------------------------------------------------------------------
Wed Sep  3 12:56:35 UTC 2014 - mrueckert@suse.de

- use the new syntax for ruby abi 

-------------------------------------------------------------------
Wed Jul 16 17:26:18 UTC 2014 - mrueckert@suse.de

- added ruby2.1.macros:
  ruby 2.1 specific macros for the macro based expansion
- added ruby2.1-default.macros:
  if ruby 2.1 is default this file will be installed and sets the
  rb_default* variables and rb_build_versions accordingly.
- no longer conflict with the other versioned ruby packages

-------------------------------------------------------------------
Tue Jul 15 18:27:51 UTC 2014 - mrueckert@suse.de

- now we can configure the default ruby version in the project
  config.

  if the package's rb_soname matches the rb_default_ruby_suffix,
  the package is default and we create the hardlinks for the
  important binaries and the libruby.so symlink.

-------------------------------------------------------------------
Tue Jul 15 14:23:56 UTC 2014 - mrueckert@suse.de

- require ruby-common already in the main package, not every
  package we build requires ruby-devel
- update the rubygems provides to the actual version

-------------------------------------------------------------------
Wed Jun 18 21:38:50 UTC 2014 - mrueckert@suse.de

- %ix86 architectures are x86 for rubygems

-------------------------------------------------------------------
Wed Jun 18 18:45:29 UTC 2014 - mrueckert@suse.de

- also package the extensions documentation dir

-------------------------------------------------------------------
Wed Jun 18 15:22:27 UTC 2014 - mrueckert@suse.de

- no longer share the rb_binary_suffix between the library usage
  and the binary usage. for the library usage we have now
  rb_soname.
- change rb_binary_suffix to .ruby2.1

-------------------------------------------------------------------
Wed Jun 18 13:31:15 UTC 2014 - mrueckert@suse.de

- also provide libruby.so again:
  too much broken code relies on the existence of it

-------------------------------------------------------------------
Wed Jun 18 09:20:50 UTC 2014 - mrueckert@suse.de

- also package the extensions dir so we have an owner

-------------------------------------------------------------------
Tue Jun 17 12:41:44 UTC 2014 - mrueckert@suse.de

- no longer provide the ruby macros 

-------------------------------------------------------------------
Sun Jun 15 22:23:05 UTC 2014 - mrueckert@suse.de

- remove ruby19-export_init_prelude.patch

-------------------------------------------------------------------
Sun Jun 15 18:27:42 UTC 2014 - mrueckert@suse.de

- don't build ruby-common in here anymore

-------------------------------------------------------------------
Fri May 16 20:21:05 UTC 2014 - kkaempf@suse.com

- Update to 2.1.2
  - fix for a regression of Hash#reject in Ruby 2.1.1
  - support for build with Readline-6.3 (see Bug #9578)
  - updated bundled version of libyaml with psych
  - some bug fixes.

-------------------------------------------------------------------
Sun Mar  2 09:07:57 UTC 2014 - kkaempf@suse.com

- make api_version explicit in spec
- adapt versions of embedded gems

-------------------------------------------------------------------
Fri Feb 28 14:14:00 UTC 2014 - adrian@suse.de

- use api version 2.1.0 again to avoid dependency breakages

-------------------------------------------------------------------
Fri Feb 28 09:03:07 UTC 2014 - kkaempf@suse.com

- Update to 2.1.1
  Speedup and bugfixes (upstream bug ids):
  - rubygems 2.2.2 (#9489)
  - fix segfault at unpacking modified String (#9478)
  - Struct#send(:setter=, rhs) does not return rhs (#9470)
  - Array#uniq behavior change (#9470)
  - Timeout behavior change (#9470)
  - Hash lookup with #hash and #eql broken (#9470)
  - bigdecimal division issue (#9470)
  - SizedQueue not working (#9470)
  - BigDecimal division (#9316)
  - fix 'gem install --ignore-dependencies' for remote gems  (#9282)
  - Array#to_h should not ignore badly formed elements (#9270)
  - Method#arity for keyword arguments (#8072)

-------------------------------------------------------------------
Sat Feb 15 21:05:19 UTC 2014 - kkaempf@suse.com

- add internal.h to ruby-devel-extra

-------------------------------------------------------------------
Mon Feb 10 11:20:16 UTC 2014 - kkaempf@suse.com

- Don't require rpm-with-ruby-provide-hook on SLE11.
  It's not a runtime requirement but a build-time requirement for
  rubygems in SLE11. Buildservice will take care of that.

-------------------------------------------------------------------
Fri Feb  7 12:05:32 UTC 2014 - coolo@suse.com

- reintroduce update-alternatives for rake, rdoc and ri as those
  can come from more up-to-date gems

-------------------------------------------------------------------
Sat Feb  1 11:51:30 UTC 2014 - coolo@suse.com

- readd old macros - for now at least

-------------------------------------------------------------------
Fri Jan 31 10:22:24 UTC 2014 - kkaempf@suse.com

- generate provides for embedded rubygems

-------------------------------------------------------------------
Thu Jan 30 14:29:36 UTC 2014 - kkaempf@suse.com

- merged ruby-common

-------------------------------------------------------------------
Sun Jan 19 12:54:46 UTC 2014 - kkaempf@suse.com

- new package split - only single Ruby version installable
  ruby - binary
  libruby2_1-2_0 - ruby runtime library
  ruby-stdlib - ruby standard library
  ruby-doc - ruby documentation
  ruby-devel - ruby development

-------------------------------------------------------------------
Sun Jan 19 12:53:57 UTC 2014 - kkaempf@suse.com

- revert the ruby split (ruby - ruby21)
  rename ruby21 to ruby, integrate 'ruby' and 'ruby-common'

-------------------------------------------------------------------
Thu Jan  9 10:37:57 UTC 2014 - jreidinger@suse.com

- remove part of rubygems1.5 patch that modify mkmf which is
  already fixed upstream

-------------------------------------------------------------------
Wed Jan  8 20:03:32 UTC 2014 - kkaempf@suse.com

- fix rb_arch in spec: append -gnu
- fix native gem builds: create gem native extensions dir

-------------------------------------------------------------------
Mon Jan  6 08:31:16 UTC 2014 - coolo@suse.com

- initial version for ruby 2.1.0 - changes to Ruby 2.0:
  VM (method cache)
  RGenGC (See ko1’s RubyKaigi presentation and RubyConf 2013 presentation)
  refinements #8481 #8571
  syntax changes
  Rational/Complex Literal #8430
  def’s return value #3753
  Bignum
  use GMP #8796
  String#scrub #8414
  Socket.getifaddrs #8368
  RDoc 4.1.0 and RubyGems 2.2.0
  “literal”.freeze is now optimized #9042
  add Exception#cause #8257
  update libraries like BigDecimal, JSON, NKF, Rake, RubyGems, and RDoc
  remove curses #8584

- initial patches:
 drop_content_size_check_in_xmlrpc.patch
 ruby-1.9.2p290_tcl_no_stupid_rpaths.patch
 ruby19-export_init_prelude.patch
 rubygems-1.5.0_buildroot.patch
