[ubuntu/disco-proposed] ruby2.5 2.5.5-1ubuntu1 (Accepted)

Gianfranco Costamagna locutusofborg at debian.org
Fri Mar 29 07:13:45 UTC 2019


ruby2.5 (2.5.5-1ubuntu1) disco; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - d/p/rubygems-2388.patch: Allow either Fetcher or OpenSSL exceptions
      when using invalid cert in rubygems testcase.
      - update the patch with the merged upstream PR: 2507
    - various backports for better openssl support (formerly undocumented in
      changelog)
      + d/p/0001-openssl-buffering.rb-no-RS-when-output.patch
      + d/p/0006-Workaround-for-old-LibreSSL.patch
  * Dropped changes: d/p/1dfc377ae3b174b043d3f0ed36de57b0296b34d0.patch
    - upstream

ruby2.5 (2.5.5-1) unstable; urgency=medium

  * New upstream version 2.5.5. Includes a series of bug fixes, most notably
    for 6 security bugs discovered in Rubygems:
    - CVE-2019-8320: Delete directory using symlink when decompressing tar
    - CVE-2019-8321: Escape sequence injection vulnerability in verbose
    - CVE-2019-8322: Escape sequence injection vulnerability in gem owner
    - CVE-2019-8323: Escape sequence injection vulnerability in API response
      handling
    - CVE-2019-8324: Installing a malicious gem may lead to arbitrary code
      execution
    - CVE-2019-8325: Escape sequence injection vulnerability in errors
  * Rebase patches. The following patches were applied upstream and dropped
    from the Debian package:
    - 0011-Update-for-tzdata-2018f.patch
    - 0012-test-update-test-certificate.patch

Date: Thu, 28 Mar 2019 10:47:03 +0100
Changed-By: Gianfranco Costamagna <locutusofborg at debian.org>
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers at lists.alioth.debian.org>
https://launchpad.net/ubuntu/+source/ruby2.5/2.5.5-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 28 Mar 2019 10:47:03 +0100
Source: ruby2.5
Binary: ruby2.5 libruby2.5 ruby2.5-dev ruby2.5-doc
Architecture: source
Version: 2.5.5-1ubuntu1
Distribution: disco
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers at lists.alioth.debian.org>
Changed-By: Gianfranco Costamagna <locutusofborg at debian.org>
Description:
 libruby2.5 - Libraries necessary to run Ruby 2.5
 ruby2.5    - Interpreter of object-oriented scripting language Ruby
 ruby2.5-dev - Header files for compiling extension modules for the Ruby 2.5
 ruby2.5-doc - Documentation for Ruby 2.5

