[Bug 1131493] Re: Please merge ruby1.9.1 1.9.3.194-7 (main) from Debian testing (main)
Launchpad Bug Tracker
1131493 at bugs.launchpad.net
Fri Feb 22 21:09:13 UTC 2013
This bug was fixed in the package ruby1.9.1 - 1.9.3.194-7ubuntu1
---------------
ruby1.9.1 (1.9.3.194-7ubuntu1) raring; urgency=low
* Merge from Debian testing (LP: #1131493). Remaining changes:
- debian/control: Add ca-certificates to libruby1.9.1 depends so that
rubygems can perform certificate verification
- debian/rules: Don't install SSL certificates from upstream sources
- debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
/etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
* Changes dropped:
- debian/patches/20121016-cve_2012_4522.patch: Debian is carrying a patch
for this issue.
- debian/patches/20121011-cve_2012_4464-cve_2012_4466.patch: Debian is
carrying a patch for this issue, but the patch is incorrectly named
20120927-cve_2011_1005.patch. I'll work with Debian to change the patch
name, but there's no need in carrying a delta because of this. To be
clear, the Ubuntu ruby1.9.1 package is patched for CVE-2012-4464 and
CVE-2012-4466, despite the incorrect patch name.
* debian/patches/CVE-2012-4522.patch: Adjust patch to fix build test error.
Use the version of the fix from upstream's 1.9.3 tree to fix the
NoMethodError for assert_file_not, which doesn't exist in 1.9.3. Adjust
the Origin patch tag accordingly.
ruby1.9.1 (1.9.3.194-7) unstable; urgency=high
* debian/patches/CVE-2013-0269.patch: fix possible denial of service and
unsafe object creation vulnerability in JSON (Closes: #700471)
ruby1.9.1 (1.9.3.194-6) unstable; urgency=high
[Nobuhiro Iwamatsu]
* debian/patches/CVE-2013-0256.patch: fix possible cross site scripting
vulnerability in documentation generated by RDOC (Closes: #699929)
ruby1.9.1 (1.9.3.194-5) unstable; urgency=high
* Disable running the test suite during the build on sparc again. Keeping
urgency=high because the previous release, which contains a security bug
fix, did not reach testing yet because of a segfault when running tests in
the sparc buildd.
ruby1.9.1 (1.9.3.194-4) unstable; urgency=high
[ James Healy ]
* debian/patches/CVE-2012-5371.patch: avoid DOS vulnerability in hash
implementation, this fixes CVE-2012-5371. (Closes: #693024).
ruby1.9.1 (1.9.3.194-3) unstable; urgency=high
* debian/patches/CVE-2012-4522.patch: avoid vulnerability with strings
containing NUL bytes passed to file creation methods. This fixes
CVE-2012-4522 (Closes: #690670).
ruby1.9.1 (1.9.3.194-2) unstable; urgency=low
* debian/patches/20120927-cve_2011_1005.patch: patch sent by upstream;
fixes CVE-2011-1005 which was thought of as not affecting the Ruby 1.9.x
series (Closes: #689075). Thanks to Tyler Hicks <tyhicks at canonical.com>
for reporting the issue.
-- Tyler Hicks <tyhicks at canonical.com> Thu, 21 Feb 2013 17:11:23 -0800
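The CVE-2012-4522 entry above is terse: the bug class is a path string containing a NUL byte reaching a file-creation method, where the C-level call sees only the part before the NUL, so a name checked as ending in one extension can create a file with another. The following Ruby snippet is an added example, not code from the bug report, the Debian package or the upstream patch; it shows the explicit input check a defender would want around any file creation that takes attacker-influenced names, plus a probe of how the Ruby runtime itself treats such a path (the helper names `nul_free?`, `safe_path` and `runtime_rejects_nul?` are invented for this example).

```ruby
# Added example (not from the bug report or the ruby1.9.1 package).
# Defensive handling for the bug class behind CVE-2012-4522: a path
# string that contains a NUL byte must never reach a file-creation call.

# Returns true when +path+ contains no NUL byte.
def nul_free?(path)
  !path.to_s.include?("\0")
end

# Raises ArgumentError for a path containing a NUL byte; otherwise returns
# the path unchanged so callers can wrap it around File.open / File.write.
def safe_path(path)
  raise ArgumentError, "path contains a NUL byte" unless nul_free?(path)
  path
end

# Probes the runtime: returns true if Ruby refuses a NUL-containing path
# on a file-creation call (current Ruby raises ArgumentError before
# touching the filesystem), false if the call went through. Only ever
# call this with a path that contains a NUL byte, so nothing is written.
def runtime_rejects_nul?(path)
  File.open(path, "w") { |f| f }
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a benign name and one with an embedded NUL.
  good = "report.txt"
  bad  = "report.txt\0.rb"
  puts "#{good.inspect} accepted: #{nul_free?(good)}"
  puts "#{bad.inspect} accepted: #{nul_free?(bad)}"
  puts "runtime rejects NUL path: #{runtime_rejects_nul?(bad)}"
end
```

The point of keeping the check in application code even on a patched interpreter is that the validation then fails closed with a clear error at the boundary where the untrusted name enters, instead of relying on which interpreter version happens to be installed.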
** Changed in: ruby1.9.1 (Ubuntu)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1005
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4464
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4466
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5371
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0256
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0269
https://bugs.launchpad.net/bugs/1131493
Title:
Please merge ruby1.9.1 1.9.3.194-7 (main) from Debian testing (main)
Status in “ruby1.9.1” package in Ubuntu:
Fix Released
Bug description:
By merging from Debian testing, we can reduce our delta and we also
pick up fixes for a few security issues.