Changelog for
ruby-test-suite-1.8.7.p357-0.5.1.x86_64.rpm :
Tue Jul 2 14:00:00 2013 jmassaguerplaAATTsuse.com
- fix CVE-2013-4073 (bnc#827265)
The fix_cve-2013-4073.patch contains the patch for
CVE-2013-4073 (bnc#827265) adapted from
https://github.com/ruby/ruby/commit/2669b84d407ab431e965145c827db66c91158f89
Thu Mar 28 13:00:00 2013 lijewski.stefanAATTgmail.com
- added CVE-2013-1821.patch: (bnc#808137)
Fix entity expansion DoS vulnerability in REXML. When reading
text nodes from an XML document, the REXML parser could be
coerced into allocating extremely large string objects which
could consume all available memory on the system. CVE-2013-1821
(Patch taken from debian (Salvatore Bonaccorso))
Fri Oct 26 14:00:00 2012 mrueckertAATTsuse.de
- added ruby-1.8.7_safe_level_bypass.patch: (bnc#783525)
Fixes a SAFE_LEVEL bypass in name_err_to_s. CVE-2012-4466
Thu Jan 12 13:00:00 2012 mrueckertAATTsuse.de
- update to 1.8.7.p357 (bnc#739122)
- randomize hash to avoid algorithmic complexity attacks.
CVE-2011-4815
- initialization of hash_seed to be at the beginning of the
process.
- initialize random seed at first.
- call OpenSSL::Random.seed at the SecureRandom.random_bytes
call. insert separators for array join. patch by Masahiro
Tomita. [ruby-dev:44270]
- mkconfig.rb: fix for continued lines. based on a patch from
Marcus Rueckert at [ruby-core:20420].
- Infinity is greater than any bignum number. [ruby-dev:38672]
- initialize store->ex_data.sk. [ruby-core:28907]
[ruby-core:23971] [ruby-core:18121]
Wed Dec 21 13:00:00 2011 mrueckertAATTsuse.de
- update to 1.8.7.p352 (Fate #312657) (bnc#704409)
- support for openssl compiled without SSLv2
- multilib support for tk build
- some IPv6 related fixes
- zlib fixes
- reinitialize PRNG when forking children
(CVE-2011-2686/CVE-2011-3009)
- securerandom fixes (CVE-2011-2705)
- uri route_to fixes
- fix race condition with variables and autoload
- switched rb_arch macro to use RUBY_PLATFORM
- dropped patches:
1887f60a8540f64f5c7bb14d57c0be70506941b8.patch
ruby-1.8.7.p22_tcltk-multilib.patch
ruby-1.8.7-p334.tar.bz2
ruby-1.8.x_bigdecimal_memory_corruption.patch
- new patches
ruby-1.8.x_rubylibdir.patch
Thu May 12 14:00:00 2011 mrueckertAATTsuse.de
- added ruby-1.8.x_bigdecimal_memory_corruption.patch:
don't cast parameter to unsigned int in the alloc and later memset
the original value. (bnc#682287) CVE-2011-0188
Tue Feb 22 13:00:00 2011 mrueckertAATTsuse.de
- update to 1.8.7.p334 (bnc#673740, bnc#673750, bnc#600752)
- A symlink race condition vulnerability was found in
FileUtils.remove_entry_secure. The vulnerability allows local
users to delete arbitrary files and directories. CVE-2011-1004
- Exception#to_s method can be used to trick the $SAFE check, which
allows untrusted code to modify arbitrary strings.
CVE-2011-1005
- Ruby WEBrick character set issue (XSS) CVE-2010-0541
for all non security changes see
/usr/share/doc/packages/ruby/ChangeLog
- refreshed ruby-1.8.x_openssl_branch_update.patch
- buildrequires openssl to make the last openssl test work
- https://github.com/ruby/ruby/commit/1887f60a8540f64f5c7bb14d57c0be70506941b8.patch
* ext/zlib/zlib.c (zstream_append_input2): add RB_GC_GUARD.
This caused failure when test/csv is executed with GC.stress =
true.
- added ruby-1.8.7.p334_remove_zlib_test_params_test.patch:
remove the test_params patch from backport in r27917
It doesn't pass atm.
- removed ruby-1.8.6.p36_socket_ipv6.patch:
included upstream
Tue Sep 7 14:00:00 2010 mrueckertAATTsuse.de
- the testsuite and doc-html package should of course require the
main package
Fri Jul 2 14:00:00 2010 mrueckertAATTsuse.de
- add ruby(abi) = 1.8 provides
Thu Jul 1 14:00:00 2010 mrueckertAATTsuse.de
- update to 1.8.7.p299 (bnc#606056 and bnc#603914)
- OpenSSL 1.0.0 support
- Use OpenSSL engines which exist
- Fixed range and chunked support for Net::HTTP
- Iconv fixes
- Backported pack/unpack from the 1.9 branch (bnc#606056 bnc#603914)
- Multiple fixes in the resolver
- Fixed Unicode inspection bug.
- Escape characters properly for the accesslog (bnc#570616)
- cleaned up rpmlintrc
- refreshed patches:
old: ruby-1.8.7.p22_lib64.patch
new: ruby-1.8.7.p299_lib64.patch
old: ruby_1.8.6.p36_date_remove_privat.patch
new: ruby-1.8.7.p299_date_remove_privat.patch
old: ruby-pedantic-headers.diff
new: ruby-1.8.7.p299_pedantic-headers.patch
- replaced patches ruby-1.8.x_openssl-1.0.patch and
ruby-1.8.x_openssl-1.0-tests.patch with
ruby-1.8.x_openssl_branch_update.patch
Wed May 19 14:00:00 2010 mrueckertAATTsuse.de
- fix build on ix86:
- -target got removed from the %configure macro. add it back
locally for now.
Thu Apr 22 14:00:00 2010 mrueckertAATTsuse.de
- added ruby-1.8.x_openssl-1.0.patch and
ruby-1.8.x_openssl-1.0-tests.patch:
fix building with openssl 1.0.0 (taken from svn)
- added ruby-1.8.x_yaml2byte.patch:
fix warning about sequence point
- remove requires on glibc-devel again
Sat Mar 13 13:00:00 2010 crrodriguezAATTopensuse.org
- ruby-devel requires glibc-devel
Tue Feb 23 13:00:00 2010 mrueckertAATTsuse.de
- added ruby-1.8.x_digest_non_void_return.patch:
patch pulled from SVN to fix the warnings about no return in
non-void functions.
Sun Jan 31 13:00:00 2010 meissnerAATTsuse.de
- ruby calls "ppc" "powerpc".
Fri Jan 29 13:00:00 2010 mrueckertAATTsuse.de
- update to 1.8.7p249
small bug fix release in the 1.8.7 branch, this includes the fix
for:
- ruby webrick doesn't sanitize non-printable characters in log
(bnc#570616) CVE-2009-4492
- drop ruby-1.8.6.p36_gc.patch: solution is upstream
Wed Dec 16 13:00:00 2009 jengelhAATTmedozas.de
- package documentation as noarch
- adjust ruby.macros to ask the ruby binary for the target platform.
This is because %_host_cpu can expand to sparc64, while ruby is
built for the sparcv9 target, and %_target_cpu can expand to
noarch.
- in ruby.spec, %rb_arch is statically reset to %_target_cpu, as
we need the target name. Since it won't be noarch in this case,
that is good.
Thu Aug 20 14:00:00 2009 jansimon.moellerAATTopensuse.org
- remove s/armv5tel/armv4l/ in macros as it breaks build for armv5tel
Fri Nov 21 13:00:00 2008 mrueckertAATTsuse.de
- add ruby-1.8.7-p72_topdir.patch:
Config::TOPDIR was broken on lib64 systems as the code was
assuming $prefix/lib.
Fri Nov 21 13:00:00 2008 mrueckertAATTsuse.de
- added more ruby macros in /etc/rpm/macros.ruby
Sat Sep 6 14:00:00 2008 mrueckertAATTsuse.de
- update to 1.8.7p72
vendor_ruby support now officially included
for all the changes since 1.8.6 see
/usr/share/doc/packages/ruby/NEWS
- dropped ruby-1.8.6_openssl_verify_host.patch
included in update
- updated patch for new release:
old name: ruby-1.8.6.p36_lib64.patch
new name: ruby-1.8.7.p22_lib64.patch
- updated patch for new release:
old name: ruby-1.8.6.p36_tcltk-multilib.patch
new name: ruby-1.8.7.p22_tcltk-multilib.patch
- dropped ruby-1.8.6.p111_vendor_ruby.patch
only one chunk survived as ruby-1.8.7-p72_vendor_specific.patch
Fri May 16 14:00:00 2008 mrueckertAATTsuse.de
- update to 1.8.6.p114
bugfix release
- Fixes File access vulnerability of WEBrick (CVE-2008-1145)
(bnc#368618)
- ensure that the rss module adds the xml namespace
Thu Dec 6 13:00:00 2007 mrueckertAATTsuse.de
- update to 1.8.6.p111
bugfix release. important changes:
- ssl fixes (see notes on the ssl patch below)
- fixes for the threads support
- various overflow checks
- safe_level improvements
- printf fixes
- imap fixes
for all the details see /usr/share/doc/packages/ruby/ChangeLog
- added ruby-1.8.6.p111_openssl_verify_host.patch: (#329706)
validate the hostname against the CN from the presented SSL
certificate. This has been enabled for telnets, ftptls, imaps
and https. (CVE-2007-5162,CVE-2007-5770)
For telnets and https the verification is done if the verify mode
is set to anything else than OpenSSL::SSL::VERIFY_NONE.
For ftptls it is always enabled.
For imaps it is checked if you enable verification.
- added support to build with bleak_house to allow better memleak
debugging. (requires additional package ruby-bleakhouse)
- updated ruby-1.8.6.p36_vendor_ruby.patch
new name ruby-1.8.6.p111_vendor_ruby.patch
- dropped ruby-1.8.6.p36_thread_prototype_and_testsuite.patch:
included in update
Thu Oct 11 14:00:00 2007 dmuellerAATTsuse.de
- fix headers to be compilable with -pedantic
Sun Aug 12 14:00:00 2007 mrueckertAATTsuse.de
- added ruby_1.8.6.p36_date_remove_privat.patch:
Time.to_date() and Time.to_datetime() shouldn't be private.
Mon Aug 6 14:00:00 2007 mrueckertAATTsuse.de
- added ruby-1.8.6.p36_thread_prototype_and_testsuite.patch:
pulled two fixes from the 1.8.6 branch:
* avoid executing shell in the testsuite
* moved definition of rb_thread_status() to avoid errors in C++
extensions.
Sun Aug 5 14:00:00 2007 mrueckertAATTsuse.de
- update to 1.8.6.p36:
many bugfixes and library updates. highlights:
=== Library updates (outstanding ones only)
* date
* Updated based on date2 4.0.3.
* digest
* New internal APIs for C and Ruby.
* Support for autoloading.
* See below for new features and compatibility issues.
* nkf
* Updated based on nkf as of 2007-01-28.
* tk
* Tk::X_Scrollable (Y_Scrollable) is renamed to Tk::XScrollable
(YScrollable). Tk::X_Scrollable (Y_Scrollable) is still
available, but it is an alias name.
* Updated Tile extension support based on Tile 0.7.8.
* Support --without-X11 configure option for non-X11 versions
of Tcl/Tk (e.g. Tcl/Tk Aqua).
* New sample script: irbtkw.rbw -- IRB on Ruby/Tk. It has no
trouble about STDIN blocking on Windows.
=== New methods and features
* builtin classes
* New method: Kernel#instance_variable_defined?
* New method: Module#class_variable_defined?
* New feature: Dir::glob() can now take an array of glob
patterns.
* digest
* New digest class methods: file
* New digest instance methods: clone, reset, new,
inspect, digest_length (alias size or length),
block_length()
* New library: digest/bubblebabble
* New function: Digest(name)
* fileutils
* New option for FileUtils.cp_r(): :remove_destination
* thread
* Replaced with much faster mutex implementation in C. The
former implementation is available with a configure option
`--disable-fastthread'.
* webrick
* New method: WEBrick::Cookie.parse_set_cookies()
=== Compatibility issues (excluding feature bug fixes)
* builtin classes
* String#intern now raises SecurityError when $SAFE level is
greater than zero.
* fileutils
* A minor implementation change breaks Rake <=0.7.1.
Updating Rake to 0.7.2 fixes the problem.
* digest
* The constructor no longer takes an initial string to
feed; digest() and hexdigest() now do, instead.
For all details see the NEWS or ChangeLog file.
- rediffed patch ruby-1.8.2-gc.diff
new name ruby-1.8.6.p36_gc.patch
- rediffed patch ruby-1.8.2-tcltk-multilib.patch
new name ruby-1.8.6.p36_tcltk-multilib.patch
- rediffed patch ruby-socket_ipv6.patch
new name ruby-1.8.6.p36_socket_ipv6.patch
- rediffed patch ruby-1.8.5-vendor_ruby.patch
new name ruby-1.8.6.p36_vendor_ruby.patch
- rediffed patch ruby-1.8.5.p12-lib64.diff
new name ruby-1.8.6.p36_lib64.patch
Fri Mar 30 14:00:00 2007 rguentherAATTsuse.de
- add bison BuildRequires
- add emacs site-lisp directories
Fri Mar 23 13:00:00 2007 rguentherAATTsuse.de
- add gdbm-devel BuildRequires
Mon Feb 12 13:00:00 2007 mrueckertAATTsuse.de
- update to 1.8.5-p12:
* stable version 1.8.5-p12 released.
* ext/tk/tcltklib.c: shouldn't run the killed thread at callback.
[ruby-talk: 227408]
* lib/rdoc/ri/ri_options.rb: prevent NameError. [ruby-dev:29597]
* dir.c (glob_helper): get rid of possible memory leak.
* win32/win32.c (cmdglob, rb_w32_cmdvector, rb_w32_opendir,
rb_w32_get_environ): not to use GC before initialization.
* configure.in (SITE_DIR): fixed to empty RUBY_SITE_LIB in
config.h on NetBSD. fixed: [ruby-dev:29358]
* parse.y (dyna_init_gen): dvar initialization only if dvar is
assigned inner block. [ruby-talk:227402]
* stable version 1.8.5-p2 released.
* lib/cgi.rb (CGI::QueryExtension::read_multipart): should
quote boundary. JVN#84798830 (BNC #225983) (CVE-2006-6303)
* bignum.c (bignorm): avoid segmentation. a patch from Hiroyuki
Ito. [ruby-list:43012]
* parse.y (primary): should set NODE even when compstmt is NULL.
merge from trunk. fixed: [ruby-dev:29732]
* lib/cgi.rb (CGI::QueryExtension::read_multipart): CGI content
may be empty. a patch from Jamis Buck.
* ext/dbm/extconf.rb: create makefile according to the result of
check for dbm header. fixed: [ruby-dev:29445]
* hash.c (rb_hash_s_create): fixed memory leak, based on the
patch by Kent Sibilev.
fixed: [ruby-talk:211233]
- rediffed ruby-1.8.1-lib64.diff
new name ruby-1.8.5.p12-lib64.diff
- patches included in the update:
cgi_multipart_eof_fix.patch
ruby-1.8.4-fix-alias-safe-level.patch
ruby-1.8.4-fix-insecure-dir-operation.patch
ruby-1.8.4-fix-insecure-regexp-modification.patch
ruby-1.8.4-no-eaccess.diff
ruby-1.8.4-warnings.patch
ruby-fix-autoconf-magic-code.patch
- added ruby-1.8.x-autoconf_2.61a.patch:
config.status changed to awk in 2.61a. adapt mkconfig.rb to the
new syntax.
Mon Oct 30 13:00:00 2006 mrueckertAATTsuse.de
- added cgi_multipart_eof_fix.patch:
fix for a denial of service condition in cgi.rb CVE-2006-5467
(#214916)
Fri Oct 20 14:00:00 2006 mrueckertAATTsuse.de
- run ldconfig
- add site_ruby and vendor_ruby arch directories to the filelist
Wed Sep 27 14:00:00 2006 mrueckertAATTsuse.de
- added ruby-1.8.5-vendor_ruby.patch, site-specific.rb, vendor-specific.rb:
add vendor_ruby support. This is a small change for packagers.
You can now run 'ruby -rvendor-specific extconf.rb' (or setup.rb)
and it will be automatically installed in
%{_libdir}/ruby/vendor_ruby.
Sat Aug 26 14:00:00 2006 mrueckertAATTsuse.de
- Update to version 1.8.5:
o Non-blocking IO
| - Several methods backported from HEAD have been added:
| - BasicSocket#recv_nonblock
| - IO#read_nonblock
| - IO#write_nonblock
| - Socket#accept_nonblock
| - Socket#connect_nonblock
| - Socket#recvfrom_nonblock
| - TCPServer#accept_nonblock
| - UDPSocket#recvfrom_nonblock
| - UNIXServer#accept_nonblock
| (see ruby-core:7917, ruby-core:7925).
|
o Process.getrlimit/setrlimit See ruby-dev:28729.
|
o Changes in rdoc/ri
| - lots of documentation added
| - RubyGems support: ri will search gem installation dirs for
| additional documentation
| - new options to limit the search path
|
o RSS
| - added RSS::RootElementMixin#to_xml (ruby-talk:197284), which
| can be used to convert feeds to a different RSS version as
| follows:
| [[[
| rss10 = RSS::Parser.parse(File.read("1.0.rdf"))
| File.open("2.0.rss", "w") {|f| f.print(rss10.to_xml("2.0"))}
| ]]]
| - Support for taxonomies added to the RSS parser and generator.
| - A number of convenience methods added
| - New style API for RSS generation ruby-talk:197284
| [[[
| The recommended style is now
| xxx.new_yyy do |yyy|
| yyy.zzz = zzz
| ...
| end
|
|
| This corresponds to the following in pre-1.8.5:
| yyy = xxx.new_yyy
| yyy.zzz = zzz
| ]]]
o Misc
| - added Kernel.Pathname(path)
| - added Kernel#pretty_inspect
| - changes in the GC subsystem that result in better performance
| in some cases
| - added OptionParser#getopts
| - the per-object overhead went down to 20 bytes on win32
| (from 24) ruby-core:7474
o What breaks (!!!)
| - Binding.of_caller, and therefore breakpoint (including Rails')
| - several problems in ri reported: the documentation for some
| methods seems to have disappeared, and several methods that
| should not be documented appear in the indices;
| see ruby-core:08709
- removed patches, which are included in 1.8.5:
ruby-1.8.4-fix-insecure-dir-operation.patch
ruby-1.8.4-fix-insecure-regexp-modification.patch
ruby-1.8.4-fix-alias-safe-level.patch
- updated ruby-1.8.4_linkerflags.patch.
new name ruby-1.8.5_linkerflags.patch
Mon Jul 31 14:00:00 2006 mrueckertAATTsuse.de
- added ruby-fix-autoconf-magic-code.patch:
Fix for the latest changes in the autoconf code.
Mon Jul 31 14:00:00 2006 mrueckertAATTsuse.de
- security fixes [CVE-2006-3694] [#193661]
* added ruby-1.8.4-fix-insecure-dir-operation.patch &
ruby-1.8.4-fix-insecure-regexp-modification.patch:
fix the insecure operations in certain safe-level
restrictions.
* ruby-1.8.4-fix-alias-safe-level.patch: preserve safe level
restrictions when aliasing a function.