Please sync ruby1.9 1.9.0.2-7 (main) from Debian unstable (main).

Bug #281456 reported by Jamie Strandboge
Affects: ruby1.9 (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: none

Bug Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 affects ubuntu/ruby1.9
 status confirmed
 importance wishlist
 subscribe ubuntu-archive

Please sync ruby1.9 1.9.0.2-7 (main) from Debian unstable (main).

Changelog since current intrepid version 1.9.0.2-5:

ruby1.9 (1.9.0.2-7) unstable; urgency=low

  * debian/rules: Fixed a FTBFS on hurd-i386: failure of
    cat /proc/cpuinfo no more stops the build process.
    (Closes: #497737)

 -- Daigo Moriwaki <email address hidden> Fri, 05 Sep 2008 12:07:57 +0900

ruby1.9 (1.9.0.2-6) unstable; urgency=low

  * Added patches under debian/patches which were backported from the
    upstream and fixed multiple vulnerabilities:
    - 301_dns_spoofing_r18424.dpatch: fixed DNS spoofing vulnerability
      in resolv.rb. (CVE-2008-1447)
    - 302_r18220_webrick_DoS.dpatch: fixed DoS vulnerability in WEBrick.
    - 303_r17726_syslog_safeleve4.dpatch: syslog operations should be
      protected from $SAFE level 4.
    - 304_r17577_trace_var_safeleve4.dpatch: rb_f_trace_var should not
      be allowed at safe level 4.
    - 305_r18496_dl_tain.dpatch: dl doesn't check taintness, so it could
      allow attackers to call dangerous functions.
    - 306_r17586_methods_called_safelevel13.dpatch: Insecure methods may
      be called at safe level 1-3.
      (Closes: #494402)
    - 307_r19033_rexml_DoS.dpatch: fixed DoS vulnerability in REXML.
      (CVE-2008-3790) (Closes: #497610)

 -- Daigo Moriwaki <email address hidden> Tue, 02 Sep 2008 22:11:34 -0400

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFI78BFW0JvuRdL8BoRAkONAJ4pumTP4hzpSpJSjAC7mECHoVg+0ACfetre
aAdMmM9FghNGxhHBZDQizpw=
=I6nz
-----END PGP SIGNATURE-----

Jamie Strandboge (jdstrand) wrote :

This update (excepting the hurd FTBFS fix) is a security update and addresses all open CVEs for ruby1.9. See http://www.ubuntu.com/usn/usn-651-1 for a list of vulnerabilities that were fixed in ruby1.8, which (almost) all apply to ruby1.9.

Changed in ruby1.9:
importance: Wishlist → High
milestone: none → ubuntu-8.10
Jamie Strandboge (jdstrand) wrote :

I have built 1.9.0.2-7 on intrepid i386 and amd64, and it builds fine. The build includes a test suite. I also ran 'make check' from the source directory, and it introduced no regressions over the previous version (though it doesn't run too well generally). I also tested this with test-ruby.py from https://launchpad.net/qa-regression-testing and verified that the update fixes the CVEs and introduces no regressions.

Jonathan Riddell (jr) wrote :

Getting binaries for intrepid...
[Updating] ruby1.9 (1.9.0.2-5 [Ubuntu] < 1.9.0.2-7 [Debian])
 * Trying to add ruby1.9...
  - <ruby1.9_1.9.0.2-7.dsc: downloading from http://ftp.debian.org/debian/>
  - <ruby1.9_1.9.0.2.orig.tar.gz: already in distro - downloading from librarian>
  - <ruby1.9_1.9.0.2-7.diff.gz: downloading from http://ftp.debian.org/debian/>

Changed in ruby1.9:
status: Confirmed → Fix Released
Changed in ruby1.9:
milestone: ubuntu-8.10 → none