Accepted ruby2.3 2.3.5-1 (source) into unstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 14 Nov 2017 11:06:39 -0200
Source: ruby2.3
Binary: ruby2.3 libruby2.3 ruby2.3-dev ruby2.3-doc ruby2.3-tcltk
Architecture: source
Version: 2.3.5-1
Distribution: unstable
Urgency: medium
Maintainer: Antonio Terceiro <terceiro@debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
libruby2.3 - Libraries necessary to run Ruby 2.3
ruby2.3 - Interpreter of object-oriented scripting language Ruby
ruby2.3-dev - Header files for compiling extension modules for the Ruby 2.3
ruby2.3-doc - Documentation for Ruby 2.3
ruby2.3-tcltk - Ruby/Tk for Ruby 2.3
Closes: 842432 853648 864860 873802 873906 875928 875931 875936 879231
Changes:
ruby2.3 (2.3.5-1) unstable; urgency=medium
.
  * New upstream release.
    - Includes fix for building with GCC 7 (Closes: #853648)
    - Included security fixes
      - Buffer underrun vulnerability in OpenSSL ASN1 decode
        [CVE-2017-14033] (Closes: #875928)
      - Escape sequence injection vulnerability in the Basic authentication of
        WEBrick
        [CVE-2017-10784] (Closes: #875931)
      - Buffer underrun vulnerability in Kernel.sprintf
        [CVE-2017-0898] (Closes: #875936)
      - Multiple security vulnerabilities in Rubygems (Closes: #873802)
        - DNS request hijacking vulnerability. Discovered by Jonathan
          Claudius, fix by Samuel Giddins.
          [CVE-2017-0902]
        - ANSI escape sequence vulnerability. Discovered by Yusuke Endoh,
          fix by Evan Phoenix.
          [CVE-2017-0899]
        - DoS vulnerability in the query command. Discovered by Yusuke
          Endoh, fix by Samuel Giddins.
          [CVE-2017-0900]
        - Vulnerability in the gem installer that allowed a malicious gem to
          overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel
          Giddins.
          [CVE-2017-0901]
      - Arbitrary heap exposure problem in the JSON library
        [CVE-2017-14064] (Closes: #873906)
      - SMTP comment injection
        [CVE-2015-9096] (Closes: #864860)
      - IV reuse in GCM mode in the OpenSSL bindings
        [CVE-2016-7798] (Closes: #842432)
  * Whitelist classes and symbols that are in Gem spec YAML
    [CVE-2017-0903] (Closes: #879231)
    Original patch by Aaron Patterson; backported from the standalone Rubygems
    package
  * Convert packaging from using a plain git history to using gbp-pq, thus
    making Debian's individual patches explicitly present in debian/patches
  * Refresh debian/libruby2.3.symbols. There are some removed symbols, but
    they are never exposed in a header file, so there should be no packages
    using them.
Checksums-Sha1:
0a663eef9e8e7887c99be32ffb1d841d9efcad04 2475 ruby2.3_2.3.5-1.dsc
07c5db8a364db80b02a0e2b632bb7c278c84f62e 12916814 ruby2.3_2.3.5.orig.tar.gz
49f717c776700f4e89f7d2eca7270a5e3b1c0986 96268 ruby2.3_2.3.5-1.debian.tar.xz
bfc7dd16726802706ce9454ab72ce5adda45b082 6346 ruby2.3_2.3.5-1_source.buildinfo
Checksums-Sha256:
ee10ece2064e88d914466587b2023f3d3faf30136d7e6c8170cd1952225f8b46 2475 ruby2.3_2.3.5-1.dsc
c11d5f0f866e021cea7e3eaeb2f83525734c2b71d5db283e5ee3d878fb0e16cc 12916814 ruby2.3_2.3.5.orig.tar.gz
5f75c3f3a2dec42b7228715544ec9e4fe2529a215b33689348405f9b40eabdb8 96268 ruby2.3_2.3.5-1.debian.tar.xz
f46d5e90c8b4aee45fc8f32ea6b86b51ed9496b57c96643e2768fa044d285a39 6346 ruby2.3_2.3.5-1_source.buildinfo
Files:
1ad047d2760c26c2d81909c31acbaa67 2475 ruby optional ruby2.3_2.3.5-1.dsc
c06d11091cb8dc594f306909786246a9 12916814 ruby optional ruby2.3_2.3.5.orig.tar.gz
a643704eae7f72c9524a90a0f79b39c0 96268 ruby optional ruby2.3_2.3.5-1.debian.tar.xz
ccbe18fe4782de6640ce328073fc0667 6346 ruby optional ruby2.3_2.3.5-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=WGPi
-----END PGP SIGNATURE-----