Back to ruby2.3 PTS page

Accepted ruby2.3 2.3.3-1+deb9u3 (source) into proposed-updates->stable-new, proposed-updates

To: debian-changes@lists.debian.org
Subject: Accepted ruby2.3 2.3.3-1+deb9u3 (source) into proposed-updates->stable-new, proposed-updates
From: santiagorr@riseup.net (Santiago R.R.)
Date: Sat, 09 Mar 2019 18:47:08 +0000
Mail-followup-to: debian-devel@lists.debian.org
Message-id: <E1h2h00-0007vu-8t@fasolo.debian.org>
Reply-to: debian-devel@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 Jul 2018 13:28:10 +0200
Source: ruby2.3
Binary: ruby2.3 libruby2.3 ruby2.3-dev ruby2.3-doc ruby2.3-tcltk
Architecture: source
Version: 2.3.3-1+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Antonio Terceiro <terceiro@debian.org>
Changed-By: Santiago R.R. <santiagorr@riseup.net>
Description:
 libruby2.3 - Libraries necessary to run Ruby 2.3
 ruby2.3    - Interpreter of object-oriented scripting language Ruby
 ruby2.3-dev - Header files for compiling extension modules for the Ruby 2.3
 ruby2.3-doc - Documentation for Ruby 2.3
 ruby2.3-tcltk - Ruby/Tk for Ruby 2.3
Closes: 889117 898694
Changes:
 ruby2.3 (2.3.3-1+deb9u3) stretch-security; urgency=medium
 .
   [ Santiago R.R. ]
   * Fix Command injection vulnerability in Net::FTP.
     [CVE-2017-17405]
   * webrick: use IO.copy_stream for multipart response. Required changes in
     WEBrick to fix CVE-2017-17742 and CVE-2018-8777
   * Fix HTTP response splitting in WEBrick.
     [CVE-2017-17742]
   * Fix Command Injection in Hosts::new() by use of Kernel#open.
     [CVE-2017-17790]
   * Fix Unintentional directory traversal by poisoned NUL byte in Dir
     [CVE-2018-8780]
   * Fix multiple vulnerabilities in RubyGems.
     CVE-2018-1000073: Prevent Path Traversal issue during gem installation.
     CVE-2018-1000074: Fix possible Unsafe Object Deserialization
     Vulnerability in gem owner.
     CVE-2018-1000075: Strictly interpret octal fields in tar headers.
     CVE-2018-1000076: Raise a security error when there are duplicate files
     in a package.
     CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
     CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when
     displayed via gem server.
     CVE-2018-1000079: Prevent path traversal when writing to a symlinked
     basedir outside of the root.
   * Fix directory traversal vulnerability in the Dir.mktmpdir method in the
     tmpdir library
     [CVE-2018-6914]
   * Fix Unintentional socket creation by poisoned NUL byte in UNIXServer and
     UNIXSocket
     [CVE-2018-8779]
   * Fix Buffer under-read in String#unpack
     [CVE-2018-8778]
   * Fix tests to cope with updates in tzdata (Closes: #889117)
   * Exclude Rinda TestRingFinger and TestRingServer test units requiring
     network access (Closes: #898694)
 .
   [ Antonio Terceiro ]
   * debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to
     assumptions that don't hold on newer tzdata update. Upstream bug:
     https://bugs.ruby-lang.org/issues/14655
Checksums-Sha1:
 5afa01b2458ca3ae446afafc81199d74e4d7bede 2503 ruby2.3_2.3.3-1+deb9u3.dsc
 b178b5349ce51fdc6d64f8f09a2e5c8666afbf69 115108 ruby2.3_2.3.3-1+deb9u3.debian.tar.xz
 07c8c87633399d1206a19f7ab886f7daffe7f216 10673 ruby2.3_2.3.3-1+deb9u3_amd64.buildinfo
Checksums-Sha256:
 bb63c143540a31a71a1982219266580434c35e4f09ff5db3bb1cced5cf611e0d 2503 ruby2.3_2.3.3-1+deb9u3.dsc
 076c1973276eb48d0adb655e595dfcce62d0273ebc3beaa2ef6815c862fd2aab 115108 ruby2.3_2.3.3-1+deb9u3.debian.tar.xz
 37a7b6f3e106d6d54fe5649a72b23066a3edd4e6f9a5cabae4467a477b5c9f7a 10673 ruby2.3_2.3.3-1+deb9u3_amd64.buildinfo
Files:
 1d4de9b04ccbcb46357fcdbff8b2b620 2503 ruby optional ruby2.3_2.3.3-1+deb9u3.dsc
 21fc61cef0ddad1b284d011f177b2326 115108 ruby optional ruby2.3_2.3.3-1+deb9u3.debian.tar.xz
 3a4b287deb5600e5ce35827925d87170 10673 ruby optional ruby2.3_2.3.3-1+deb9u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwUqnBPVvaa0NAVzHFX/a4RXx4q0FAltYTTAACgkQFX/a4RXx
4q2owRAAhuXWZ4QoepiexTPQ/I/qNNQRrhS2aL6PexpaHnHJHzAsx8b/Fox8QTYN
5W+tIKnW7oYqWEUikoWy7p8wLto78ltCB1iaQWiXyrS79YWj6xiwl+A0qnadEU3S
4OoYwXwgXxgyTnYGNsLIv/QWF0Hbm3tMmyiv9UzKzbm403foXNheBVbiYT3EgKby
ckxWo8fF3oYsphDg6qUXyGfFC0CToPuHI2LmyZe17L0pp/BIk+nYvAPez11uC1Qq
zfOtCE8unMEx1H7S1t9kol84Em+M935XdqZ9aEO4/YVEsnPY1NbCHo8joyG9w7LL
ScsN7Ts+2MxDDl/9lqT65/E9WfUvt9bWggczl36Edo+oS+zJTxqSUNhgtQRHADG8
VaFpkSbBuoCKqcCUrwGpyNcWT5pbWYNN6q8D01YO1puM8gXm7SIBMGuV/al2TsXv
0r82PXNiSBrqcOzTC8jD0yw8d6w1CW224hrlKyfQubKgZ5NqTwY4Rb9maHnfU+RU
8N78nu+U8ETgPIM74+Hyji7W6PBQYCjTBtCWWA9648PfYTlgGcrQh3gEVlHIASfA
B7PTKe2AFMLWfTIQ4D7WjvfVoNCSnfn2wQfbRILGy36z8B8OoGmwBpWeM0gpxOZU
nMe1DrjBb7UUdFTAdF6wkcqGXYZa2+Y9Gnm4Vd5jiZm6GPojeME=
=OTgZ
-----END PGP SIGNATURE-----