ruby2.7 (2.7.4-1ubuntu3.2) impish-security; urgency=medium
* SECURITY UPDATE: Buffer over-read
- debian/patches/CVE-2022-28739.patch: fix dtoa buffer
overrun in missing/dtoa.c, test/ruby/test_float.rb.
- CVE-2022-28739
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 24 May 2022 07:47:45 -0300
ruby2.7 (2.7.4-1ubuntu3.1) impish-security; urgency=medium
* SECURITY UPDATE: Buffer overrun
- debian/patches/CVE-2021-41816.patch: fix integer overflow by making
sure the check in rb_alloc_tmp_buffer2 is used in
ext/cgi/escape/escape.c.
- CVE-2021-41816
* SECURITY UPDATE: ReDoS vulnerability
- debian/patches/CVE-2021-41817-*.patch: add length limit option
for methods that parse date strings and mimic previous behaviour
in ext/date/date_core.c, test/date/test_date_parse.rb.
- CVE-2021-41817
* SECURITY UPDATE: Mishandles sec prefixes in cookie names
- debian/patches/CVE-2021-41819.patch: when parsing cookies, only
decode the values in lib/cgi/cookie.rb, test/cgi/test_cgi_cookie.rb.
- CVE-2021-41819
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 06 Jan 2022 10:18:08 -0300
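Added check, not part of this changelog or of the ruby2.7 package: a Ruby script that probes the running interpreter for two of the behaviour changes listed in the 2.7.4-1ubuntu3.1 entry, the Date.parse length limit (CVE-2021-41817) and CGI::Cookie.parse no longer URL-decoding cookie names (CVE-2021-41819). The constants PADDED_DATE and SPOOFED_HEADER are constructed inputs, and the three predicate names are mine; the `limit:` keyword and the "only decode the values" behaviour are what the upstream fixes introduced. Distinguishing the length-limit failure from an ordinary "invalid date" matters because Date::Error is itself a subclass of ArgumentError.

```ruby
# Added check, not part of the ruby2.7 package or this changelog.
# Probes the running interpreter for two fixes shipped in 2.7.4-1ubuntu3.1:
#   CVE-2021-41817: Date.parse gains a `limit:` keyword (default 128 bytes)
#   CVE-2021-41819: CGI::Cookie.parse stops URL-decoding cookie names
require 'date'
begin
  require 'cgi'
rescue LoadError
  # Newer Rubies ship only cgi/escape; CGI::Cookie may then be absent.
end

# Constructed input: a valid ISO date padded well past the 128-byte limit.
# An unpatched Date.parse scans past the padding and returns 2021-01-01;
# a patched one raises a plain ArgumentError before parsing at all.
PADDED_DATE = "2021-01-01" + " " * 200

def date_parse_length_limited?
  Date.parse(PADDED_DATE)
  false
rescue Date::Error
  # "invalid date" from the parser itself; that is not the limit check.
  false
rescue ArgumentError
  # The limit check raises a bare ArgumentError, not Date::Error.
  true
end

# The limit is a DoS guard, not a parser change: opting out must still parse.
def date_parse_limit_opt_out_works?
  Date.parse(PADDED_DATE, limit: nil).year == 2021
rescue ArgumentError
  false
end

# Constructed Cookie header. Before the fix the name was passed through
# CGI.unescape as well, so "%5F%5FSecure-sid" came back as "__Secure-sid"
# and merged with (or impersonated) the genuinely prefixed cookie. After the
# fix only values are decoded, so the encoded name stays a separate entry.
SPOOFED_HEADER = "%5F%5FSecure-sid=evil; __Secure-sid=good; lang=en%20US"

def cookie_names_left_encoded?
  return :unavailable unless defined?(CGI::Cookie)
  jar = CGI::Cookie.parse(SPOOFED_HEADER)
  jar.key?("%5F%5FSecure-sid") &&          # name not decoded
    jar["__Secure-sid"].value == ["good"] && # not merged with the spoof
    jar["lang"].value == ["en US"]           # values are still decoded
end

if __FILE__ == $0
  puts "Date.parse length limit present:    #{date_parse_length_limited?}"
  puts "Date.parse limit: nil still parses: #{date_parse_limit_opt_out_works?}"
  puts "cookie names left encoded:          #{cookie_names_left_encoded?}"
end
```

Run it with the interpreter under test (e.g. `ruby2.7 check.rb`); `false` on either of the first two lines means the Date fix is missing, and `false` on the third means the cookie parser still decodes names and __Secure-/__Host- prefixes cannot be trusted on that host.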
ruby2.7 (2.7.4-1ubuntu3) impish; urgency=medium
* Build using GCC 10 on ppc64el. See LP #1943823.
-- Matthias Klose <email address hidden> Thu, 16 Sep 2021 12:47:13 +0200
ruby2.7 (2.7.4-1ubuntu2) impish; urgency=medium
* No-change rebuild for libffi soname change.
-- Matthias Klose <email address hidden> Fri, 10 Sep 2021 16:59:58 +0200
ruby2.7 (2.7.4-1ubuntu1) impish; urgency=medium
* Merge with Debian unstable. Remaining changes:
- LTO appears to cause some issues with the SEGV handler. Disable
it for now. See https://bugs.ruby-lang.org/issues/17052.

ruby2.7 (2.7.4-1) unstable; urgency=medium
* New upstream version 2.7.4.
(Fixes: CVE-2021-31799 CVE-2021-31810 CVE-2021-32066)
(Closes: #990815)
-- Utkarsh Gupta <email address hidden> Fri, 09 Jul 2021 17:50:12 +0530
ruby2.7 (2.7.3-2ubuntu1) impish; urgency=medium
* Merge with Debian unstable. Remaining changes:
- LTO appears to cause some issues with the SEGV handler. Disable
it for now. See https://bugs.ruby-lang.org/issues/17052.
* Dropped changes:
- debian/patches/CVE-2021-28965.patch: backport fixes from REXML.
[Included in 2.7.3-1]
-- Utkarsh Gupta <email address hidden> Wed, 05 May 2021 18:26:16 +0530
ruby2.7 (2.7.2-4ubuntu1.1) hirsute-security; urgency=medium
* SECURITY UPDATE: XML round-trip vulnerability in REXML
- debian/patches/CVE-2021-28965.patch: backport fixes from REXML
3.2.3.1.
- CVE-2021-28965
-- Marc Deslauriers <email address hidden> Thu, 22 Apr 2021 14:27:19 -0400
ruby2.7 (2.7.2-4ubuntu1) hirsute; urgency=medium
* LTO appears to cause some issues with the SEGV handler. Disable it for now.
See https://bugs.ruby-lang.org/issues/17052
-- Matthias Klose <email address hidden> Tue, 23 Mar 2021 13:50:56 +0100