Fixes two CVEs:
CVE-2021-28965: XML round-trip vulnerability in REXML
CVE-2021-28966: Path traversal in Tempfile on Windows
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
The crude loop I wrote to come up with this changeset:
find -L package/feeds/packages/ -name patches | \
sed 's/patches$/refresh/' | sort | xargs make
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
This release contains intentional incompatibility. Deprecation warnings are
off by default on 2.7.2 and later. You can turn on deprecation warnings by
specifying the -w or -W:deprecated option at the command-line. Please check
the topics below for details.
* Feature #17000 2.7.2 turns off deprecation warnings by default
* Feature #16345 Don’t emit deprecation warnings by default.
This release contains the new version of webrick with a security fix described in the article.
* CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This activates following extensions:
* io/nonblock
* io/wait
* openssl
* pathname
* ripper
* socket
* zlib
zlib and socket are required for gem, so they should simply be enabled,
because otherwise it does not make sense to provide the host gem at all.
The rest of the extensions are activated to support compass.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
Bug fixes and a security update of the bundled RubyGems:
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Fix only release, including:
* CVE-2018-16396: Tainted flags are not propagated in Array#pack
and String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work
correctly
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes some bug fixes and some security fixes.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
There are also some bug fixes.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes some bug fixes and a security fix.
CVE-2017-17405: Command injection vulnerability in Net::FTP
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release contains some security fixes.
CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure in generating JSON
Multiple vulnerabilities in RubyGems
Update bundled libyaml to version 0.1.7.
And many other bug fixes.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
There might be no ABI breakage when the first two numbers
of the version are the same.
(No change on generated packages. No need to bump release)
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
As both LEDE and OpenWrt have STAGING_DIR_HOSTPKG now, we can start to rely
on it. See 73b7f55424 for more information on
STAGING_DIR_HOSTPKG.
STAGING_DIR_HOSTPKG won't actually be changed before the first LEDE release
(it is equivalent to $(STAGING_DIR)/host), so this simple search/replace
cleanup is safe to apply. Doing this cleanup now will be useful for the
Gluon project (an OpenWrt/LEDE based firmware framework) for experimenting
with modifying STAGING_DIR_HOSTPKG before doing this in the LEDE upstream.
Also fixes a typo in the dbus Makefile ("STAGIND_DIR").
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This is a stable feature release.
Notable changes:
- Introduce hash table improvement (by Vladimir Makarov)
- Binding#irb: Start a REPL session similar to binding.pry
- Unify Fixnum and Bignum into Integer
- String supports Unicode case mappings
- Performance improvements
- Thread#report_on_exception and Thread.report_on_exception changes
- Thread deadlock detection now shows threads with their backtrace and dependency
- Support OpenSSL 1.1.0 (drop support for 0.9.7 or prior)
- ext/tk is now removed from stdlib Feature #8539
- XMLRPC is now removed from stdlib Feature #12160
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release contains a bug fix about Refinements and Module#prepend.
The mixture use of Module#refine and Module#prepend to the same Class
could cause unexpected NoMethodError. This is a regression on Ruby 2.3.2
released last week. See [Bug #12920] for details.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release contains update of RubyGems 2.5.2 and update of included ssl certificates.
There are many bugfixes too. See the http://svn.ruby-lang.org/repos/ruby/tags/v2_3_2/ChangeLog
for details.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
New feature release for ruby. More info:
https://www.ruby-lang.org/en/news/2015/12/25/ruby-2-3-0-released/
Patches changes:
(-) 001-rdoc-remove_gems_dep.patch was merged
(+) 001-acinclude.m4_rename_aclocal.m4.patch backported from upstream.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
ruby subpackages now are generated by a macro. This reduces the
Makefile size by half and the chance of errors.
No change in packages contents, install-size or dependencies, except
for some removed doc files.
Improved ruby_missingfiles and ruby_find_pkgsdeps script
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes a security fix for Fiddle extension.
* CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL
There are also some bugfixes.
In the package, LD_FLAGS is now copied to DLD_FLAGS (used by ruby for libraries).
The missing values from LD_FLAGS cause a build error when gcc does not implicitly
include staging/usr/lib.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This is a bug and security fix release, including:
- CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier
http://svn.ruby-lang.org/repos/ruby/tags/v2_2_3/ChangeLog
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
libyaml is an optional dep for ruby psych. When missing, it uses
a bundled version of yaml. However, when libyaml is present in
openwrt build, ruby-psych packaging failed with deps not declared.
Now libyaml is configured as a hard dep for ruby-psych.
Also, the tk module was disabled in order to avoid a possible similar
problem if tk+x11 is provided in the openwrt build. It was currently not
built because of missing deps.
Other minor changes:
- win32* modules were disabled (avoid err msg, no compile changes)
- Some files were removed in 2.2.x (like gserver.rb). They were already
not packaged but generated a build warning message. Now removed from install.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This is a small ruby release, mainly to fix
CVE-2015-1855: Ruby OpenSSL Hostname Verification
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
For ruby changes since 2.1.x:
https://github.com/ruby/ruby/blob/v2_2_0/NEWS
Relevant changes for OpenWRT:
* all patches for ruby-core were merged upstream and
they are not needed anymore (only the rdoc patch remains)
- PR for the rdoc github project was added to the patch header
(https://github.com/rdoc/rdoc/pull/340)
* new package ruby-powerassert for introduced new bundled gem power_assert
* new package ruby-unicodenormalize for Unicode normalization files
* removed ruby-dl as DL was removed after being deprecated
* ruby-{minitest,testunit} were removed from the ruby library. Now they
are bundled gems
* test and sample files were removed from gems in order to save resources
and reduce pkgs dependencies
* script ruby_find_pkgsdeps was updated to match upstream changes
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Ruby 2.1.5 has been released.
This release includes a security fix for a DoS vulnerability of REXML.
It is similar to the fixed vulnerability in the previous release, but
new and different from it.
CVE-2014-8090: Another Denial of Service XML Expansion
And, some bug fixes are also included. See tickets and ChangeLog for details.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes security fixes for the following vulnerabilities:
* CVE-2014-8080: Denial of Service XML Expansion
* Changed default settings of ext/openssl related to CVE-2014-3566
And there are some bug-fixes.
Ref: https://www.ruby-lang.org/en/news/2014/10/27/ruby-2-1-4-released/
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
ruby-core is problematic as it is too big.
It is impossible to fix pkgs dependencies as
ruby-core would generate multiple cycled dependencies
between packages.
Also, "core" in ruby context means "classes that do not need a 'require'".
This is not the case for ruby-core classes. They are, actually, a subset of
the Ruby Standard Library.
In every detected case where a portion of ruby-core could be isolated to
save other pkgs from requiring all of ruby-core, it was spun off into a new
subset. Also, big portions of ruby-core not required by current ruby-* pkgs
were spun off into new pkgs. The remainder of ruby-core was put into a new ruby-misc.
ruby-stdlib was created as a meta package that requires all ruby packages that are
part of Ruby Standard Library. For a full Ruby Standard Library, just install
ruby-stdlib and its deps.
Created pkgs from ruby-stdlib:
- ruby-misc
- ruby-csv
- ruby-datetime
- ruby-dbm
- ruby-debuglib
- ruby-drb
- ruby-fiddle
- ruby-filelib
- ruby-logger
- ruby-math
- ruby-multithread
- ruby-mkmf
- ruby-net
- ruby-optparse
- ruby-patterns
- ruby-prettyprint
- ruby-pstore
- ruby-racc
- ruby-rbconfig
- ruby-rinda
- ruby-ripper
- ruby-sdbm
- ruby-shell
- ruby-socket
- ruby-uri
Some files from ruby-openssl were moved to new subpkgs (as ruby-net and ruby-drb).
All dependencies were redefined based on the auxiliary script ruby_find_pkgsdeps
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Some files that belong to other subpkgs were still in
ruby-core. Just moved them to the correct place.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
The Ruby encoding library was too big and brought unnecessary encodings for simple ruby usage.
All encodings not directly required by stdlib were moved to ruby-enc-extra.
Created pkg from ruby-enc:
- ruby-enc-extra (from ruby-enc)
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
ruby_find_pkgsdeps: look for file dependencies (checks
require and Encoding references) and extrapolate it to pkgs
deps. Also checks whether a dep is redundant or missing in pkgs.
Must run inside an OpenWRT with all ruby* pkgs installed.
ruby_missingfiles: list files in staging/target and from files,
comparing their contents side by side. It helps to easily visualize
which file is not packaged in an ipk.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Digest can use OpenSSL or ruby's internal implementation of hash functions. The first
uses less disk space but requires openssl, which is relatively big. As the internal hash
implementations are not much bigger than the openssl version, they are compiled by
default. A new config option can change it to use OpenSSL instead.
As digest is independent from openssl, ruby-digest was created as a new pkg.
Adds pkgs:
- ruby-digest (from ruby-openssl)
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Some ruby gems were still in the ruby-core pkg. These files were
moved outside ruby-core into ruby-gems or their own subpkg.
ruby-unit renamed to ruby-testunit as its gem is named test-unit.
ruby-rdoc left a file in ruby-core.
Psych is a gem and deserves its own subpkg. It replaces syck
(used by yaml) on recent ruby version (ref:
https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/36786)
Also, some psych files were packed incorrectly into ruby-json. The asterisk
in */json was intended to match <arch>/json/ and not psych/json.
Files were derived
from ruby-core and a lost file in ruby-json.
New subpkgs:
- ruby-bigdecimal
- ruby-io-console
- ruby-minitest
- ruby-psych
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
ext/digest/rmd160 was referencing a function that never existed in openssl.
The name was simply mistyped. Now it can use openssl.
openssl was always linked to ext/digest when the library was available,
even when it was disabled by the configure option and not used by code.
upstream refs: https://bugs.ruby-lang.org/issues/10252
upstream refs: https://bugs.ruby-lang.org/issues/10324
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>