| Age | Commit message | Author | Files | Lines |
|
lang/ruby30-base: security fix
Revisions pulled up:
- lang/ruby/rubyversion.mk 1.234-1.235
- lang/ruby30-base/PLIST 1.3
- lang/ruby30-base/distinfo 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Jul 7 16:10:01 UTC 2021
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby30-base: PLIST distinfo
Log Message:
lang/ruby30-base: update to 3.0.2
Ruby 3.0.2 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
See the commit logs for details:
<https://github.com/ruby/ruby/compare/v3_0_1...v3_0_2>.
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Jul 7 16:11:57 UTC 2021
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
Log Message:
lang/ruby: make sure to update ruby30's version
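The first bullet in the 3.0.2 entry above (CVE-2021-31810) concerns Net::FTP accepting the host address a server announces in its PASV reply. The following is an added example, not code from this commit log or from Ruby's Net::FTP, illustrating the principle behind that class of fix with a hypothetical parser: the address in the server's reply is treated as untrusted and the data connection is pinned to the control connection's peer. The sample replies and IP addresses are constructed for the example.

```ruby
# Hypothetical PASV reply handling, written for this example. Not Net::FTP code.
# A PASV reply looks like "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)":
# four host octets followed by two port bytes (port = p1 * 256 + p2).
PASV_RE = /\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Extract host and port exactly as announced by the server.
# This is the trusting behaviour: a malicious or spoofed server can point the
# client's data connection at any host it likes (e.g. an internal address).
def parse_pasv_trusting(reply)
  m = PASV_RE.match(reply)
  raise ArgumentError, "malformed PASV reply: #{reply.inspect}" unless m
  octets = m.captures[0, 4].map(&:to_i)
  raise ArgumentError, "bad host octet in PASV reply" unless octets.all? { |o| o <= 255 }
  port = m[5].to_i * 256 + m[6].to_i
  raise ArgumentError, "bad port in PASV reply: #{port}" unless (1..65_535).cover?(port)
  [octets.join("."), port]
end

# Hardened behaviour: take only the port from the reply and connect back to
# the peer the control connection was established with. The announced host
# is returned separately so a caller can log a mismatch, but it is never
# used as the data-connection target.
def parse_pasv_pinned(reply, control_peer)
  announced_host, port = parse_pasv_trusting(reply)
  mismatch = announced_host != control_peer
  { host: control_peer, port: port, announced: announced_host, mismatch: mismatch }
end

# Constructed sample replies (not taken from the page).
SAMPLE_OK      = "227 Entering Passive Mode (198,51,100,7,4,1)".freeze
SAMPLE_SPOOFED = "227 Entering Passive Mode (10,0,0,9,0,22)".freeze
CONTROL_PEER   = "198.51.100.7".freeze

if __FILE__ == $PROGRAM_NAME
  p parse_pasv_trusting(SAMPLE_SPOOFED)            # => ["10.0.0.9", 22]  (attacker-chosen)
  p parse_pasv_pinned(SAMPLE_SPOOFED, CONTROL_PEER) # host stays 198.51.100.7, mismatch: true
end
```

The hardened variant still rejects malformed replies and out-of-range ports, so the trusting parser's validation is reused rather than duplicated; only the choice of target host changes.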
|
|
lang/ruby27-base: security fix
Revisions pulled up:
- lang/ruby/rubyversion.mk 1.233
- lang/ruby27-base/distinfo 1.5
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Jul 7 15:23:08 UTC 2021
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby27-base: distinfo
Log Message:
lang/ruby27-base: update to 2.7.4
Ruby 2.7.4 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
See the commit logs for details:
<https://github.com/ruby/ruby/compare/v2_7_3...v2_7_4>.
|
|
lang/ruby26: security fix
Revisions pulled up:
- lang/ruby/rubyversion.mk 1.232
- lang/ruby26-base/distinfo 1.11
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Jul 7 15:15:19 UTC 2021
Modified Files:
pkgsrc/lang/ruby: rubyversion.mk
pkgsrc/lang/ruby26-base: distinfo
Log Message:
lang/ruby26-base: update to 2.6.8
Ruby 2.6.8 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
We ordinarily do not fix Ruby 2.6 except for security fixes, but this
release also includes fixes for some regressions and build problems.
See the commit logs for details.
Ruby 2.6 is now under the state of the security maintenance phase,
until the end of March of 2022. After that date, maintenance of Ruby
2.6 will be ended. We recommend you start planning the migration to
newer versions of Ruby, such as 3.0 or 2.7.
|
|
Require proper quote for previous addition to MAKEFLAGS.
|
|
Ruby 3.0.1 Released (2021-04-05)
Ruby 3.0.1 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-28965: XML round-trip vulnerability in REXML
* CVE-2021-28966: Path traversal in Tempfile on Windows
See the commit logs for details.
|
|
Ruby 2.7.3 Released (2021-04-05)
This release includes security fixes. Please check the topics below for
details.
* CVE-2021-28965: XML round-trip vulnerability in REXML
* CVE-2021-28966: Path traversal in Tempfile on Windows
See the commit logs for details.
|
|
Ruby 2.6.7 Released (2021-04-05)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in
WEBrick
* CVE-2021-28965: XML round-trip vulnerability in REXML
See the commit logs for details.
By this release, we end the normal maintenance phase of Ruby 2.6, and Ruby
2.6 enters the security maintenance phase. This means that we will no
longer backport any bug fixes to Ruby 2.6 except security fixes. The term
of the security maintenance phase is scheduled for a year. Ruby 2.6 reaches
EOL and its official support ends by the end of the security maintenance
phase. Therefore, we recommend that you start to plan upgrade to Ruby 2.7
or 3.0.
|
|
Pass RUBY_RAILS_ACCEPTED to MAKEFLAGS unless it is empty.
|
|
* Move PRINT_PLIST_AWK for ${RUBY_SUFFIX} from gem.mk to rubyversion.mk.
It was previously committed in gem.mk.
* Add support for ${RUBY_SUFFIX} to the online manual.
|
|
Update versions for Ruby 2.7.2; it should be committed along with the update
to Ruby 2.7.2. Noted by Ryo ONODERA.
|
|
Drop support of ruby24 (Ruby 2.4).
|
|
Update ruby24-base (and ruby24) to 2.4.10.
This release includes a security fix. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
Ruby 2.4 is now under the state of the security maintenance phase, until the
end of March of 2020. After that date, maintenance of Ruby 2.4 will be
ended. Thus, this release would be the last of Ruby 2.4 series. We
recommend you immediately upgrade Ruby to newer versions, such as 2.7 or 2.6
or 2.5.
|
|
Update ruby25-base (and ruby25) to 2.5.8.
2.5.8 (2020-03-31)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
* CVE-2020-10933: Heap exposure vulnerability in the socket library
|
|
Update ruby27-base (and ruby27) to 2.7.1.
2.7.1 (2020-03-31)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
* CVE-2020-10933: Heap exposure vulnerability in the socket library
|
|
Update ruby26-base (and ruby26 related packages) to 2.6.6.
2.6.6 (2020-03-31)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional
fix)
* CVE-2020-10933: Heap exposure vulnerability in the socket library
|
|
* Drop support for Ruby 2.2.
* Update document in comment for Ruby 2.7.
|
|
Add support for Ruby 2.7.
|
|
Add RUBY_VERSIONS_INCOMPATIBLE document in comment.
|
|
Change default version of Ruby from 2.4.x to 2.6.x.
* Ruby 2.7 will be released within this year.
* Ruby 2.6.x is stable enough and actively maintained.
* Ruby 2.5.x will be in security maintenance phase after
release of Ruby 2.7.
* Ruby 2.4.x will be EOL after 31st March 2020.
|
|
pkglint -Wall -F --only aligned --only indent -r
No manual corrections.
|
|
Replace RUBY_BUILD_RDOC and RUBY_BUILD_RI with RUBY_BUILD_DOCUMENT, since
rdoc's --no-rdoc and --no-ri options were deprecated almost 8 years ago
and replaced with the --no-document option.
No package should be changed.
|
|
Update ruby26-base and ruby26 packages to 2.6.5
pkgsrc changes
* fix warnings of pkglint.
Quote from release announcement:
Ruby 2.6.5 (2019-10-01)
This release includes security fixes. Please check the topics below for
details.
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick's Digest access authentication
|
|
Update ruby25-base, ruby25 and ruby25-mode packages to 2.5.7.
pkgsrc changes
* fix warnings of pkglint.
Quote from release announcement:
Ruby 2.5.7 (2019-10-01)
This release includes security fixes as listed below. Please check the
topics below for details.
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick's Digest access authentication
|
|
Update ruby24-base and related packages to 2.4.9.
pkgsrc changes
* fix warnings of pkglint.
Quote from release announcement:
Ruby 2.4.8 (2019-10-01)
This release includes security fixes. Please check the topics below for
details.
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick's Digest access authentication
Ruby 2.4.9 (2019-10-02)
This release is a re-package of 2.4.8 because the previous Ruby 2.4.8
release tarball does not install. (See [Bug #16197] for details.) There are no
essential changes except the version numbers between 2.4.8 and 2.4.9.
Ruby 2.4 is now under the state of the security maintenance phase, until the
end of March of 2020. After that date, maintenance of Ruby 2.4 will be
ended. We recommend you start planning the migration to newer versions of
Ruby, such as 2.6 or 2.5.
|
|
Update lang/ruby26-base and lang/ruby26 to 2.6.4.
Ruby 2.6.4 (2019-08-28)
Ruby 2.6.4 has been released.
This release includes a security fix of rdoc. Please check the topics below
for details.
* Multiple jQuery vulnerabilities in RDoc
See the commit logs for changes in detail.
|
|
Update ruby25-base/ruby25 to 2.5.6.
Ruby 2.5.6 (2019-08-28)
Ruby 2.5.6 has been released.
This release includes about 40 bug fixes after the previous release, and also includes a security fix. Please check the topics below for details.
* Multiple jQuery vulnerabilities in RDoc
See the commit log for details.
|
|
2.4.7 (2019-08-28)
Ruby 2.4.7 has been released.
This release includes a security fix. Please check the topics below for
details.
* Multiple jQuery vulnerabilities in RDoc
Ruby 2.4 is now under the state of the security maintenance phase, until
the end of March of 2020. After that date, maintenance of Ruby 2.4 will be
ended. We recommend you start planning the migration to newer versions of
Ruby, such as 2.6 or 2.5.
|
|
Update ruby26{,-base} to 2.6.3. Here is the release announcement:
Ruby 2.6.3 Released
Posted by naruse on 17 Apr 2019
Ruby 2.6.3 has been released.
This release adds support for New Japanese Era “令和” (Reiwa). It updates
the Unicode version to 12.1 beta (#15195), and updates date library (#15742).
This release also includes some bug fixes. See the commit logs for details.
|
|
Remove support for ruby23.
|
|
* Vulnerabilities of RubyGems were already fixed in 2.4.5nb1.
Ruby 2.4.6 Released 1 Apr 2019
Ruby 2.4.6 has been released.
This release includes about 20 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* Multiple vulnerabilities in RubyGems
See the commit log for details.
After this release, we will end the normal maintenance phase of Ruby 2.4, and
start the security maintenance phase of it. This means that after the release
of 2.4.6 we will never backport any bug fixes to 2.4 except security fixes.
The term of the security maintenance phase is scheduled for 1 year. By the
end of this term, official support of Ruby 2.4 will be over. Therefore, we
recommend that you start planning to upgrade to Ruby 2.6 or 2.5.
|
|
Update ruby26{,-base} to 2.6.2.
Quote from release announcement:
Ruby 2.6.2 (2019-03-13)
This release includes bug fixes and a security update of the bundled
RubyGems.
See details in Multiple vulnerabilities in RubyGems and the commit logs.
|
|
Update ruby25{,-base} to 2.5.5.
Quote from release announcement:
Ruby 2.5.4 (2019-03-13)
This release includes bug fixes and a security update of the bundled
RubyGems. See details in Multiple vulnerabilities in RubyGems and the commit
logs.
Ruby 2.5.5 (2019-03-15)
This release includes a bug fix for the deadlock in the
multi-thread+multi-process (using Process.fork) applications (ex: puma).
|
|
* Add support for Ruby 2.6 with release 2.6.1.
|
|
Remove "22" from RUBY_VERSIONS_ACCEPTED. Now the Ruby 2.2 based packages would
be lang/ruby22, devel/ruby-redmine and related packages.
|
|
Ruby 2.3.8 Released
Ruby 2.3.8 has been released. This release includes several security
fixes. Please check the topics below for details.
* CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work
correctly
This release also includes a non-security fix to support Visual Studio 2014
with Windows 10 October 2018 Update for maintenance reasons.
Ruby 2.3 is now under the state of the security maintenance phase,
until the end of March 2019. After that date, maintenance of
Ruby 2.3 will be ended. We recommend you start planning migration to
newer versions of Ruby, such as 2.5 or 2.4.
|
|
Ruby 2.5.2 Released
Ruby 2.5.2 has been released.
This release includes some bug fixes and some security fixes.
* CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
There are also some bug fixes. See commit logs for more details.
Ruby 2.5.3 Released
Ruby 2.5.3 has been released.
There were some missing files in the release packages of 2.5.2 which are
necessary for building. See details in [Bug #15232].
This release is just for fixing the packaging issue. This release doesn’t
contain any additional bug fixes from 2.5.2.
|
|
Ruby 2.4.5 Released
Ruby 2.4.5 has been released.
This release includes about 40 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
See the commit logs for details.
|
|
Ruby 2.2.10 Released Posted by usa on 28 Mar 2018
Ruby 2.2.10 has been released. This release includes several security
fixes. Please check the topics below for details.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
Ruby 2.2 is under the state of the security maintenance phase, until the end
of March 2018. After that date, maintenance of Ruby 2.2 will be ended.
So, this release is expected to be the last release of Ruby 2.2. We will
never make a new release of Ruby 2.2 unless Ruby 2.2.10 has a serious
regression bug. We recommend migrating to newer versions of Ruby, such as
2.5.
|
|
Ruby 2.3.7 Released Posted by usa on 28 Mar 2018
Ruby 2.3.7 has been released.
This release includes about 70 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
See the ChangeLog for details.
After this release, we will end the normal maintenance phase of Ruby 2.3, and
start the security maintenance phase of it. This means that after the release
of 2.3.7 we will never backport any bug fixes to 2.3 except security fixes.
The term of the security maintenance phase is scheduled for 1 year. By the
end of this term, official support of Ruby 2.3 will be over. Therefore, we
recommend that you start planning to upgrade to Ruby 2.5 or 2.4.
|
|
Ruby 2.5.1 Released Posted by naruse on 28 Mar 2018
Ruby 2.5.1 has been released.
This release includes some bug fixes and some security fixes.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
There are also some bug fixes. See commit logs for more details.
|
|
Ruby 2.4.4 Released Posted by nagachika on 28 Mar 2018
Ruby 2.4.4 has been released.
This release includes some bug fixes and some security fixes.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
There are also some bug fixes. See commit logs for more details.
|
|
Switch default version of Ruby to 2.4 from 2.3.
Ruby 2.4 supports OpenSSL 1.1.0 and is the most stable release currently.
|
|
Remove RUBY_GEMS_VERSION, which is referenced only by the unused variables
_RUBYGEMS_MAJOR and _RUBYGEMS_MINOR.
|
|
Ruby 2.2.9 Released
Posted by usa on 14 Dec 2017
Ruby 2.2.9 has been released. This release includes several security
fixes. Please check the topics below for details.
* CVE-2017-17405: Command injection vulnerability in Net::FTP
* Unsafe Object Deserialization Vulnerability in RubyGems
Ruby 2.2 is now under the state of the security maintenance phase, until the
end of March 2018. After that date, maintenance of Ruby 2.2 will be
ended. We recommend you start planning migration to newer versions of Ruby,
such as 2.4 or 2.3.
|
|
Update ruby24-base/ruby24 to 2.4.3.
Ruby 2.4.3 Released
Posted by nagachika on 14 Dec 2017
Ruby 2.4.3 has been released.
This release includes some bug fixes and a security fix.
* CVE-2017-17405: Command injection vulnerability in Net::FTP
There are also some bug fixes. See commit logs for more details.
|
|
Update ruby23-base/ruby23 to 2.3.6.
Ruby 2.3.6 has been released.
This release includes about 10 bug fixes after the previous release,
and also includes several security fixes. Please check the topics
below for details.
* CVE-2017-17405: Command injection vulnerability in Net::FTP
* Unsafe Object Deserialization Vulnerability in RubyGems
See the ChangeLog for details.
|