File ruby2.5.changes of Package ruby2.5.SUSE_SLE-15_Update

Overview Repositories Revisions Requests Users Attributes Meta

File ruby2.5.changes of Package ruby2.5.SUSE_SLE-15_Update

-------------------------------------------------------------------
Fri Oct 18 13:50:56 UTC 2024 - Steven Baker <steven.baker@suse.com>

- backport REXML from 3.3
  - fix denial of service when parsing a XML that has many deep
    elements with the same local name attributes
    (boo#1229673 CVE-2024-43398)
  - fix denial of service when parsing an XML that contains many
    specific characters such as whitespaces, >] and ]>
    (boo#1228794 CVE-2024-41123)
  - fix denial of service when parsing an XML that has many entity
    expansions with SAX2 or pull parser API
    (boo#1228799 CVE-2024-41946)
  - fix denial of service when parsing an XML that has many left
    angled brackets in an attribute value
    (boo#1224390 CVE-2024-35176)
  - fix ReDoS when parsing an XML that has many specific characters
    (boo#1228072 CVE-2024-39908)

-------------------------------------------------------------------
Fri Oct 20 01:04:41 UTC 2023 - Marcus Rückert <mrueckert@suse.de>

- update suse.patch to 531fb8b2cc
  - fix quadratic behavior in the uri parser (boo#1209891
    CVE-2023-28755)
  - fix expensive regexp in the RFC2822 time parser (boo#1209967
    CVE-2023-28756)
  - backport date 2.0.3 (boo#1193035 CVE-2021-41817)
  - merge CGI 0.1.0.2: (boo#1205726 CVE-2021-33621)
    - When parsing cookies, only decode the values
    -  HTTP response splitting in CGI

-------------------------------------------------------------------
Mon Sep  5 23:14:47 UTC 2022 - Marcus Rückert <mrueckert@suse.de>

- Update suse.patch to 41adc98ad1:
  - Cookie Prefix Spoofing in CGI::Cookie.parse (boo#1193081 CVE-2021-41819)
- add back some lost chunks to the suse.patch

-------------------------------------------------------------------
Wed Apr 20 13:43:45 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>

- Update suse.patch:
  - backport fix for CVE-2022-28739: ruby: Buffer overrun in
    String-to-Float conversion (boo#1198441)
  - back port date 2.0.3 CVE-2021-41817 (boo#1193035)
  - merge the previous bug fixes into suse.patch
    - CVE-2021-32066.patch
    - CVE-2021-31810.patch
    - CVE-2021-31799.patch

-------------------------------------------------------------------
Wed Apr 20 13:43:00 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>

- Add Requires to make and gcc to ruby-devel to make the default
  extconf.rb work

-------------------------------------------------------------------
Thu Nov 11 09:06:15 UTC 2021 - Ali Abdallah <ali.abdallah@suse.com>

Add patches to fix the following CVE's:

- CVE-2021-32066.patch (CVE-2021-32066): Fix StartTLS stripping
    vulnerability in Net:IMAP (bsc#1188160)
  - CVE-2021-31810.patch (CVE-2021-31810): Fix trusting FTP PASV
    responses vulnerability in  Net:FTP (bsc#1188161)
  - CVE-2021-31799.patch (CVE-2021-31799): Fix Command injection
    vulnerability in RDoc (bsc#1190375)

-------------------------------------------------------------------
Tue Apr 13 11:50:10 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>

- Update to 2.5.9 (boo#1184644) 
  https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-5-9-released/
  - CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability
    in WEBrick
  - CVE-2021-28965: XML round-trip vulnerability in REXML

Complete list of changes at
  https://github.com/ruby/ruby/compare/v2_5_8...v2_5_9
- Update suse.patch:
  Remove fix for CVE-2020-25613 as it is included in the update

-------------------------------------------------------------------
Mon Mar 15 13:30:37 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>

- Update suse.patch: (boo#1177125)
  Backport fix CVE-2020-25613: Potential HTTP Request Smuggling
  Vulnerability in WEBrick

-------------------------------------------------------------------
Fri Oct 16 12:07:56 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

- replace all patches with suse.patch (v2_5_8..2.5-suse) 
  (we keep remove-unneeded-files.patch as it can not be done in our
  backports branch)
- backport patch to enable optimizations also on ARM64
  (boo#1177222)

-------------------------------------------------------------------
Tue Apr 28 17:54:54 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

- make sure that update-alternative weight for the default
  distribution is always greater than our normal weight

-------------------------------------------------------------------
Tue Apr 28 17:24:49 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

- make the update-alternative weight based on the ruby version

-------------------------------------------------------------------
Tue Apr  7 23:03:15 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

- Update to 2.5.8 (boo#1167244 boo#1168938)
  - CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON
    (Additional fix)
  - CVE-2020-10933: Heap exposure vulnerability in the socket
    library

https://github.com/ruby/ruby/compare/v2_5_7...v2_5_8
- drop CVE-2020-8130.patch and rake-12.3.0.gem: included upstream

-------------------------------------------------------------------
Fri Mar  6 14:40:34 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

- Fix CVE-2020-8130 (boo# 1164804) for the intree copy of rake:
  - add CVE-2020-8130.patch and rake-12.3.0.gem

-------------------------------------------------------------------
Thu Feb  6 12:35:53 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

- remove test files which are not needed at runtime (boo#1162396)
  - adds remove-unneeded-files.patch and did_you_mean-1.2.0.gem

-------------------------------------------------------------------
Tue Oct  8 09:40:27 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.5.7
  - https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/
    - CVE-2019-16255: A code injection vulnerability of Shell#[]
      and Shell#test (boo#1152990)
    - CVE-2019-16254: HTTP response splitting in WEBrick
      (Additional fix) (boo#1152992)
    - CVE-2019-15845: A NUL injection vulnerability of File.fnmatch
      and File.fnmatch? (boo#1152994)
    - CVE-2019-16201: Regular Expression Denial of Service
      vulnerability of WEBrick’s Digest access authentication
      (boo#1152995)
  - https://www.ruby-lang.org/en/news/2019/08/28/ruby-2-5-6-released/
    - Multiple jQuery vulnerabilities in RDoc (CVE-2012-6708
      CVE-2015-9251)

-------------------------------------------------------------------
Tue Jul  9 14:16:36 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- fix running tests (boo#1140844)
  just passing the DISABLED_TESTS variable is wrong. probably a
  relict from calling the test scripts directly. use TESTOPTS now.

-------------------------------------------------------------------
Thu Jun 13 17:52:21 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- refreshed patches with new patch series:
  0001-make-gem-build-reproducible.patch
  0002-gc.c-tick-for-POWER-arch.patch
  0003-Mark-Gemspec-reproducible-change-fixing-784225-too.patch
  0004-Make-gemspecs-reproducible.patch
- rename patch now that it is generated from git:
  old: 450160263aed8c446ce5b142d71f921ab4118f3a.patch
  new: 0005-Include-the-alternative-malloc-header-instead-of-mal.patch
  old: use-pie.patch
  new: 0006-Use-PIE-for-the-binaries.patch
- ruby: change over of the Japanese Era to the new emperor May
  1st 2019 (boo#1133790)
  0007-date-support-for-Reiwa-new-Japanese-era.patch

-------------------------------------------------------------------
Wed Mar 27 17:14:26 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- for some reason the --enable-pie option does not work as
  expected. Fix this for now with a patch that just injects the
  -pie flag in the Makefile (adds use-pie.patch) (boo#1130028)

-------------------------------------------------------------------
Fri Mar 15 15:32:02 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.5.5
  https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/
  - CVE-2019-8320: Delete directory using symlink when
    decompressing tar (boo#1130627)
  - CVE-2019-8321: Escape sequence injection vulnerability in
    verbose  (boo#1130623)
  - CVE-2019-8322: Escape sequence injection vulnerability in gem
    owner  (boo#1130622)
  - CVE-2019-8323: Escape sequence injection vulnerability in API
    response handling  (boo#1130620)
  - CVE-2019-8324: Installing a malicious gem may lead to arbitrary
    code execution  (boo#1130617)
  - CVE-2019-8325: Escape sequence injection vulnerability in
    errors  (boo#1130611)
  https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/

-------------------------------------------------------------------
Thu Feb  7 23:49:28 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>

- replace the awk based provides generation with the new file-attr
  handler in ruby-bundled-gems-rpmhelper

This kills one provides rubygem-name = version

But this should not have be used since a while anymore.

- add option to build without docs for testing
- provide support to undo the split of the stdlib:
  pass --without=separate_stdlib to "osc build"

-------------------------------------------------------------------
Fri Nov 23 09:13:31 UTC 2018 - Martin Liška <mliska@suse.cz>

- Use parallel make.

-------------------------------------------------------------------
Thu Nov 22 13:15:47 UTC 2018 - Martin Liška <mliska@suse.cz>

- Disable compressed sections as they are not supported by rpm
  (https://bugs.ruby-lang.org/issues/12934).

-------------------------------------------------------------------
Wed Nov  7 13:20:47 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.5.3
  This release includes some bug fixes and some security fixes.

- CVE-2018-16396: Tainted flags are not propagated in Array#pack
    and String#unpack with some directives (boo#1112532)
  - CVE-2018-16395: OpenSSL::X509::Name equality check does not
    work correctly (boo#1112530)

https://github.com/ruby/ruby/compare/v2_5_1...v2_5_3
- drop frozen-pop3.patch

-------------------------------------------------------------------
Tue Oct 16 21:50:33 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>

- backport 450160263aed8c446ce5b142d71f921ab4118f3a.patch:
  Include the alternative malloc header instead of malloc.h

-------------------------------------------------------------------
Tue Aug 28 00:29:19 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>

- update to 2.5.1
  This release includes some bug fixes and some security fixes.

- CVE-2017-17742: HTTP response splitting in WEBrick
    (boo#1087434)
  - CVE-2018-6914: Unintentional file and directory creation with
    directory traversal in tempfile and tmpdir (boo#1087441)
  - CVE-2018-8777: DoS by large request in WEBrick (boo#1087436)
  - CVE-2018-8778: Buffer under-read in String#unpack (boo#1087433)
  - CVE-2018-8779: Unintentional socket creation by poisoned NUL
    byte in UNIXServer and UNIXSocket (boo#1087440)
  - CVE-2018-8780: Unintentional directory traversal by poisoned
    NUL byte in Dir (boo#1087437)
  - Multiple vulnerabilities in RubyGems
    CVE-2018-1000079 (boo#1082058)
    CVE-2018-1000075 (boo#1082014)
    CVE-2018-1000078 (boo#1082011)
    CVE-2018-1000077 (boo#1082010)
    CVE-2018-1000076 (boo#1082009)
    CVE-2018-1000074 (boo#1082008)
    CVE-2018-1000073 (boo#1082007)

https://github.com/ruby/ruby/compare/v2_5_0...v2_5_1

-------------------------------------------------------------------
Tue Aug 28 00:28:27 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>

- added frozen-pop3.patch:
  Net::POPMail methods modify frozen literal when using default arg
  https://redmine.ruby-lang.org/issues/14416

-------------------------------------------------------------------
Thu Mar 22 15:50:06 UTC 2018 - mrueckert@suse.de

- wrong files where installed from the macro files after adding
  dump-version.rb

-------------------------------------------------------------------
Thu Jan 25 15:30:42 UTC 2018 - mrueckert@suse.de

- fix dump-versions.rb: it was picking up system rdoc versions on
  some source dirs

-------------------------------------------------------------------
Mon Jan 15 14:38:17 UTC 2018 - mrueckert@suse.de

- add reproducible build patches from debian
  0003-Mark-Gemspec-reproducible-change-fixing-784225-too.patch
  0004-Make-gemspecs-reproducible.patch

-------------------------------------------------------------------
Mon Dec 25 16:08:47 UTC 2017 - mrueckert@suse.de

- drop 316f58076d29dcff053256992d9ec19fed7e698f.patch
- no longer bundling bundler

-------------------------------------------------------------------
Mon Dec 25 15:57:38 UTC 2017 - mrueckert@suse.de

- update to 2.5.0 final
  Ruby 2.5.0 is the first stable release of the Ruby 2.5 series. It
  introduces many new features and performance improvements. The
  notable changes are as follows:

- New Features
    - rescue/else/ensure are now allowed to be used directly with
      do/end blocks. [Feature #12906]
    - Add yield_self to yield given block in its context. Unlike
      tap, it returns the result of the block. [Feature #6721]
    - Support branch coverage and method coverage measurement. The
      branch coverage indicates which branches are executed and
      which are not. The method coverage indicates which methods
      are invoked and which are not. By running the test suite with
      these new features, you will know which branches and methods
      are executed, and evaluate total coverage of the test suite
      more strictly. [Feature #13901]
    - Hash#slice [Feature #8499] and Hash#transform_keys [Feature
      #13583]
    - Struct.new can create classes that accept keyword arguments.
      [Feature #11925]
    - Enumerable#any?,all?,none? and one? accept a pattern argument
      [Feature #11286]
    - Top-level constant look-up is no longer available. [Feature
      #11547]
    - One of our most loved libraries, pp.rb, is now automatically
      loaded. You no longer have to write require "pp". [Feature
      #14123]
    - Print backtrace and error message in reverse order (oldest
      call first, most recent call last). When a long backtrace
      appears on your terminal (TTY), you can easily find the cause
      line at the bottom of the backtrace. Note that the order is
      reversed only when backtrace is printed out to the terminal
      directly. [Feature #8661] [experimental]
  - Performance improvements
    - About 5-10% performance improvement by removing all trace
      instructions from overall bytecode (instruction sequences).
      The trace instruction was added to support the TracePoint.
      However, in most cases, TracePoint is not used and trace
      instructions are pure overhead. Instead, now we use a dynamic
      instrumentation technique. See [Feature #14104] for more
      details.
    - Block passing by a block parameter (e.g. def foo(&b);
      bar(&b); end) is about 3 times faster than Ruby 2.4 by “Lazy
      Proc allocation” technique. [Feature #14045]
    - Mutex is rewritten to be smaller and faster. [Feature #13517]
    - ERB now generates code from a template which runs twice as
      fast as Ruby 2.4.
    - Improve performance of some built-in methods including
      Array#concat, Enumerable#sort_by, String#concat,
      String#index, Time#+ and more.
    - IO.copy_stream uses copy_file_range(2) to copy offload
      [Feature #13867]
  - Other notable changes since 2.4
    - SecureRandom now prefers OS-provided sources over OpenSSL.
      [Bug #9569]
    - Promote cmath, csv, date, dbm, etc, fcntl, fiddle, fileutils,
      gdbm, ipaddr, scanf, sdbm, stringio, strscan, webrick, zlib
      from standard libraries to default gems.
    - Update to Onigmo 6.1.3.
      - It adds the absence operator.
      - Note that Ruby 2.4.1 also includes this change.
    - Update to Psych 3.0.2.
    - Update to RubyGems 2.7.3.
    - Update to RDoc 6.0.1.
      - Switch the lexer from IRB based one to Ripper. This
        dramatically improves the performance of document
        generation.
      - Fix a significant amount of bugs that existed over ten
        years.
      - Add support for new Ruby syntax from the latest versions.
    - Update supported Unicode version to 10.0.0.
    - Thread.report_on_exception is now set to true by default.
      This change helps debugging of multi-threaded programs.
      [Feature #14143]
    - IO#write now receives multiple arguments [Feature #9323] For
      details see: https://github.com/ruby/ruby/blob/v2_5_0/NEWS
      https://github.com/ruby/ruby/compare/v2_4_0...v2_5_0

-------------------------------------------------------------------
Tue Dec 19 15:10:34 UTC 2017 - mrueckert@suse.de

- switch to https urls

-------------------------------------------------------------------
Mon Dec 18 15:13:28 UTC 2017 - mrueckert@suse.de

- update to 2.5.0~rc1
  https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-5-0-rc1-released/
- added 316f58076d29dcff053256992d9ec19fed7e698f.patch
  to fix building rbtrace and ruby-prof

-------------------------------------------------------------------
Mon Nov 20 11:01:40 UTC 2017 - mrueckert@suse.de

- disable jemalloc again because of: (boo#1068883)
  https://github.com/jemalloc/jemalloc/issues/937

-------------------------------------------------------------------
Fri Nov 17 11:19:29 UTC 2017 - mrueckert@suse.de

- update to 60813
  see installed /usr/share/doc/packages/ruby2.5/ChangeLog

-------------------------------------------------------------------
Wed Nov 15 11:11:11 UTC 2017 - mrueckert@suse.de

- update to 60739
  see installed /usr/share/doc/packages/ruby2.5/ChangeLog

-------------------------------------------------------------------
Wed Nov 15 11:03:36 UTC 2017 - mrueckert@suse.de

- make the whole u-a handling less error prone by having the list
  in variable ua-binaries

-------------------------------------------------------------------
Thu Nov  9 13:43:41 UTC 2017 - jdelvare@suse.de

- Add conflicts to libruby to make sure ruby and ruby-stdlib are
  also updated when libruby is updated (bsc#1048072.)

-------------------------------------------------------------------
Thu Nov  9 13:25:14 UTC 2017 - mrueckert@suse.de

- exclude all testsuites for the stdlib gems

-------------------------------------------------------------------
Wed Nov  8 15:16:52 UTC 2017 - mrueckert@suse.de

- build jemalloc

-------------------------------------------------------------------
Tue Oct 31 13:42:34 UTC 2017 - mrueckert@suse.de

- update to 60568
  see installed /usr/share/doc/packages/ruby2.5/ChangeLog
  - this fixes the "ruby -rubygems" on 2.5

-------------------------------------------------------------------
Wed Oct  4 12:40:16 UTC 2017 - mrueckert@suse.de

- update intree gem list
- bundler is now part of core too!

-------------------------------------------------------------------
Wed Oct  4 12:19:18 UTC 2017 - mrueckert@suse.de

- update to r60035:
  see installed /usr/share/doc/packages/ruby2.5/ChangeLog
- revert some of the wrong Group changes
- drop autoreconf -fi and the buildrequires for the related
  packages

-------------------------------------------------------------------
Fri Sep 22 15:37:46 UTC 2017 - mrueckert@suse.de

- make it easier to sync the versions from the gemspec with the
  spec file:
  ruby dump-versions.rb $unpacked_tarball_dir

-------------------------------------------------------------------
Fri Sep 22 14:54:24 UTC 2017 - mrueckert@suse.de

- add conflicts for all intree gems

-------------------------------------------------------------------
Mon Sep 11 15:42:29 UTC 2017 - jengelh@inai.de

- Fix RPM groups. Replace old RPM macros by modern ones.
- Ensure neutrality of descriptions.

-------------------------------------------------------------------
Fri Sep  8 10:14:38 UTC 2017 - mrueckert@suse.de

- update to 59623

-------------------------------------------------------------------
Wed Aug  9 11:02:18 UTC 2017 - mrueckert@suse.de

- fix gem provides
- install macro files with 2.5 version

-------------------------------------------------------------------
Wed Aug  9 09:34:09 UTC 2017 - mrueckert@suse.de

- initial package (Fate#324013)
- port 2 patches we still need from the 2.4 package:
  0001-make-gem-build-reproducible.patch
  0002-gc.c-tick-for-POWER-arch.patch

Places

File ruby2.5.changes of Package ruby2.5.SUSE_SLE-15_Update

Places