diff --git a/.cvsignore b/.cvsignore index 9dd3d12..97c8a0b 100644 --- a/.cvsignore +++ b/.cvsignore @@ -17,3 +17,4 @@ ruby-1.8.6-p36.tar.bz2 ruby-1.8.6-p110.tar.bz2 ruby-1.8.6-p111.tar.bz2 ruby-1.8.6-p114.tar.bz2 +ruby-1.8.6-p230.tar.bz2 diff --git a/ruby-1.8.6.111-CVE-2007-5162.patch b/ruby-1.8.6.111-CVE-2007-5162.patch deleted file mode 100644 index 5ed628d..0000000 --- a/ruby-1.8.6.111-CVE-2007-5162.patch +++ /dev/null @@ -1,97 +0,0 @@ -diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb ---- ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb 2007-10-29 21:10:24.000000000 +0900 -@@ -29,13 +29,23 @@ require 'net/ftp' - - module Net - class FTPTLS < FTP -+ def connect(host, port=FTP_PORT) -+ @hostname = host -+ super -+ end -+ - def login(user = "anonymous", passwd = nil, acct = nil) -+ store = OpenSSL::X509::Store.new -+ store.set_default_paths - ctx = OpenSSL::SSL::SSLContext.new('SSLv23') -+ ctx.cert_store = store -+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER - ctx.key = nil - ctx.cert = nil - voidcmd("AUTH TLS") - @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx) - @sock.connect -+ @sock.post_connection_check(@hostname) - super(user, passwd, acct) - voidcmd("PBSZ 0") - end -diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb ---- ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb 2007-10-29 21:13:03.000000000 +0900 -@@ -134,6 +134,9 @@ module Net - @sock.verify_callback = @options['VerifyCallback'] - @sock.verify_depth = @options['VerifyDepth'] - @sock.connect -+ if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE -+ @sock.post_connection_check(@options['Host']) -+ end - @ssl = true - end - '' -diff -pruN ruby-1.8.6-p111.orig/lib/net/http.rb ruby-1.8.6-p111/lib/net/http.rb ---- ruby-1.8.6-p111.orig/lib/net/http.rb 2007-09-24 17:12:24.000000000 +0900 -+++ ruby-1.8.6-p111/lib/net/http.rb 2007-10-29 21:12:12.000000000 +0900 -@@ -470,7 +470,6 @@ module Net #:nodoc: - @debug_output = nil - @use_ssl = false - @ssl_context = nil -- @enable_post_connection_check = false - end - - def inspect -@@ -527,9 +526,6 @@ module Net #:nodoc: - false # redefined in net/https - end - -- # specify enabling SSL server certificate and hostname checking. -- attr_accessor :enable_post_connection_check -- - # Opens TCP connection and HTTP session. - # - # When this method is called with block, gives a HTTP object -@@ -589,12 +585,7 @@ module Net #:nodoc: - end - s.connect - if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE -- begin -- s.post_connection_check(@address) -- rescue OpenSSL::SSL::SSLError => ex -- raise ex if @enable_post_connection_check -- warn ex.message -- end -+ s.post_connection_check(@address) - end - end - on_connect -diff -pruN ruby-1.8.6-p111.orig/lib/net/imap.rb ruby-1.8.6-p111/lib/net/imap.rb ---- ruby-1.8.6-p111.orig/lib/net/imap.rb 2007-08-22 08:28:09.000000000 +0900 -+++ ruby-1.8.6-p111/lib/net/imap.rb 2007-10-29 21:14:38.000000000 +0900 -@@ -900,6 +900,7 @@ module Net - end - @sock = SSLSocket.new(@sock, context) - @sock.connect # start ssl session. -+ @sock.post_connection_check(@host) if verify - else - @usessl = false - end -diff -pruN ruby-1.8.6-p111.orig/lib/open-uri.rb ruby-1.8.6-p111/lib/open-uri.rb ---- ruby-1.8.6-p111.orig/lib/open-uri.rb 2007-09-24 17:12:24.000000000 +0900 -+++ ruby-1.8.6-p111/lib/open-uri.rb 2007-10-29 21:16:03.000000000 +0900 -@@ -229,7 +229,6 @@ module OpenURI - if target.class == URI::HTTPS - require 'net/https' - http.use_ssl = true -- http.enable_post_connection_check = true - http.verify_mode = OpenSSL::SSL::VERIFY_PEER - store = OpenSSL::X509::Store.new - store.set_default_paths diff --git a/ruby.spec b/ruby.spec index 4d0e325..3d6a2fb 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ %define rubyxver 1.8 %define rubyver 1.8.6 -%define _patchlevel 114 +%define _patchlevel 230 %define dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %define patchlevel %{?_patchlevel:-p%{_patchlevel}} %define arcver %{rubyver}%{?patchlevel} @@ -35,7 +35,6 @@ Patch20: ruby-rubyprefix.patch Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch -Patch24: ruby-1.8.6.111-CVE-2007-5162.patch Patch25: ruby-1.8.6.111-gcc43.patch Summary: An interpreter of object-oriented scripting language @@ -156,7 +155,6 @@ pushd %{name}-%{arcver} %patch22 -p1 %patch23 -p1 %endif -%patch24 -p1 %patch25 -p1 popd @@ -514,6 +512,17 @@ rm -rf tmp-ruby-docs %endif %changelog +* Tue Jun 24 2008 Akira TAGOH - 1.8.6.230-1 +- New upstream release. +- Security fixes. (#452293) + - CVE-2008-1891: WEBrick CGI source disclosure. + - CVE-2008-2662: Integer overflow in rb_str_buf_append(). + - CVE-2008-2663: Integer overflow in rb_ary_store(). + - CVE-2008-2664: Unsafe use of alloca in rb_str_format(). + - CVE-2008-2725: Integer overflow in rb_ary_splice(). + - CVE-2008-2726: Integer overflow in rb_ary_splice(). +- ruby-1.8.6.111-CVE-2007-5162.patch: removed. + * Tue Mar 4 2008 Akira TAGOH - 1.8.6.114-1 - Security fix for CVE-2008-1145. - Improve a spec file. (#226381) diff --git a/sources b/sources index dff6ae6..33ddadd 100644 --- a/sources +++ b/sources @@ -2,4 +2,4 @@ d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz 634c25b14e19925d10af3720d72e8741 rubyfaq-990927.tar.gz 4fcec898f51d8371cc42d0a013940469 rubyfaq-jp-990927.tar.gz -b4d0c74497f684814bcfbb41b7384a71 ruby-1.8.6-p114.tar.bz2 +3eceb42d4fc56398676c20a49ac7e044 ruby-1.8.6-p230.tar.bz2