-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 14 Nov 2017 11:06:39 -0200
Source: ruby2.3
Binary: ruby2.3 libruby2.3 ruby2.3-dev ruby2.3-doc ruby2.3-tcltk
Architecture: source
Version: 2.3.5-1
Distribution: unstable
Urgency: medium
Maintainer: Antonio Terceiro <terce...@debian.org>
Changed-By: Antonio Terceiro <terce...@debian.org>
Description:
 libruby2.3 - Libraries necessary to run Ruby 2.3
 ruby2.3 - Interpreter of object-oriented scripting language Ruby
 ruby2.3-dev - Header files for compiling extension modules for the Ruby 2.3
 ruby2.3-doc - Documentation for Ruby 2.3
 ruby2.3-tcltk - Ruby/Tk for Ruby 2.3
Closes: 842432 853648 864860 873802 873906 875928 875931 875936 879231
Changes:
 ruby2.3 (2.3.5-1) unstable; urgency=medium
 .
   * New upstream release.
     - Includes fix for building with GCC 7 (Closes: #853648)
     - Included security fixes
       - Buffer underrun vulnerability in OpenSSL ASN1 decode [CVE-2017-14033]
         (Closes: #875928)
       - Escape sequence injection vulnerability in the Basic authentication of
         WEBrick [CVE-2017-10784] (Closes: #875931)
       - Buffer underrun vulnerability in Kernel.sprintf [CVE-2017-0898]
         (Closes: #875936)
       - Multiple security vulnerabilities in Rubygems (Closes: #873802)
         - DNS request hijacking vulnerability. Discovered by Jonathan Claudius,
           fix by Samuel Giddins. [CVE-2017-0902]
         - ANSI escape sequence vulnerability. Discovered by Yusuke Endoh, fix
           by Evan Phoenix. [CVE-2017-0899]
         - DOS vulnerability in the query command. Discovered by Yusuke Endoh,
           fix by Samuel Giddins. [CVE-2017-0900]
         - Vulnerability in the gem installer that allowed a malicious gem to
           overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel
           Giddins. [CVE-2017-0901]
       - Arbitrary heap exposure problem in the JSON library [CVE-2017-14064]
         (Closes: #873906)
       - SMTP comment injection [CVE-2015-9096] (Closes: #864860)
       - IV Reuse in GCM Mode in the OpenSSL bindings [CVE-2016-7798]
         (Closes: #842432)
   * Whitelist classes and symbols that are in Gem spec YAML [CVE-2017-0903]
     (Closes: #879231)
     Original patch by Aaron Patterson; backported from the standalone Rubygems
     package
   * Convert packaging from using a plain git history to using gbp-pq, thus
     making debian individual patches explicitly present in debian/patches
   * Refresh debian/libruby2.3.symbols. There are some removed symbols, but
     they are never exposed in a header file so there should be no packages
     using them.