From 1fcd74d94a59748c92e6753c625ae13985483bef Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 26 2018 09:13:29 +0000 Subject: import rh-ruby24-ruby-2.4.3-90.el7 --- diff --git a/.gitignore b/.gitignore index 269a4ea..036131d 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/ruby-2.4.2.tar.xz +SOURCES/ruby-2.4.3.tar.xz diff --git a/.rh-ruby24-ruby.metadata b/.rh-ruby24-ruby.metadata index 50856a5..37ee9a5 100644 --- a/.rh-ruby24-ruby.metadata +++ b/.rh-ruby24-ruby.metadata @@ -1 +1 @@ -8373e32c63bba2180799da091b572664aa9faf6f SOURCES/ruby-2.4.2.tar.xz +f0a49dddb4e7903a11a80554fd7a317a854cd365 SOURCES/ruby-2.4.3.tar.xz diff --git a/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch b/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch index 3e29d1b..3379869 100644 --- a/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch +++ b/SOURCES/ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch @@ -39,7 +39,7 @@ diff --git a/configure.in b/configure.in index 0e371e2..d4f1dcb 100644 --- a/configure.in +++ b/configure.in -@@ -4563,6 +4563,13 @@ AC_SUBST(rubyarchhdrdir)dnl +@@ -4565,6 +4565,13 @@ AC_SUBST(rubyarchhdrdir)dnl AC_SUBST(sitearchhdrdir)dnl AC_SUBST(vendorarchhdrdir)dnl diff --git a/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch b/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch index bc75f5e..5639c18 100644 --- a/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch +++ b/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch @@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in index 37d9a62..553d4d0 100644 --- a/configure.in +++ b/configure.in -@@ -3823,6 +3823,11 @@ if test ${multiarch+set}; then +@@ -3825,6 +3825,11 @@ if test ${multiarch+set}; then fi archlibdir='${libdir}/${arch}' diff --git a/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch b/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch index 489a1b8..a06d8a7 100644 --- a/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch +++ b/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch @@ -14,7 +14,7 @@ diff --git a/configure.in b/configure.in index db37cd6..ce8d149 100644 --- a/configure.in +++ b/configure.in -@@ -4417,7 +4417,8 @@ AS_CASE(["$ruby_version_dir_name"], +@@ -4419,7 +4419,8 @@ AS_CASE(["$ruby_version_dir_name"], ruby_version_dir=/'${ruby_version_dir_name}' if test -z "${ruby_version_dir_name}"; then diff --git a/SOURCES/ruby-2.1.0-always-use-i386.patch b/SOURCES/ruby-2.1.0-always-use-i386.patch index 238cd66..21265fd 100644 --- a/SOURCES/ruby-2.1.0-always-use-i386.patch +++ b/SOURCES/ruby-2.1.0-always-use-i386.patch @@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in index 553d4d0..03a4152 100644 --- a/configure.in +++ b/configure.in -@@ -4481,6 +4481,8 @@ AC_SUBST(vendorarchdir)dnl +@@ -4483,6 +4483,8 @@ AC_SUBST(vendorarchdir)dnl AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl diff --git a/SOURCES/ruby-2.1.0-custom-rubygems-location.patch b/SOURCES/ruby-2.1.0-custom-rubygems-location.patch index 1905381..3019ad5 100644 --- a/SOURCES/ruby-2.1.0-custom-rubygems-location.patch +++ b/SOURCES/ruby-2.1.0-custom-rubygems-location.patch @@ -15,7 +15,7 @@ diff --git a/configure.in b/configure.in index 03a4152..0e371e2 100644 --- a/configure.in +++ b/configure.in -@@ -4453,6 +4453,10 @@ AC_ARG_WITH(vendorarchdir, +@@ -4455,6 +4455,10 @@ AC_ARG_WITH(vendorarchdir, [vendorarchdir=$withval], [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}]) @@ -26,7 +26,7 @@ index 03a4152..0e371e2 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) RUBY_EXEC_PREFIX='' -@@ -4477,6 +4481,7 @@ AC_SUBST(sitearchdir)dnl +@@ -4479,6 +4483,7 @@ AC_SUBST(sitearchdir)dnl AC_SUBST(vendordir)dnl AC_SUBST(vendorlibdir)dnl AC_SUBST(vendorarchdir)dnl diff --git a/SOURCES/ruby-2.3.0-ruby_version.patch b/SOURCES/ruby-2.3.0-ruby_version.patch index 80be728..1db4c64 100644 --- a/SOURCES/ruby-2.3.0-ruby_version.patch +++ b/SOURCES/ruby-2.3.0-ruby_version.patch @@ -20,7 +20,7 @@ diff --git a/configure.in b/configure.in index db37cd6..6e73fae 100644 --- a/configure.in +++ b/configure.in -@@ -4368,9 +4368,6 @@ AS_CASE(["$target_os"], +@@ -4370,9 +4370,6 @@ AS_CASE(["$target_os"], rubyw_install_name='$(RUBYW_INSTALL_NAME)' ]) @@ -30,7 +30,7 @@ index db37cd6..6e73fae 100644 rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'} AC_ARG_WITH(rubyarchprefix, AS_HELP_STRING([--with-rubyarchprefix=DIR], -@@ -4393,56 +4390,62 @@ AC_ARG_WITH(ridir, +@@ -4395,56 +4392,62 @@ AC_ARG_WITH(ridir, AC_SUBST(ridir) AC_SUBST(RI_BASE_NAME) @@ -120,7 +120,7 @@ index db37cd6..6e73fae 100644 if test "${LOAD_RELATIVE+set}"; then AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) -@@ -4459,6 +4462,7 @@ AC_SUBST(sitearchincludedir)dnl +@@ -4461,6 +4464,7 @@ AC_SUBST(sitearchincludedir)dnl AC_SUBST(arch)dnl AC_SUBST(sitearch)dnl AC_SUBST(ruby_version)dnl diff --git a/SOURCES/ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch b/SOURCES/ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch deleted file mode 100644 index a7272f0..0000000 --- a/SOURCES/ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch +++ /dev/null @@ -1,156 +0,0 @@ -From 1281e56682692859e726e24fff30e44aac6f948b Mon Sep 17 00:00:00 2001 -From: nagachika -Date: Wed, 11 Oct 2017 13:48:14 +0000 -Subject: [PATCH] merge revision(s) 60149: [Backport #14003] - - Merge rubygems-2.6.14 changes. - - It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html - -git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@60168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e ---- - lib/rubygems.rb | 5 +++-- - lib/rubygems/config_file.rb | 2 +- - lib/rubygems/package.rb | 2 +- - lib/rubygems/package/old.rb | 2 +- - lib/rubygems/safe_yaml.rb | 48 +++++++++++++++++++++++++++++++++++++++++++ - lib/rubygems/specification.rb | 2 +- - 6 files changed, 55 insertions(+), 6 deletions(-) - create mode 100644 lib/rubygems/safe_yaml.rb - -diff --git a/lib/rubygems.rb b/lib/rubygems.rb -index 55aa85b8b2bd..0685bcb3c629 100644 ---- a/lib/rubygems.rb -+++ b/lib/rubygems.rb -@@ -10,7 +10,7 @@ - require 'thread' - - module Gem -- VERSION = "2.6.13" -+ VERSION = "2.6.14" - end - - # Must be first since it unloads the prelude from 1.9.2 -@@ -675,7 +675,7 @@ def self.load_yaml - - unless test_syck - begin -- gem 'psych', '>= 1.2.1' -+ gem 'psych', '>= 2.0.0' - rescue Gem::LoadError - # It's OK if the user does not have the psych gem installed. We will - # attempt to require the stdlib version -@@ -699,6 +699,7 @@ def self.load_yaml - end - - require 'yaml' -+ require 'rubygems/safe_yaml' - - # If we're supposed to be using syck, then we may have to force - # activate it via the YAML::ENGINE API. -diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb -index c95d7dd1f14e..63583b361615 100644 ---- a/lib/rubygems/config_file.rb -+++ b/lib/rubygems/config_file.rb -@@ -345,7 +345,7 @@ def load_file(filename) - return {} unless filename and File.exist? filename - - begin -- content = YAML.load(File.read(filename)) -+ content = Gem::SafeYAML.load(File.read(filename)) - unless content.kind_of? Hash - warn "Failed to load #{filename} because it doesn't contain valid YAML hash" - return {} -diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb -index c36e71d800a2..77811ed5ecaa 100644 ---- a/lib/rubygems/package.rb -+++ b/lib/rubygems/package.rb -@@ -468,7 +468,7 @@ def read_checksums gem - - @checksums = gem.seek 'checksums.yaml.gz' do |entry| - Zlib::GzipReader.wrap entry do |gz_io| -- YAML.load gz_io.read -+ Gem::SafeYAML.safe_load gz_io.read - end - end - end -diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb -index 5e722baa3540..071f7141ab78 100644 ---- a/lib/rubygems/package/old.rb -+++ b/lib/rubygems/package/old.rb -@@ -101,7 +101,7 @@ def file_list io # :nodoc: - header << line - end - -- YAML.load header -+ Gem::SafeYAML.safe_load header - end - - ## -diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb -new file mode 100644 -index 000000000000..b98cfaa5e60d ---- /dev/null -+++ b/lib/rubygems/safe_yaml.rb -@@ -0,0 +1,48 @@ -+module Gem -+ -+ ### -+ # This module is used for safely loading YAML specs from a gem. The -+ # `safe_load` method defined on this module is specifically designed for -+ # loading Gem specifications. For loading other YAML safely, please see -+ # Psych.safe_load -+ -+ module SafeYAML -+ WHITELISTED_CLASSES = %w( -+ Symbol -+ Time -+ Date -+ Gem::Dependency -+ Gem::Platform -+ Gem::Requirement -+ Gem::Specification -+ Gem::Version -+ Gem::Version::Requirement -+ YAML::Syck::DefaultKey -+ Syck::DefaultKey -+ ) -+ -+ WHITELISTED_SYMBOLS = %w( -+ development -+ runtime -+ ) -+ -+ if ::YAML.respond_to? :safe_load -+ def self.safe_load input -+ ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true) -+ end -+ -+ def self.load input -+ ::YAML.safe_load(input, [::Symbol]) -+ end -+ else -+ warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)." -+ def self.safe_load input, *args -+ ::YAML.load input -+ end -+ -+ def self.load input -+ ::YAML.load input -+ end -+ end -+ end -+end -diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb -index 88e320c05ac9..40e3a70d476c 100644 ---- a/lib/rubygems/specification.rb -+++ b/lib/rubygems/specification.rb -@@ -1101,7 +1101,7 @@ def self.from_yaml(input) - Gem.load_yaml - - input = normalize_yaml_input input -- spec = YAML.load input -+ spec = Gem::SafeYAML.safe_load input - - if spec && spec.class == FalseClass then - raise Gem::EndOfYAMLException diff --git a/SOURCES/ruby-2.5.0-Disable-Tokyo-TZ-tests.patch b/SOURCES/ruby-2.5.0-Disable-Tokyo-TZ-tests.patch new file mode 100644 index 0000000..01632eb --- /dev/null +++ b/SOURCES/ruby-2.5.0-Disable-Tokyo-TZ-tests.patch @@ -0,0 +1,30 @@ +diff --git a/test/ruby/test_time_tz.rb b/test/ruby/test_time_tz.rb +index 20a57fe7dd..5b9e5a8bde 100644 +--- a/test/ruby/test_time_tz.rb ++++ b/test/ruby/test_time_tz.rb +@@ -126,8 +126,8 @@ def test_asia_singapore + + def test_asia_tokyo + with_tz(tz="Asia/Tokyo") { +- assert_time_constructor(tz, "1951-05-06 03:00:00 +1000", :local, [1951,5,6,2,0,0]) +- assert_time_constructor(tz, "1951-05-06 03:59:59 +1000", :local, [1951,5,6,2,59,59]) ++# assert_time_constructor(tz, "1951-05-06 03:00:00 +1000", :local, [1951,5,6,2,0,0]) ++# assert_time_constructor(tz, "1951-05-06 03:59:59 +1000", :local, [1951,5,6,2,59,59]) + assert_time_constructor(tz, "2010-06-10 06:13:28 +0900", :local, [2010,6,10,6,13,28]) + } + end +@@ -329,10 +329,10 @@ def self.gen_zdump_test(data) + Asia/Singapore Sun Aug 8 16:30:00 1965 UTC = Mon Aug 9 00:00:00 1965 SGT isdst=0 gmtoff=27000 + Asia/Singapore Thu Dec 31 16:29:59 1981 UTC = Thu Dec 31 23:59:59 1981 SGT isdst=0 gmtoff=27000 + Asia/Singapore Thu Dec 31 16:30:00 1981 UTC = Fri Jan 1 00:30:00 1982 SGT isdst=0 gmtoff=28800 +-Asia/Tokyo Sat May 5 16:59:59 1951 UTC = Sun May 6 01:59:59 1951 JST isdst=0 gmtoff=32400 +-Asia/Tokyo Sat May 5 17:00:00 1951 UTC = Sun May 6 03:00:00 1951 JDT isdst=1 gmtoff=36000 +-Asia/Tokyo Fri Sep 7 15:59:59 1951 UTC = Sat Sep 8 01:59:59 1951 JDT isdst=1 gmtoff=36000 +-Asia/Tokyo Fri Sep 7 16:00:00 1951 UTC = Sat Sep 8 01:00:00 1951 JST isdst=0 gmtoff=32400 ++#Asia/Tokyo Sat May 5 16:59:59 1951 UTC = Sun May 6 01:59:59 1951 JST isdst=0 gmtoff=32400 ++#Asia/Tokyo Sat May 5 17:00:00 1951 UTC = Sun May 6 03:00:00 1951 JDT isdst=1 gmtoff=36000 ++#Asia/Tokyo Fri Sep 7 15:59:59 1951 UTC = Sat Sep 8 01:59:59 1951 JDT isdst=1 gmtoff=36000 ++#Asia/Tokyo Fri Sep 7 16:00:00 1951 UTC = Sat Sep 8 01:00:00 1951 JST isdst=0 gmtoff=32400 + America/St_Johns Sun Mar 11 03:30:59 2007 UTC = Sun Mar 11 00:00:59 2007 NST isdst=0 gmtoff=-12600 + America/St_Johns Sun Mar 11 03:31:00 2007 UTC = Sun Mar 11 01:01:00 2007 NDT isdst=1 gmtoff=-9000 + America/St_Johns Sun Nov 4 02:30:59 2007 UTC = Sun Nov 4 00:00:59 2007 NDT isdst=1 gmtoff=-9000 diff --git a/SOURCES/ruby-2.5.0-Fixed-command-Injection.patch b/SOURCES/ruby-2.5.0-Fixed-command-Injection.patch new file mode 100644 index 0000000..21bb48e --- /dev/null +++ b/SOURCES/ruby-2.5.0-Fixed-command-Injection.patch @@ -0,0 +1,156 @@ +From ba0d5f7a6df6ba5545c3ce0b09e107e10d082d49 Mon Sep 17 00:00:00 2001 +From: nobu +Date: Wed, 20 Dec 2017 04:18:31 +0000 +Subject: [PATCH 1/3] Fixed command Injection + +* resolv.rb (Resolv::Hosts#lazy_initialize): fixed potential + command Injection in Hosts::new() by use of Kernel#open. + [Fix GH-1777] [ruby-core:84347] [Bug #14205] + +From: Drigg3r + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61349 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +--- + lib/resolv.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/resolv.rb b/lib/resolv.rb +index 1044b95e68..56183b837d 100644 +--- a/lib/resolv.rb ++++ b/lib/resolv.rb +@@ -189,7 +189,7 @@ def lazy_initialize # :nodoc: + unless @initialized + @name2addr = {} + @addr2name = {} +- open(@filename, 'rb') {|f| ++ File.open(@filename, 'rb') {|f| + f.each {|line| + line.sub!(/#.*/, '') + addr, hostname, *aliases = line.split(/\s+/) +-- +2.15.1 + + +From 0b6213635018ef73567388c1095ad1c556e1f4ee Mon Sep 17 00:00:00 2001 +From: nobu +Date: Wed, 20 Dec 2017 04:25:01 +0000 +Subject: [PATCH 2/3] Fixed command Injection + +* lib/resolv.rb (Resolv::Config.parse_resolv_conf): fixed + potential command injection by use of Kernel#open. + [ruby-core:84347] [Bug #14205] + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61351 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +--- + lib/resolv.rb | 2 +- + test/resolv/test_addr.rb | 11 +++++++++++ + test/resolv/test_dns.rb | 10 ++++++++++ + 3 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/lib/resolv.rb b/lib/resolv.rb +index 56183b837d..48ee400efe 100644 +--- a/lib/resolv.rb ++++ b/lib/resolv.rb +@@ -929,7 +929,7 @@ def Config.parse_resolv_conf(filename) + nameserver = [] + search = nil + ndots = 1 +- open(filename, 'rb') {|f| ++ File.open(filename, 'rb') {|f| + f.each {|line| + line.sub!(/[#;].*/, '') + keyword, *args = line.split(/\s+/) +diff --git a/test/resolv/test_addr.rb b/test/resolv/test_addr.rb +index 4a2df5bfca..78a28c9633 100644 +--- a/test/resolv/test_addr.rb ++++ b/test/resolv/test_addr.rb +@@ -27,4 +27,15 @@ def test_invalid_byte_comment + end + end + end ++ ++ def test_hosts_by_command ++ Dir.mktmpdir do |dir| ++ Dir.chdir(dir) do ++ hosts = Resolv::Hosts.new("|echo error") ++ assert_raise(Errno::ENOENT) do ++ hosts.each_name("") {} ++ end ++ end ++ end ++ end + end +diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb +index f21a094b20..8236078374 100644 +--- a/test/resolv/test_dns.rb ++++ b/test/resolv/test_dns.rb +@@ -179,6 +179,16 @@ def test_invalid_byte_comment + end + end + ++ def test_resolv_conf_by_command ++ Dir.mktmpdir do |dir| ++ Dir.chdir(dir) do ++ assert_raise(Errno::ENOENT) do ++ Resolv::DNS::Config.parse_resolv_conf("|echo foo") ++ end ++ end ++ end ++ end ++ + def test_dots_diffences + name1 = Resolv::DNS::Name.create("example.org") + name2 = Resolv::DNS::Name.create("ex.ampl.eo.rg") +-- +2.15.1 + + +From dd71a5a9a459dbda9b9a4786f6a0b5bd59a81aae Mon Sep 17 00:00:00 2001 +From: usa +Date: Wed, 20 Dec 2017 16:04:41 +0000 +Subject: [PATCH 3/3] fix test errors on Windows + + * test/resolv/test_addr.rb (test_hosts_by_command): on Windows, `|` is + invalid charactor for path and raises `Errno::EINVAL` if trying to + open. + + * test/resolv/test_dns.rb (test_resolv_conf_by_command): ditto. + + cf. [Bug #14205] + + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61374 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +--- + test/resolv/test_addr.rb | 2 +- + test/resolv/test_dns.rb | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/test/resolv/test_addr.rb b/test/resolv/test_addr.rb +index 78a28c9633..14ec2651ab 100644 +--- a/test/resolv/test_addr.rb ++++ b/test/resolv/test_addr.rb +@@ -32,7 +32,7 @@ def test_hosts_by_command + Dir.mktmpdir do |dir| + Dir.chdir(dir) do + hosts = Resolv::Hosts.new("|echo error") +- assert_raise(Errno::ENOENT) do ++ assert_raise(Errno::ENOENT, Errno::EINVAL) do + hosts.each_name("") {} + end + end +diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb +index 8236078374..1b44f32807 100644 +--- a/test/resolv/test_dns.rb ++++ b/test/resolv/test_dns.rb +@@ -182,7 +182,7 @@ def test_invalid_byte_comment + def test_resolv_conf_by_command + Dir.mktmpdir do |dir| + Dir.chdir(dir) do +- assert_raise(Errno::ENOENT) do ++ assert_raise(Errno::ENOENT, Errno::EINVAL) do + Resolv::DNS::Config.parse_resolv_conf("|echo foo") + end + end +-- +2.15.1 + diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec index 9c083d3..9431546 100644 --- a/SPECS/ruby.spec +++ b/SPECS/ruby.spec @@ -3,7 +3,7 @@ %global major_version 2 %global minor_version 4 -%global teeny_version 2 +%global teeny_version 3 %global major_minor_version %{major_version}.%{minor_version} %global ruby_version %{major_minor_version}.%{teeny_version} @@ -24,7 +24,7 @@ %endif -%global release 86 +%global release 90 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -140,10 +140,13 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch # hardening features of glibc (rhbz#1361037). # https://bugs.ruby-lang.org/issues/12666 Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch -# CVE-2017-0903: Fix unsafe object deserialization through YAML formatted gem -# specifications. -# https://bugs.ruby-lang.org/issues/14003 -Patch10: ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch +# Recent tzdata change breaks Ruby test suite. +# https://bugs.ruby-lang.org/issues/14438 +Patch10: ruby-2.5.0-Disable-Tokyo-TZ-tests.patch +# CVE-2017-17790 - Command injection in lib/resolv.rb:lazy_initialize() allows +# arbitrary code execution +# https://bugs.ruby-lang.org/issues/14205 +Patch11: ruby-2.5.0-Fixed-command-Injection.patch Requires: %{?scl_prefix}%{pkg_name}-libs%{?_isa} = %{version}-%{release} Requires: %{?scl_prefix}ruby(rubygems) >= %{rubygems_version} @@ -519,6 +522,7 @@ rm -rf ext/fiddle/libffi* %patch7 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 # Allow to use autoconf 2.63. sed -i '/AC_PREREQ/ s/(.*)/(2.62)/' configure.in @@ -1057,6 +1061,20 @@ make check TESTS="-v $DISABLE_TESTS" %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec %changelog +* Mon Mar 12 2018 Pavel Valena - 2.4.3-90 +- Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code + execution(CVE-2017-17790). + * ruby-2.5.0-Fixed-command-Injection.patch + Related: rhbz#1549651 + +* Mon Feb 12 2018 Pavel Valena - 2.4.3-89 +- Upgrade to Ruby 2.4.3. + Resolves: rhbz#1549651 + Resolves: CVE-2017-17405 + * Remove Patch10: ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization + -vulnerability.patch + subsumed + * Mon Oct 30 2017 Vít Ondruch - 2.4.2-86 - Upgrade to Ruby 2.4.2. * Remove Patch10: ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch;