ruby2.0 (2.0.0.484-1ubuntu2.13) trusty-security; urgency=medium

  * SECURITY UPDATE: Delete directory using symlink when decompressing tar,
    Escape sequence injection vulnerability in gem owner, Escape sequence
    injection vulnerability in API response handling, Arbitrary code exec,
    Escape sequence injection vulnerability in errors
    - debian/patches/CVE-2019-8320-25.patch: fix in
      lib/rubygems/command_manager.rb,
      lib/rubygems/commands/owner_command.rb,
      lib/rubygems/gemcutter_utilities.rb,
      lib/rubygems/installer.rb,
      lib/rubygems/package.rb,
      test/rubygems/test_gem_installer.rb,
      test/rubygems/test_gem_package.rb,
      test/rubygems/test_gem_text.rb.
    - CVE-2019-8320
    - CVE-2019-8321
    - CVE-2019-8322
    - CVE-2019-8323
    - CVE-2019-8324
    - CVE-2019-8325
  * Fixing expired certificates that cause tests to fail
    - debian/patches/fixing_expired_SSL_certificates.patch: updating certs in
      test/net/imap/cacert.pem, test/net/imap/server.crt,
      test/net/imap/server.key.

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Fri, 29 Mar 2019 12:53:02 -0300

ruby2.0 (2.0.0.484-1ubuntu2.11) trusty-security; urgency=medium

  * SECURITY UPDATE: Name equality check
    - debian/patches/CVE-2018-16395.patch: fix in
      ext/openssl/ossl_x509name.c.
    - CVE-2018-16395
  * SECURITY UPDATE: Tainted flags not propagated
    - debian/patches/CVE-2018-16396.patch: fix in
      pack.c, test/ruby/test_pack.rb.
    - CVE-2018-16396

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Mon, 29 Oct 2018 14:09:40 -0300

ruby2.0 (2.0.0.484-1ubuntu2.10) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS vulnerability in query command
    - debian/patches/CVE-2017-0901-0902.patch: patch extracted from
      Debian Wheezy.
    - CVE-2017-0901
    - CVE-2017-0902
  * SECURITY UPDATE: Remote code execution
    - debian/patches/CVE-2017-0903.patch: fix in lib/rubygems.rb,
      lib/rubygems/config_file.rb, lib/rubygems/safe_yaml.rb,
      lib/rubygems/specification.rb.
    - CVE-2017-0903
  * SECURITY UPDATE: possibly execute arbitrary commands via a crafted user name
    - debian/patches/CVE-2017-10784.patch: sanitize any type of logs in
      lib/webrick/httpstatus.rb, lib/webrick/log.rb and test/webrick/test_httpauth.rb.
    - CVE-2017-10784
  * SECURITY UPDATE: Arbitrary memory exposure during a JSON.generate call
    - debian/patches/CVE-2017-14064.patch: fix this in
      ext/json/ext/generator/generator.c and ext/json/ext/generator/generator.h.
    - CVE-2017-14064
  * SECURITY UPDATE: Malicious format string - buffer overrun
    - debian/patches/CVE-2017-0898.patch: fix in sprintf.c,
      test/ruby/test_sprintf.rb.
    - CVE-2017-0898
  * SECURITY UPDATE: Response splitting attack
    - debian/patches/CVE-2017-17742*.patch: fix in webrick/httpresponse.rb.
    - CVE-2017-17742
  * SECURITY UPDATE: Deserialization of untrusted data
    - debian/patches/CVE-2018-1000074.patch: fix in
      lib/rubygems/commands/owner_command.rb.
    - CVE-2018-1000074
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-8777*.patch: fix in lib/webrick/httpresponse.rb,
      lib/webrick/httpservlet/filehandler.rb.
    - CVE-2018-8777

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Mon, 11 Jun 2018 12:03:55 -0300

ruby2.0 (2.0.0.484-1ubuntu2.9) trusty-security; urgency=medium

  * SECURITY UPDATE: Directory traversal vulnerability
    - debian/patches/CVE-2018-6914.patch: fix in lib/tmpdir.rb,
      test/test_tempfile.rb.
    - CVE-2018-6914
  * SECURITY UPDATE: Buffer under-read
    - debian/patches/CVE-2018-8778.patch: fix in pack.c,
      test/ruby/test_pack.rb.
    - CVE-2018-8778
  * SECURITY UPDATE: Unintended socket
    - debian/patches/CVE-2018-8779.patch: fix in ext/socket/unixsocket.c,
      test/socket/test_unix.rb.
    - CVE-2018-8779
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-8780.patch: fix in dir.c,
      test/ruby/test_dir.rb.
    - CVE-2018-8780

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Mon, 16 Apr 2018 11:03:32 -0300

ruby2.0 (2.0.0.484-1ubuntu2.8) trusty-security; urgency=medium

  * SECURITY REGRESSION: The fix for CVE-2018-1000074 was incomplete
    and will be addressed in a future update.

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Fri, 13 Apr 2018 10:37:58 -0300

ruby2.0 (2.0.0.484-1ubuntu2.6) trusty-security; urgency=medium

  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-1000073.patch: fix in
      lib/rubygems/package.rb.
    - CVE-2018-1000073
  * SECURITY UPDATE: Deserialization of untrusted data
    - debian/patches/CVE-2018-1000074.patch: fix in
      lib/rubygems/commands/owner_command.rb,
      test/rubygems/test_gem_commands_owner_command.rb.
    - CVE-2018-1000074
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2018-1000075.patch: fix in
      lib/rubygems/package/tar_header.rb,
      test/rubygems/test_gem_package_tar_header.rb.
    - CVE-2018-1000075
  * SECURITY UPDATE: Improper verification of crypto
    signature
    - debian/patches/CVE-2018-1000076.patch: fix in
      lib/rubygems/package.rb, lib/rubygems/package/tar_writer.rb,
      test/rubygems/test_gem_package.rb.
    - CVE-2018-1000076
  * SECURITY UPDATE: Validation vulnerability
    - debian/patches/CVE-2018-1000077.patch: fix in
      lib/rubygems/specification.rb,
      test/rubygems/test_gem_specification.rb.
    - CVE-2018-1000077
  * SECURITY UPDATE: Cross site scripting
    - debian/patches/CVE-2018-1000078.patch: fix in
      lib/rubygems/server.rb.
    - CVE-2018-1000078
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-1000079.patch: fix in
      lib/rubygems/package.rb, test/rubygems/test_gem_package.rb.
    - CVE-2018-1000079

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Tue, 03 Apr 2018 15:37:15 -0300

ruby2.0 (2.0.0.484-1ubuntu2.5) trusty-security; urgency=medium

  * SECURITY UPDATE: command injection through Net::FTP
    - debian/patches/CVE-2017-17405.patch: fix command injection
      in lib/net/ftp.rb, test/net/ftp/test_ftp.rb.
    - CVE-2017-17405

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Mon, 18 Dec 2017 15:53:12 -0300

ruby2.0 (2.0.0.484-1ubuntu2.4) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect hostname matching
    - debian/patches/CVE-2015-1855.patch: implement stricter hostname
      validation per RFC 6125 in ext/openssl/lib/openssl/ssl.rb, added
      tests to test/openssl/test_ssl.rb.
    - CVE-2015-1855
  * SECURITY UPDATE: DoS and possible code execution in Fiddle::Handle
    - debian/patches/CVE-2015-7551.patch: check tainted string arguments in
      ext/fiddle/handle.c, added tests to test/fiddle/test_handle.rb.
    - CVE-2015-7551
  * SECURITY UPDATE: SMTP command injection
    - debian/patches/CVE-2015-9096.patch: don't allow bare CR or LF in
      lib/net/smtp.rb, added test to test/net/smtp/test_smtp.rb.
    - CVE-2015-9096
  * SECURITY UPDATE: type confusion in tcltkip
    - debian/patches/CVE-2016-2337.patch: check argument in
      ext/tk/tcltklib.c.
    - CVE-2016-2337
  * SECURITY UPDATE: heap overflow in Fiddle::Function.new
    - debian/patches/CVE-2016-2339.patch: check arguments in
      ext/fiddle/function.c.
    - CVE-2016-2339
  * SECURITY UPDATE: use of same initialization vector (IV)
    - debian/patches/CVE-2016-7798.patch: don't set dummy key in
      ext/openssl/ossl_cipher.c, added test to test/openssl/test_cipher.rb.
    - CVE-2016-7798
  * debian/rules: add note on enabling the full test suite
  * debian/patches/fix_tests.patch: fix some broken tests.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 20 Jun 2017 07:58:57 -0400

ruby2.0 (2.0.0.484-1ubuntu2.2) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8090.patch: add REXML::Document#document
      to rexml/document.rb, add warning to rexml/entity.rb, added tests to
      test/rexml/test_document.rb.
    - CVE-2014-8090

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 19 Nov 2014 08:53:33 -0500

ruby2.0 (2.0.0.484-1ubuntu2.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overrun in encodes
    function
    - debian/patches/CVE-2014x-4975.patch: properly calculate buffer size
      in pack.c, added test to test/ruby/test_pack.rb.
    - CVE-2014-4975
  * SECURITY UPDATE: denial of service via XML expansion
    - debian/patches/CVE-2014-8080.patch: limit expansions in
      lib/rexml/entity.rb, added tests to test/rexml/test_document.rb,
      test/rexml/test_entity.rb.
    - CVE-2014-8080

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 03 Nov 2014 09:57:14 -0500

ruby2.0 (2.0.0.484-1ubuntu2) trusty; urgency=medium

  * Fix build failure with readline-6.3.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 19 Mar 2014 14:30:49 +0100

ruby2.0 (2.0.0.484-1ubuntu1) trusty; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Build-depend on Tcl/Tk 8.5, ruby is not yet ready for Tcl/Tk 8.6.

 -- Adam Conrad <adconrad@ubuntu.com>  Fri, 14 Feb 2014 21:52:00 -0700

ruby2.0 (2.0.0.484-1) unstable; urgency=medium

  [ Antonio Terceiro ]
  * New upstream snapshot.

  [ Christian Hofstaedtler ]
  * Use any valid Ruby interpreter to bootstrap
  * Bump Standards-Version to 3.9.5 (no changes)
  * Add myself to Uploaders:
  * Add Dependencies to facilitate upgrades from 1.8
    * libruby2.0 now depends on ruby2.0
    * ruby2.0 now depends on ruby
  * Stop installing alternatives/symlinks for binaries:
    * /usr/bin/{ruby,erb,testrb,irb,rdoc,ri}

 -- Antonio Terceiro <terceiro@debian.org>  Sun, 02 Feb 2014 08:22:10 -0300

ruby2.0 (2.0.0.353-1ubuntu1) trusty; urgency=medium

  * Build-depend on tcl8.5-dev and tk8.5-dev, ruby is not yet ready
    for Tcl/Tk 8.6.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 04 Jan 2014 17:08:15 +0100

ruby2.0 (2.0.0.353-1build1) trusty; urgency=medium

  * No-change rebuild for Tcl/Tk 8.6.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 02 Jan 2014 20:21:25 +0100

ruby2.0 (2.0.0.353-1) unstable; urgency=low

  * New upstream release
    + Includes fix for Heap Overflow in Floating Point Parsing (CVE-2013-4164)
      Closes: #730190

 -- Antonio Terceiro <terceiro@debian.org>  Mon, 25 Nov 2013 22:34:25 -0300

ruby2.0 (2.0.0.343-1) unstable; urgency=low

  * New upstream version (snapshot from 2.0 maintenance branch).
  * fix typo in ruby2.0-tcltk description
  * Backported upstream patches from Tanaka Akira to fix FTBFS on:
    - GNU/kFreeBSD (Closes: #726095)
    - x32 (Closes: #727010)
  * Make date for io-console gemspec predictable (Closes: #724974)
  * libruby2.0 now depends on libjs-jquery because of rdoc (Closes: #725056)
  * Backport upstream patch by Nobuyoshi Nakada to fix include directory in
    `pkg-config --cflags` (Closes: #725166)
  * Document missing licenses in debian/copyright (Closes: #723161)
  * debian/libruby2.0.symbols: add new symbol rb_exec_recursive_paired_outer
    (not in the public API though)

 -- Antonio Terceiro <terceiro@debian.org>  Tue, 05 Nov 2013 20:33:23 -0300

ruby2.0 (2.0.0.299-2) unstable; urgency=low

  * Split Ruby/Tk out of libruby2.0 into its own package, ruby2.0-tcltk. This
    will reduce the footprint of a basic Ruby installation.

 -- Antonio Terceiro <terceiro@debian.org>  Sun, 15 Sep 2013 22:09:57 -0300

ruby2.0 (2.0.0.299-1) unstable; urgency=low

  * New upstream release
    + Includes a fix for override of existing LDFLAGS when building compiled
      extensions that use pkg-config (Closes: #721799).
  * debian/rules: forward-port to tcl/tk packages with multi-arch support.
    Thanks to Tristan Hill for reporting on build for Ubuntu saucy
  * debian/control: ruby2.0 now provides ruby-interpreter
  * Now using tarballs generated from the git mirror.
    + The released tarballs will modify shipped files on clean. Without this
      we can stop messing around with files that need to be recovered after a
      `debian/rules clean` to make them match the orig tarball and avoid
      spurious diffs.
    + This also lets us drop the diffs against generated files such as
      tool/config.* and configure.
    + documented in debian/README.source
  * debian/libruby2.0.symbols: refreshed with 2 new symbols added since last
    version.

 -- Antonio Terceiro <terceiro@debian.org>  Sun, 08 Sep 2013 12:38:34 -0300

ruby2.0 (2.0.0.247-1) unstable; urgency=low

  * Initial release (Closes: #697703)

 -- Antonio Terceiro <terceiro@debian.org>  Mon, 07 Jan 2013 14:48:51 -0300

