ruby2.1 (2.1.5-2+deb8u13) jessie-security; urgency=high

  * Add length limit option for methods that parses
    date strings. (Fixes: CVE-2021-41817)
  * When parsing cookies, only decode the values.
    (Fixes: CVE-2021-41819)

 -- Utkarsh Gupta <utkarsh@debian.org>  Mon, 06 Dec 2021 06:01:41 +0530

ruby2.1 (2.1.5-2+deb8u12) jessie-security; urgency=high

  * Add patch to use File.open to fix the OS Command
    Injection vulnerability. (Fixes: CVE-2021-31799)
  * Add patch to fix StartTLS stripping vulnerability.
    (Fixes: CVE-2021-32066)
  * Add patch to ignore IP addresses in PASV responses
    by default. (Fixes: CVE-2021-31810)

 -- Utkarsh Gupta <utkarsh@debian.org>  Sun, 10 Oct 2021 18:13:06 +0530

ruby2.1 (2.1.5-2+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Add patch to fix a potential HTTP request smuggling
    vulnerability in WEBrick. (Fixes: CVE-2020-25613)

 -- Utkarsh Gupta <utkarsh@debian.org>  Thu, 01 Oct 2020 18:13:06 +0530

ruby2.1 (2.1.5-2+deb8u10) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix unsafe object creation vulnerability in JSON.
    (Fixes: CVE-2020-10663)

 -- Utkarsh Gupta <utkarsh@debian.org>  Wed, 29 Apr 2020 02:13:45 +0530

ruby2.1 (2.1.5-2+deb8u9) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Fix CVE-2016-2338: heap overflow vulnerability

 -- Abhijith PA <abhijith@debian.org>  Tue, 24 Mar 2020 17:09:41 +0100

ruby2.1 (2.1.5-2+deb8u8) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team. 
  * CVE-2019-15845
    path matching might pass in File.fnmatch and File.fnmatch? due
    to a NUL character injection
  * CVE-2019-16201
    A loop caused by a wrong regular expression could lead to a denial
    of service of a WEBrick service.
  * CVE-2019-16254
    This is the same issue as CVE-2017-17742, whose fix was not complete.
  * CVE-2019-16255
    Giving untrusted data to the first argument of Shell#[] and Shell#test
    might lead to a code injection vulnerability.

 -- Thorsten Alteholz <debian@alteholz.de>  Mon, 25 Nov 2019 19:03:02 +0100

ruby2.1 (2.1.5-2+deb8u7) jessie-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * Fix CVE-2019-8320, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324,
    CVE-2019-8325

 -- Abhijith PA <abhijith@debian.org>  Fri, 29 Mar 2019 11:56:38 +0530

ruby2.1 (2.1.5-2+deb8u6) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team. 
  * CVE-2018-16395
    Fix for OpenSSL::X509::Name equality check.
  * CVE-2018-16396
    Tainted flags are not propagated in Array#pack and String#unpack 
    with some directives.

 -- Thorsten Alteholz <debian@alteholz.de>  Fri, 26 Oct 2018 19:03:02 +0200

ruby2.1 (2.1.5-2+deb8u5) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2018-1000074.patch: fix Deserialization of Untrusted Data
    vulnerability in owner command that can result in code execution
    through specially crafted YAML files. (Closes: #895778)
  * CVE-2018-1000073.patch: fix directory traversal vulnerability
  * CVE-2016-2337.patch: fix arbitrary code execution in Tcl/Tk API

 -- Antoine Beaupré <anarcat@debian.org>  Mon, 27 Aug 2018 15:08:54 -0400

ruby2.1 (2.1.5-2+deb8u4) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * Fix multiple security issues:
  * CVE-2015-9096: SMTP command injection via CRLF sequences
  * CVE-2016-2339: Exploitable heap overflow in Fiddle::Function.new
    (Closes: #851161)
  * CVE-2016-7798: Fix IV Reuse in GCM Mode.
    Patch by Kazuki Yamaguchi <k@rhe.jp>
  * CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
  * CVE-2017-10784: lib/webrick/log.rb: sanitize any type of logs
  * CVE-2017-14033: asn1: fix out-of-bounds read in decoding
    constructed objects
  * CVE-2017-14064: Heap exposure vulnerability in generating JSON
  * CVE-2017-0903: Whitelist classes and symbols that are in Gem spec
    YAML
  * Fix multiple vulnerabilities in rubygems:
    - a DNS request hijacking vulnerability. (CVE-2017-0902)
    - an ANSI escape sequence vulnerability. (CVE-2017-0899)
    - a DoS vulnerability in the query command. (CVE-2017-0900)
    - a vulnerability in the gem installer that allowed a malicious gem to
      overwrite arbitrary files. (CVE-2017-0901)
  * CVE-2017-17405: Command injection in Net::FTP
  * CVE-2017-17790: Command injection in Hosts:new() by use of
    Kernel#open
  * CVE-2018-1000075: Strictly interpret octal fields in tar headers to
    avoid infinite loop
  * CVE-2018-1000076: Raise a security error when there are duplicate
    files in a package
  * CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
  * CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute
    when displayed via gem server.
  * CVE-2018-1000079: Directory Traversal vulnerability in gem
    installation that can result in the gem could write to arbitrary
    filesystem locations.
  * CVE-2018-8778: Buffer under-read in String#unpack
  * CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte
    in Dir
  * CVE-2018-6914: Unintentional file and directory creation with
    directory traversal in tempfile and tmpdir
  * CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
    UNIXServer and UNIXSocket
  * CVE-2018-8777: DoS by large request in WEBrick
  * CVE-2017-17742: HTTP response splitting in WEBrick

 -- Santiago Ruano Rincón <santiagorr@riseup.net>  Fri, 13 Jul 2018 15:55:10 +0200

ruby2.1 (2.1.5-2+deb8u3) jessie; urgency=low

  * Non-maintainer upload to fix security problem.
  * Fix CVE-2009-5147: DL::dlopen should not open a library with
    tainted library name in safe mode (Closes: #796344).  Based on
    patch used in DLA-299-1, which was pulled from upstream.
  * Fix CVE-2015-7551: Fiddle handles should not call functions with
    tainted function names (Closes: #796344).  Patch pulled from
    upstream.

 -- Petter Reinholdtsen <pere@debian.org>  Tue, 07 Jun 2016 11:00:04 +0200

ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high

  * Apply upstream patches to fix Request hijacking vulnerability in Rubygems
    [CVE-2015-3900] (Closes: #790119)

 -- Antonio Terceiro <terceiro@debian.org>  Wed, 29 Jul 2015 09:27:24 -0300

ruby2.1 (2.1.5-2+deb8u1) jessie-security; urgency=high

  * Fix vulnerabiity with overly permissive matching of hostnames in OpenSSL
    extension [CVE-2015-1855]
    - applied revision 50296 of upstream svn repository.

 -- Antonio Terceiro <terceiro@debian.org>  Fri, 17 Apr 2015 09:26:57 -0300

ruby2.1 (2.1.5-2) unstable; urgency=medium

  * Fix Segmentation fault after pack & ioctl & unpack (Closes: #781504)
    - apply r44804 from upstream svn
  * debian/upstream-changes: simpler and more accurate implementation

 -- Antonio Terceiro <terceiro@debian.org>  Tue, 31 Mar 2015 21:50:39 -0300

ruby2.1 (2.1.5-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2014-8090 Another Denial of Service XML Expansion
      (Closes: #770932)
    - Fixes build on SPARC (Closes: #769731)

 -- Antonio Terceiro <terceiro@debian.org>  Sat, 29 Nov 2014 12:30:39 -0200

ruby2.1 (2.1.4-1) unstable; urgency=high

  * New upstream version
    - CVE-2014-8080: Denial of Service in XML Expansion
    - Changes default settings in OpenSSL bindings to not use deprecated and
      insecure ciphers; avoids issues associated to CVE-2014-3566 (i.e. the
      "POODLE" bug in OpenSSL)

 -- Antonio Terceiro <terceiro@debian.org>  Wed, 29 Oct 2014 12:07:22 -0200

ruby2.1 (2.1.3-2) unstable; urgency=medium

  [ Sebastian Boehm ]
  * Install SystemTap tap file (Closes: #765862)

 -- Christian Hofstaedtler <zeha@debian.org>  Sun, 19 Oct 2014 20:07:50 +0200

ruby2.1 (2.1.3-1) unstable; urgency=medium

  * New upstream version

 -- Christian Hofstaedtler <zeha@debian.org>  Sat, 20 Sep 2014 16:55:47 +0200

ruby2.1 (2.1.2-4) unstable; urgency=medium

  [ Antonio Terceiro ]
  * Move libjs-jquery dependency from libruby2.1 to ruby2.1, and turn it into
    Recommends:. This way programs that link against libruby2.1 won't pull in
    libjs-jquery; OTOH those using rdoc (and thus needing libjs-jquery) would
    be already using ruby2.1 anyway.

  [ Christian Hofstaedtler ]
  * Update Vcs-Git URL, as we've moved from master2.1 to master.
  * Prepare libruby21.symbols for x32 (Closes: #759615)
  * Remove embedded copies of SSL certificates. Rubygems is advised by
    rubygems-integration to use the ca-certificates provided certificates.
    (Closes: #689074)

 -- Christian Hofstaedtler <zeha@debian.org>  Fri, 05 Sep 2014 03:06:30 +0200

ruby2.1 (2.1.2-3) unstable; urgency=medium

  [ Antonio Terceiro ]
  * debian/rules: call debian/split-tk-out.rb with $(baseruby) instead of
    `ruby` to actually support bootstrapping with ruby1.8 (and no `ruby`)
  * Break dependency loop (Closes: #747858)
    - ruby2.1: drop dependency on ruby
    - libruby2.1: drop dependency on ruby2.1

  [ Christian Hofstaedtler ]
  * Add missing man pages for gem, rdoc, testrb (Closes: #756053, #756815)
  * Correct ruby2.1's Multi-Arch flag to 'allowed' (Closes: #745360)

 -- Antonio Terceiro <terceiro@debian.org>  Thu, 14 Aug 2014 10:45:29 -0300

ruby2.1 (2.1.2-2) unstable; urgency=medium

  * Support bootstrapping with Ruby 1.8 (which builds with gcc only) if another
    Ruby is not available.

 -- Antonio Terceiro <terceiro@debian.org>  Thu, 15 May 2014 23:20:49 -0300

ruby2.1 (2.1.2-1) unstable; urgency=medium

  [ Christian Hofstaedtler ]
  * New upstream version
  * Update watch file

  [ Sebastian Boehm ]
  * Build with basic systemtap support. (Closes: #747232)

  [ Antonio Terceiro ]
  * 2.1 is now the main development branch

 -- Christian Hofstaedtler <zeha@debian.org>  Sat, 10 May 2014 15:51:13 +0200

ruby2.1 (2.1.1-4) unstable; urgency=medium

  * Use Debian copy of config.{guess,sub}
    Instead of downloading it from the Internet, which could be down or
    insecure. Thanks to Scott Kitterman for the report AND patch.
    (Closes: 745699)
  * Move jquery source file to d/missing-sources

 -- Christian Hofstaedtler <zeha@debian.org>  Fri, 25 Apr 2014 00:57:13 +0200

ruby2.1 (2.1.1-3) unstable; urgency=medium

  [ Antonio Terceiro ]
  * Disable rubygems-integration during the build. This fixes the install
    location of the gemspecs for the bundled libraries. (Closes: #745465)

 -- Christian Hofstaedtler <zeha@debian.org>  Tue, 22 Apr 2014 18:38:01 +0200

ruby2.1 (2.1.1-2) unstable; urgency=medium

  * Tie Tcl/Tk dependency to version 8.5, applying patch from Ubuntu.
    Thanks to Matthias Klose <doko@debian.org>

 -- Christian Hofstaedtler <zeha@debian.org>  Mon, 10 Mar 2014 13:38:41 +0100

ruby2.1 (2.1.1-1) unstable; urgency=medium

  * Imported Upstream version 2.1.1
  * Update lintian overrides

 -- Christian Hofstaedtler <zeha@debian.org>  Wed, 05 Mar 2014 18:22:58 +0100

ruby2.1 (2.1.0-2) unstable; urgency=medium

  * ruby2.1-dev: Depend on libgmp-dev.
    Thanks to John Leach <john@johnleach.co.uk>
  * Fix FTBFS with libreadline 6.x, by applying upstream r45225.

 -- Christian Hofstaedtler <zeha@debian.org>  Mon, 03 Mar 2014 21:10:32 +0100

ruby2.1 (2.1.0-1) unstable; urgency=medium

  * Upload to unstable.

 -- Christian Hofstaedtler <zeha@debian.org>  Sat, 22 Feb 2014 23:44:44 +0100

ruby2.1 (2.1.0-1~exp2) experimental; urgency=medium

  [ Antonio Terceiro ]
  * ruby2.1-dev: add missing dependency on libruby2.1

  [ Christian Hofstaedtler ]
  * Again depend on ruby without alternatives management
  * Tag 64bit-only symbols as such

 -- Christian Hofstaedtler <zeha@debian.org>  Thu, 13 Feb 2014 13:02:25 +0100

ruby2.1 (2.1.0-1~exp1) experimental; urgency=medium

  * New release train, branch off and rename everything to ruby2.1
    (Closes: #736664)
  * Build with GMP library for faster Bignum operations.
  * Target experimental as long as ruby 1:1.9.3.1 has not entered
    unstable, dropping the versioned dependency for now.

 -- Christian Hofstaedtler <zeha@debian.org>  Thu, 23 Jan 2014 19:25:19 +0100

ruby2.0 (2.0.0.484-1) UNRELEASED; urgency=medium

  [ Antonio Terceiro ]
  * New upstream snapshot.
  * Add patch by Yamashita Yuu to fix build against newer OpenSSL
    (Closes: #733372)

  [ Christian Hofstaedtler ]
  * Use any valid Ruby interpreter to bootstrap
  * Bump Standards-Version to 3.9.5 (no changes)
  * Add myself to Uploaders:
  * Add Dependencies to facilitate upgrades from 1.8
    * libruby2.0 now depends on ruby2.0
    * ruby2.0 now depends on ruby
  * Stop installing alternatives/symlinks for binaries:
    * /usr/bin/{ruby,erb,testrb,irb,rdoc,ri}

 -- Christian Hofstaedtler <zeha@debian.org>  Fri, 17 Jan 2014 16:35:57 +0100

ruby2.0 (2.0.0.353-1) unstable; urgency=low

  * New upstream release
    + Includes fix for Heap Overflow in Floating Point Parsing (CVE-2013-4164)
      Closes: #730190

 -- Antonio Terceiro <terceiro@debian.org>  Mon, 25 Nov 2013 22:34:25 -0300

ruby2.0 (2.0.0.343-1) unstable; urgency=low

  * New upstream version (snapshot from 2.0 maintainance branch).
  * fix typo in ruby2.0-tcltk description
  * Backported upstream patches from Tanaka Akira to fix FTBFS on:
    - GNU/kFreeBSD (Closes: #726095)
    - x32 (Closes: #727010)
  * Make date for io-console gemspec predictable (Closes: #724974)
  * libruby2.0 now depends on libjs-jquery because of rdoc (Closes: #725056)
  * Backport upstream patch by Nobuyoshi Nakada to fix include directory in
    `pkg-config --cflags` (Closes: #725166)
  * Document missing licenses in debian/copyright (Closes: #723161)
  * debian/libruby2.0.symbols: add new symbol rb_exec_recursive_paired_outer
    (not in the public API though)

 -- Antonio Terceiro <terceiro@debian.org>  Tue, 05 Nov 2013 20:33:23 -0300

ruby2.0 (2.0.0.299-2) unstable; urgency=low

  * Split Ruby/Tk out of libruby2.0 into its own package, ruby2.0-tcltk. This
    will reduce the footprint of a basic Ruby installation.

 -- Antonio Terceiro <terceiro@debian.org>  Sun, 15 Sep 2013 22:09:57 -0300

ruby2.0 (2.0.0.299-1) unstable; urgency=low

  * New upstream release
    + Includes a fix for override of existing LDFLAGS when building compiled
      extensions that use pkg-config (Closes: #721799).
  * debian/rules: forward-port to tcl/tk packages with multi-arch support.
    Thanks to Tristan Hill for reporting on build for Ubuntu saucy
  * debian/control: ruby2.0 now provides ruby-interpreter
  * Now using tarballs generated from the git mirror.
    + The released tarballs will modify shipped files on clean. Without this
      we can stop messing around with files that need to be recovered after a
      `debian/rules clean` to make them match the orig tarball and avoid
      spurious diffs.
    + This also lets us drop the diffs against generated files such as
      tool/config.* and configure.
    + documented in debian/README.source
  * debian/libruby2.0.symbols: refreshed with 2 new symbols added since last
    version.

 -- Antonio Terceiro <terceiro@debian.org>  Sun, 08 Sep 2013 12:38:34 -0300

ruby2.0 (2.0.0.247-1) unstable; urgency=low

  * Initial release (Closes: #697703)

 -- Antonio Terceiro <terceiro@debian.org>  Mon, 07 Jan 2013 14:48:51 -0300
