ruby2.1 (2.1.5-2+deb8u16) jessie-security; urgency=medium

  * Non-maintainer upload by the ELTS Security Team.
  * Fix CVE-2025-27219:
    The CGI::Cookie.parse method in the CGI library contains a
    potential Denial of Service (DoS) vulnerability.
    The method does not impose any limit on the length of the raw
    cookie value it processes. This oversight can lead to excessive
    resource consumption when parsing extremely large cookies.
  * Fix CVE-2025-27220:
    In the CGI gem, a Regular Expression Denial of Service (ReDoS)
    vulnerability exists in the Util#escapeElement method.
  * Fix CVE-2025-27221:
    In the URI gem for Ruby, the URI handling methods
    (URI.join, URI#merge, URI#+) have an inadvertent leakage of
    authentication credentials because userinfo is retained even
    after changing the host.

 -- Bastien Roucariès <rouca@debian.org>  Wed, 12 Mar 2025 23:37:00 +0000

ruby2.1 (2.1.5-2+deb8u15) jessie-security; urgency=medium

  * Non-maintainer upload by the ELTS Security Team.
  * Upgrade rexml gems from 3.1.7.3 to 3.2.3.1
  * Fix CVE-2024-35176: REXML is an XML toolkit for Ruby.
    The REXML gem has a Denial of Service (DoS) vulnerability
    when it parses an XML that has many `<`s in
    an attribute value. Those who need to parse
    untrusted XMLs may be impacted to this vulnerability
  * Fix CVE-2024-39908: REXML is an XML toolkit for Ruby.
    The REXML gem has some Denial of Service (DoS) vulnerabilities
    when it parses an XML that has many specific characters such
    as `<`, `0` and `%>`. If you need to parse untrusted XMLs,
    you many be impacted to these vulnerabilities.
  * Fix CVE-2024-41123: REXML is an XML toolkit for Ruby.
    The REXML gem has some DoS vulnerabilities
    when it parses an XML that has many specific characters
    such as whitespace character, `>]` and `]>`.
  * Fix CVE-2024-41946: REXML is an XML toolkit for Ruby.
    The REXML gem had a Denial of Service (DoS) vulnerability
    when it parses an XML that has many entity expansions
    with SAX2 or pull parser API.
  * Fix CVE-2024-43398: REXML is an XML toolkit for Ruby.
    The REXML gem before 3.3.6 has a Denial of Service (DoS)
    vulnerability when it parses an XML that has many deep
    elements that have same local name attributes.
    If you need to parse untrusted XMLs with tree parser
    API like REXML::Document.new, you may be impacted
    to this vulnerability. If you use other parser APIs
    such as stream parser API and SAX2 parser API,
    you are not impacted.
  * Fix CVE-2024-49761: REXML is an XML toolkit for Ruby.
    The REXML gem before 3.3.9 has a ReDoS vulnerability
    when it parses an XML that has many digits between
    &# and x...; in a hex numeric character reference (&#x...;).

 -- Bastien Roucariès <rouca@debian.org>  Tue, 25 Feb 2025 21:12:20 +0000

ruby2.1 (2.1.5-2+deb8u14) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS Security Team.
  * Fix testsuite
    * Update test certificates.
    * Update tests for new tzdata.
    * Update tests for Git CVE 2022-39253.
    * Backport assert_linear_performance.
    * Fix openssl tests for jessie's openssl.
    * Rework CVE 2017-17405 patch to drop extra failing copy/pasted test cases.
    * Fix CVE 2021-32066 test.
    * Fix CVE 2015-9096 test.
    * Fix WEBrick tests introduced in previous CVE fixes.
    * Fix Gem::Installer tests introduced in previous CVE fixes.
    * Skip test for CVE 2019-8320 (ruby2.1 actually not affected).
    * Improve skip detection for Rinda when network is not available.
    * Fix flaky tests in io_console.
    * Fix stackoverflow test on arm.
    * Fix sprintf#test_float on i386.
    * Fix testsuite in minimal environment such as Salsa-CI
      (install netbase).
    * Run full testsuite during build.
    * Exclude 6 tests with untrackable failure reason.
    * Exclude 4 tests requiring network access.
    * Exclude 1 test failing in sbuild environment.
  * CVE-2016-2338: full fix (heap overflow in Psych::Emitter).
  * Fix crash (missing symbol) from CVE 2021-41817 incorrect fix
    (Date.parse ReDoS).
  * CVE-2021-28965: the REXML gem does not properly address XML round-trip
    issues. An incorrect document can be produced after parsing and
    serializing. (Closes: #986807)
  * CVE-2021-33621: the cgi gem allows HTTP response splitting. This is
    relevant to applications that use untrusted user input either to
    generate an HTTP response or to create a CGI::Cookie object.
    (Closes: #1024799)
  * CVE-2022-28739: buffer over-read occurs in String-to-Float conversion,
    including Kernel#Float and String#to_f. (Closes: #1009957)
  * CVE-2023-28756: a ReDoS issue was discovered in the Time
    component. The Time parser mishandles invalid URLs that have specific
    characters. It causes an increase in execution time for parsing
    strings to Time objects. (Closes: #1038408)
  * CVE-2024-27281: when parsing .rdoc_options (used for configuration in
    RDoc) as a YAML file, object injection and resultant remote code
    execution are possible because there are no restrictions on the
    classes that can be restored. (When loading the documentation cache,
    object injection and resultant remote code execution are also possible
    if there were a crafted cache.) (Closes: #1067802)
  * CVE-2024-27282: if attacker-supplied data is provided to the Ruby
    regex compiler, it is possible to extract arbitrary heap data relative
    to the start of the text, including pointers and sensitive strings.
    (Closes: #1069968)
  * Fix lintian error.

 -- Sylvain Beucler <beuc@debian.org>  Sat, 10 Aug 2024 19:35:38 +0200

ruby2.1 (2.1.5-2+deb8u13) jessie-security; urgency=high

  * Add length limit option for methods that parses
    date strings. (Fixes: CVE-2021-41817)
  * When parsing cookies, only decode the values.
    (Fixes: CVE-2021-41819)

 -- Utkarsh Gupta <utkarsh@debian.org>  Mon, 06 Dec 2021 06:01:41 +0530

ruby2.1 (2.1.5-2+deb8u12) jessie-security; urgency=high

  * Add patch to use File.open to fix the OS Command
    Injection vulnerability. (Fixes: CVE-2021-31799)
  * Add patch to fix StartTLS stripping vulnerability.
    (Fixes: CVE-2021-32066)
  * Add patch to ignore IP addresses in PASV responses
    by default. (Fixes: CVE-2021-31810)

 -- Utkarsh Gupta <utkarsh@debian.org>  Sun, 10 Oct 2021 18:13:06 +0530

ruby2.1 (2.1.5-2+deb8u11) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Add patch to fix a potential HTTP request smuggling
    vulnerability in WEBrick. (Fixes: CVE-2020-25613)

 -- Utkarsh Gupta <utkarsh@debian.org>  Thu, 01 Oct 2020 18:13:06 +0530

ruby2.1 (2.1.5-2+deb8u10) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix unsafe object creation vulnerability in JSON.
    (Fixes: CVE-2020-10663)

 -- Utkarsh Gupta <utkarsh@debian.org>  Wed, 29 Apr 2020 02:13:45 +0530

ruby2.1 (2.1.5-2+deb8u9) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Fix CVE-2016-2338: heap overflow vulnerability

 -- Abhijith PA <abhijith@debian.org>  Tue, 24 Mar 2020 17:09:41 +0100

ruby2.1 (2.1.5-2+deb8u8) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team. 
  * CVE-2019-15845
    path matching might pass in File.fnmatch and File.fnmatch? due
    to a NUL character injection
  * CVE-2019-16201
    A loop caused by a wrong regular expression could lead to a denial
    of service of a WEBrick service.
  * CVE-2019-16254
    This is the same issue as CVE-2017-17742, whose fix was not complete.
  * CVE-2019-16255
    Giving untrusted data to the first argument of Shell#[] and Shell#test
    might lead to a code injection vulnerability.

 -- Thorsten Alteholz <debian@alteholz.de>  Mon, 25 Nov 2019 19:03:02 +0100

ruby2.1 (2.1.5-2+deb8u7) jessie-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * Fix CVE-2019-8320, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324,
    CVE-2019-8325

 -- Abhijith PA <abhijith@debian.org>  Fri, 29 Mar 2019 11:56:38 +0530

ruby2.1 (2.1.5-2+deb8u6) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team. 
  * CVE-2018-16395
    Fix for OpenSSL::X509::Name equality check.
  * CVE-2018-16396
    Tainted flags are not propagated in Array#pack and String#unpack 
    with some directives.

 -- Thorsten Alteholz <debian@alteholz.de>  Fri, 26 Oct 2018 19:03:02 +0200

ruby2.1 (2.1.5-2+deb8u5) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2018-1000074.patch: fix Deserialization of Untrusted Data
    vulnerability in owner command that can result in code execution
    through specially crafted YAML files. (Closes: #895778)
  * CVE-2018-1000073.patch: fix directory traversal vulnerability
  * CVE-2016-2337.patch: fix arbitrary code execution in Tcl/Tk API

 -- Antoine Beaupré <anarcat@debian.org>  Mon, 27 Aug 2018 15:08:54 -0400

ruby2.1 (2.1.5-2+deb8u4) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * Fix multiple security issues:
  * CVE-2015-9096: SMTP command injection via CRLF sequences
  * CVE-2016-2339: Exploitable heap overflow in Fiddle::Function.new
    (Closes: #851161)
  * CVE-2016-7798: Fix IV Reuse in GCM Mode.
    Patch by Kazuki Yamaguchi <k@rhe.jp>
  * CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
  * CVE-2017-10784: lib/webrick/log.rb: sanitize any type of logs
  * CVE-2017-14033: asn1: fix out-of-bounds read in decoding
    constructed objects
  * CVE-2017-14064: Heap exposure vulnerability in generating JSON
  * CVE-2017-0903: Whitelist classes and symbols that are in Gem spec
    YAML
  * Fix multiple vulnerabilities in rubygems:
    - a DNS request hijacking vulnerability. (CVE-2017-0902)
    - an ANSI escape sequence vulnerability. (CVE-2017-0899)
    - a DoS vulnerability in the query command. (CVE-2017-0900)
    - a vulnerability in the gem installer that allowed a malicious gem to
      overwrite arbitrary files. (CVE-2017-0901)
  * CVE-2017-17405: Command injection in Net::FTP
  * CVE-2017-17790: Command injection in Hosts:new() by use of
    Kernel#open
  * CVE-2018-1000075: Strictly interpret octal fields in tar headers to
    avoid infinite loop
  * CVE-2018-1000076: Raise a security error when there are duplicate
    files in a package
  * CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
  * CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute
    when displayed via gem server.
  * CVE-2018-1000079: Directory Traversal vulnerability in gem
    installation that can result in the gem could write to arbitrary
    filesystem locations.
  * CVE-2018-8778: Buffer under-read in String#unpack
  * CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte
    in Dir
  * CVE-2018-6914: Unintentional file and directory creation with
    directory traversal in tempfile and tmpdir
  * CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
    UNIXServer and UNIXSocket
  * CVE-2018-8777: DoS by large request in WEBrick
  * CVE-2017-17742: HTTP response splitting in WEBrick

 -- Santiago Ruano Rincón <santiagorr@riseup.net>  Fri, 13 Jul 2018 15:55:10 +0200

ruby2.1 (2.1.5-2+deb8u3) jessie; urgency=low

  * Non-maintainer upload to fix security problem.
  * Fix CVE-2009-5147: DL::dlopen should not open a library with
    tainted library name in safe mode (Closes: #796344).  Based on
    patch used in DLA-299-1, which was pulled from upstream.
  * Fix CVE-2015-7551: Fiddle handles should not call functions with
    tainted function names (Closes: #796344).  Patch pulled from
    upstream.

 -- Petter Reinholdtsen <pere@debian.org>  Tue, 07 Jun 2016 11:00:04 +0200

ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high

  * Apply upstream patches to fix Request hijacking vulnerability in Rubygems
    [CVE-2015-3900] (Closes: #790119)

 -- Antonio Terceiro <terceiro@debian.org>  Wed, 29 Jul 2015 09:27:24 -0300

ruby2.1 (2.1.5-2+deb8u1) jessie-security; urgency=high

  * Fix vulnerabiity with overly permissive matching of hostnames in OpenSSL
    extension [CVE-2015-1855]
    - applied revision 50296 of upstream svn repository.

 -- Antonio Terceiro <terceiro@debian.org>  Fri, 17 Apr 2015 09:26:57 -0300

ruby2.1 (2.1.5-2) unstable; urgency=medium

  * Fix Segmentation fault after pack & ioctl & unpack (Closes: #781504)
    - apply r44804 from upstream svn
  * debian/upstream-changes: simpler and more accurate implementation

 -- Antonio Terceiro <terceiro@debian.org>  Tue, 31 Mar 2015 21:50:39 -0300

ruby2.1 (2.1.5-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2014-8090 Another Denial of Service XML Expansion
      (Closes: #770932)
    - Fixes build on SPARC (Closes: #769731)

 -- Antonio Terceiro <terceiro@debian.org>  Sat, 29 Nov 2014 12:30:39 -0200

ruby2.1 (2.1.4-1) unstable; urgency=high

  * New upstream version
    - CVE-2014-8080: Denial of Service in XML Expansion
    - Changes default settings in OpenSSL bindings to not use deprecated and
      insecure ciphers; avoids issues associated to CVE-2014-3566 (i.e. the
      "POODLE" bug in OpenSSL)

 -- Antonio Terceiro <terceiro@debian.org>  Wed, 29 Oct 2014 12:07:22 -0200

ruby2.1 (2.1.3-2) unstable; urgency=medium

  [ Sebastian Boehm ]
  * Install SystemTap tap file (Closes: #765862)

 -- Christian Hofstaedtler <zeha@debian.org>  Sun, 19 Oct 2014 20:07:50 +0200

ruby2.1 (2.1.3-1) unstable; urgency=medium

  * New upstream version

 -- Christian Hofstaedtler <zeha@debian.org>  Sat, 20 Sep 2014 16:55:47 +0200

ruby2.1 (2.1.2-4) unstable; urgency=medium

  [ Antonio Terceiro ]
  * Move libjs-jquery dependency from libruby2.1 to ruby2.1, and turn it into
    Recommends:. This way programs that link against libruby2.1 won't pull in
    libjs-jquery; OTOH those using rdoc (and thus needing libjs-jquery) would
    be already using ruby2.1 anyway.

  [ Christian Hofstaedtler ]
  * Update Vcs-Git URL, as we've moved from master2.1 to master.
  * Prepare libruby21.symbols for x32 (Closes: #759615)
  * Remove embedded copies of SSL certificates. Rubygems is advised by
    rubygems-integration to use the ca-certificates provided certificates.
    (Closes: #689074)

 -- Christian Hofstaedtler <zeha@debian.org>  Fri, 05 Sep 2014 03:06:30 +0200

ruby2.1 (2.1.2-3) unstable; urgency=medium

  [ Antonio Terceiro ]
  * debian/rules: call debian/split-tk-out.rb with $(baseruby) instead of
    `ruby` to actually support bootstrapping with ruby1.8 (and no `ruby`)
  * Break dependency loop (Closes: #747858)
    - ruby2.1: drop dependency on ruby
    - libruby2.1: drop dependency on ruby2.1

  [ Christian Hofstaedtler ]
  * Add missing man pages for gem, rdoc, testrb (Closes: #756053, #756815)
  * Correct ruby2.1's Multi-Arch flag to 'allowed' (Closes: #745360)

 -- Antonio Terceiro <terceiro@debian.org>  Thu, 14 Aug 2014 10:45:29 -0300

ruby2.1 (2.1.2-2) unstable; urgency=medium

  * Support bootstrapping with Ruby 1.8 (which builds with gcc only) if another
    Ruby is not available.

 -- Antonio Terceiro <terceiro@debian.org>  Thu, 15 May 2014 23:20:49 -0300

ruby2.1 (2.1.2-1) unstable; urgency=medium

  [ Christian Hofstaedtler ]
  * New upstream version
  * Update watch file

  [ Sebastian Boehm ]
  * Build with basic systemtap support. (Closes: #747232)

  [ Antonio Terceiro ]
  * 2.1 is now the main development branch

 -- Christian Hofstaedtler <zeha@debian.org>  Sat, 10 May 2014 15:51:13 +0200

ruby2.1 (2.1.1-4) unstable; urgency=medium

  * Use Debian copy of config.{guess,sub}
    Instead of downloading it from the Internet, which could be down or
    insecure. Thanks to Scott Kitterman for the report AND patch.
    (Closes: 745699)
  * Move jquery source file to d/missing-sources

 -- Christian Hofstaedtler <zeha@debian.org>  Fri, 25 Apr 2014 00:57:13 +0200

ruby2.1 (2.1.1-3) unstable; urgency=medium

  [ Antonio Terceiro ]
  * Disable rubygems-integration during the build. This fixes the install
    location of the gemspecs for the bundled libraries. (Closes: #745465)

 -- Christian Hofstaedtler <zeha@debian.org>  Tue, 22 Apr 2014 18:38:01 +0200

ruby2.1 (2.1.1-2) unstable; urgency=medium

  * Tie Tcl/Tk dependency to version 8.5, applying patch from Ubuntu.
    Thanks to Matthias Klose <doko@debian.org>

 -- Christian Hofstaedtler <zeha@debian.org>  Mon, 10 Mar 2014 13:38:41 +0100

ruby2.1 (2.1.1-1) unstable; urgency=medium

  * Imported Upstream version 2.1.1
  * Update lintian overrides

 -- Christian Hofstaedtler <zeha@debian.org>  Wed, 05 Mar 2014 18:22:58 +0100

ruby2.1 (2.1.0-2) unstable; urgency=medium

  * ruby2.1-dev: Depend on libgmp-dev.
    Thanks to John Leach <john@johnleach.co.uk>
  * Fix FTBFS with libreadline 6.x, by applying upstream r45225.

 -- Christian Hofstaedtler <zeha@debian.org>  Mon, 03 Mar 2014 21:10:32 +0100

ruby2.1 (2.1.0-1) unstable; urgency=medium

  * Upload to unstable.

 -- Christian Hofstaedtler <zeha@debian.org>  Sat, 22 Feb 2014 23:44:44 +0100

ruby2.1 (2.1.0-1~exp2) experimental; urgency=medium

  [ Antonio Terceiro ]
  * ruby2.1-dev: add missing dependency on libruby2.1

  [ Christian Hofstaedtler ]
  * Again depend on ruby without alternatives management
  * Tag 64bit-only symbols as such

 -- Christian Hofstaedtler <zeha@debian.org>  Thu, 13 Feb 2014 13:02:25 +0100

ruby2.1 (2.1.0-1~exp1) experimental; urgency=medium

  * New release train, branch off and rename everything to ruby2.1
    (Closes: #736664)
  * Build with GMP library for faster Bignum operations.
  * Target experimental as long as ruby 1:1.9.3.1 has not entered
    unstable, dropping the versioned dependency for now.

 -- Christian Hofstaedtler <zeha@debian.org>  Thu, 23 Jan 2014 19:25:19 +0100

ruby2.0 (2.0.0.484-1) UNRELEASED; urgency=medium

  [ Antonio Terceiro ]
  * New upstream snapshot.
  * Add patch by Yamashita Yuu to fix build against newer OpenSSL
    (Closes: #733372)

  [ Christian Hofstaedtler ]
  * Use any valid Ruby interpreter to bootstrap
  * Bump Standards-Version to 3.9.5 (no changes)
  * Add myself to Uploaders:
  * Add Dependencies to facilitate upgrades from 1.8
    * libruby2.0 now depends on ruby2.0
    * ruby2.0 now depends on ruby
  * Stop installing alternatives/symlinks for binaries:
    * /usr/bin/{ruby,erb,testrb,irb,rdoc,ri}

 -- Christian Hofstaedtler <zeha@debian.org>  Fri, 17 Jan 2014 16:35:57 +0100

ruby2.0 (2.0.0.353-1) unstable; urgency=low

  * New upstream release
    + Includes fix for Heap Overflow in Floating Point Parsing (CVE-2013-4164)
      Closes: #730190

 -- Antonio Terceiro <terceiro@debian.org>  Mon, 25 Nov 2013 22:34:25 -0300

ruby2.0 (2.0.0.343-1) unstable; urgency=low

  * New upstream version (snapshot from 2.0 maintainance branch).
  * fix typo in ruby2.0-tcltk description
  * Backported upstream patches from Tanaka Akira to fix FTBFS on:
    - GNU/kFreeBSD (Closes: #726095)
    - x32 (Closes: #727010)
  * Make date for io-console gemspec predictable (Closes: #724974)
  * libruby2.0 now depends on libjs-jquery because of rdoc (Closes: #725056)
  * Backport upstream patch by Nobuyoshi Nakada to fix include directory in
    `pkg-config --cflags` (Closes: #725166)
  * Document missing licenses in debian/copyright (Closes: #723161)
  * debian/libruby2.0.symbols: add new symbol rb_exec_recursive_paired_outer
    (not in the public API though)

 -- Antonio Terceiro <terceiro@debian.org>  Tue, 05 Nov 2013 20:33:23 -0300

ruby2.0 (2.0.0.299-2) unstable; urgency=low

  * Split Ruby/Tk out of libruby2.0 into its own package, ruby2.0-tcltk. This
    will reduce the footprint of a basic Ruby installation.

 -- Antonio Terceiro <terceiro@debian.org>  Sun, 15 Sep 2013 22:09:57 -0300

ruby2.0 (2.0.0.299-1) unstable; urgency=low

  * New upstream release
    + Includes a fix for override of existing LDFLAGS when building compiled
      extensions that use pkg-config (Closes: #721799).
  * debian/rules: forward-port to tcl/tk packages with multi-arch support.
    Thanks to Tristan Hill for reporting on build for Ubuntu saucy
  * debian/control: ruby2.0 now provides ruby-interpreter
  * Now using tarballs generated from the git mirror.
    + The released tarballs will modify shipped files on clean. Without this
      we can stop messing around with files that need to be recovered after a
      `debian/rules clean` to make them match the orig tarball and avoid
      spurious diffs.
    + This also lets us drop the diffs against generated files such as
      tool/config.* and configure.
    + documented in debian/README.source
  * debian/libruby2.0.symbols: refreshed with 2 new symbols added since last
    version.

 -- Antonio Terceiro <terceiro@debian.org>  Sun, 08 Sep 2013 12:38:34 -0300

ruby2.0 (2.0.0.247-1) unstable; urgency=low

  * Initial release (Closes: #697703)

 -- Antonio Terceiro <terceiro@debian.org>  Mon, 07 Jan 2013 14:48:51 -0300
