Peter Korsgaard
dc487302b6
package/ruby: security bump to version 2.4.9
Fixes the following security vulnerability:
(Bundled jquery)
- CVE-2012-6708: jQuery before 1.9.0 is vulnerable to Cross-site Scripting
(XSS) attacks. The jQuery(strInput) function does not differentiate
selectors from HTML in a reliable fashion. In vulnerable versions, jQuery
determined whether the input was HTML by looking for the '<' character
anywhere in the string, giving attackers more flexibility when attempting
to construct a malicious payload. In fixed versions, jQuery only deems
the input to be HTML if it explicitly starts with the '<' character,
limiting exploitability only to attackers who can control the beginning of
a string, which is far less common.
- CVE-2015-9251: jQuery before 3.0.0 is vulnerable to Cross-site Scripting
(XSS) attacks when a cross-domain Ajax request is performed without the
dataType option, causing text/javascript responses to be executed.
https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/
- CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
- CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
- CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
- CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick's Digest access authentication
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
2.4.9 fixes a packaging bug in 2.4.8:
https://www.ruby-lang.org/en/news/2019/10/02/ruby-2-4-9-released/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-10-05 16:41:53 +02:00
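As an added illustration of the CVE-2012-6708 distinction described in the commit message above (example code, not code from jQuery, rdoc, Ruby or Buildroot), the two HTML-versus-selector heuristics reduced to the one property the advisory text names (where a '<' is allowed to appear), run against a constructed `location.hash`-style payload, together with the allowlist check a caller should apply before handing untrusted input to `jQuery()`. The leading-whitespace tolerance in the fixed heuristic and the allowlist regex are assumptions for this example, not quotes of jQuery's real expressions.

```javascript
// Added example, not jQuery's or Ruby's code. Models the CVE-2012-6708
// heuristics as the advisory describes them; real jQuery regexes are omitted.

// Pre-1.9.0 behaviour as described: a '<' anywhere marks the input as HTML.
function treatsAsHtmlBefore190(input) {
  return input.indexOf('<') !== -1;
}

// Fixed behaviour as described: only input that starts with '<' is HTML.
// Skipping leading whitespace is an assumption of this example.
function treatsAsHtmlFixed(input) {
  return input.trimStart().startsWith('<');
}

// How jQuery(strInput) would route the argument under a given heuristic:
// 'html' means markup is parsed and elements (and their handlers) are created,
// 'selector' means the string goes to the selector engine instead.
function classify(input, heuristic) {
  return heuristic(input) ? 'html' : 'selector';
}

// Constructed payload: the attacker controls a URL fragment that the page
// passes to something like $(location.hash). It begins with '#', so it looks
// like an id selector, but carries markup further along.
const HOSTILE_FRAGMENT = '#results <img src=x onerror=alert(1)>';

// Constructed benign inputs for comparison.
const BENIGN_SELECTOR = '#results';
const BENIGN_HTML = '<div class="result"></div>';

// Caller-side allowlist (assumed shape): accept only a plain '#id' selector
// when the string comes from an untrusted source, otherwise return null so
// the caller refuses it instead of letting jQuery guess.
const SAFE_ID_SELECTOR = /^#[A-Za-z][\w-]*$/;
function safeIdSelector(input) {
  return SAFE_ID_SELECTOR.test(input) ? input : null;
}

// Run every input through both heuristics and the allowlist.
function demo() {
  return {
    hostileBefore190: classify(HOSTILE_FRAGMENT, treatsAsHtmlBefore190),  // 'html'
    hostileFixed: classify(HOSTILE_FRAGMENT, treatsAsHtmlFixed),          // 'selector'
    benignSelectorFixed: classify(BENIGN_SELECTOR, treatsAsHtmlFixed),    // 'selector'
    benignHtmlFixed: classify(BENIGN_HTML, treatsAsHtmlFixed),            // 'html'
    hostileAllowlisted: safeIdSelector(HOSTILE_FRAGMENT),                 // null
    benignAllowlisted: safeIdSelector(BENIGN_SELECTOR),                   // '#results'
  };
}

console.log(demo());
```

The fix narrows who can exploit the page, not whether the page is safe: an attacker who controls the start of the string still gets HTML parsing, so untrusted data should be validated against an allowlist (or looked up with a DOM API that never parses markup) rather than relying on jQuery's guess.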
Peter Korsgaard
9009823137
package/ruby: security bump to version 2.4.6
Fixes the following security issues:
- CVE-2019-8320: Delete directory using symlink when decompressing tar
- CVE-2019-8321: Escape sequence injection vulnerability in verbose
- CVE-2019-8322: Escape sequence injection vulnerability in gem owner
- CVE-2019-8323: Escape sequence injection vulnerability in API response handling
- CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
- CVE-2019-8325: Escape sequence injection vulnerability in errors
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-04-17 08:42:12 +02:00
Peter Korsgaard
646ae5a0b1
ruby: security bump to version 2.4.5
Fixes the following security issues:
- CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
- CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
Update hash of LEGAL as it had a few (wayback machine) URLs added/changed.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-30 21:05:19 +01:00
Peter Korsgaard
46cfed78b1
ruby: security bump to version 2.4.4
Fixes the following security issues:
CVE-2017-17405: Command injection vulnerability in Net::FTP (2.4.3):
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
CVE-2017-17742: HTTP response splitting in WEBrick (2.4.4):
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir (2.4.4):
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
CVE-2018-8777: DoS by large request in WEBrick (2.4.4):
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
CVE-2018-8778: Buffer under-read in String#unpack (2.4.4):
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket (2.4.4):
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
(2.4.4):
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
Multiple vulnerabilities in RubyGems (2.4.4):
https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-08-17 22:01:53 +02:00
Peter Korsgaard
f2c3530541
ruby: security bump to version 2.4.2
Fixed the following security issues:
CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure in generating JSON
For more details, see the release notes:
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-4-2-released/
Drop now upstreamed rubygems patches and add hashes for the license files
while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-11-12 17:52:28 +01:00
Vicente Olivert Riera
81de172d11
ruby: bump version to 2.4.1
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-03-22 23:12:29 +01:00
Vicente Olivert Riera
ca06126066
ruby: bump version to 2.4.0
The problem addressed by the 0001 patch has been fixed upstream, and that
fix is included in this release:
aa107497cd
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-01-13 16:19:02 +01:00
Vicente Olivert Riera
0085734dc9
ruby: bump version to 2.3.3
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-11-21 21:14:36 +01:00
Vicente Olivert Riera
cbe981184c
ruby: bump version to 2.3.2
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-11-15 22:48:46 +01:00
Gustavo Zacarias
22001b2632
ruby: bump to version 2.3.1
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-04-27 22:15:30 +02:00
Gustavo Zacarias
7f61488649
ruby: bump to version 2.3.0
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-01-08 20:28:50 +01:00
Gustavo Zacarias
3ce39dd048
ruby: security bump to version 2.2.4
Fixes:
CVE-2015-7551 - Unsafe tainted string usage in Fiddle and DL
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-12-17 12:56:25 +01:00
Gustavo Zacarias
ed5c939dfb
ruby: bump to version 2.2.3
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-09-01 13:11:57 +02:00
Gustavo Zacarias
2c06a807cc
ruby: security bump to version 2.2.2
Fixes:
CVE-2015-1855 - OpenSSL extension’s hostname verification vulnerability.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-14 10:06:35 +02:00
Gustavo Zacarias
ada937a94b
ruby: bump to version 2.2.1
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-03-03 21:55:45 +01:00
Gustavo Zacarias
98c1930e74
ruby: security bump to version 2.1.5
Fixes:
CVE-2014-8090 - Another Denial Of Service XML Expansion.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-13 22:39:18 +01:00
Gustavo Zacarias
8ba2a5c737
ruby: security bump to version 2.1.4
Fixes:
CVE-2014-8080 - Denial of service XML expansion
And change default ext/openssl settings WRT CVE-2014-3566.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-10-27 22:46:48 +01:00
Gustavo Zacarias
e651b2e532
ruby: bump to version 2.1.3
Also add hash file.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-10-02 12:06:46 +02:00