import ruby-2.5.9-109.module+el8.5.0+14275+d9c243ca
This commit is contained in:
parent
4220e71242
commit
833b077660
@ -0,0 +1,247 @@
|
||||
commit be5a83e84a34091f2a4e3c6dfb911b20e78e690c
|
||||
Author: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
|
||||
Date: Wed Jul 7 10:34:08 2021 +0000
|
||||
|
||||
Ignore IP addresses in PASV responses by default, and add new option use_pasv_ip
|
||||
|
||||
This fixes CVE-2021-31810.
|
||||
Reported by Alexandr Savca.
|
||||
|
||||
Co-authored-by: Shugo Maeda <shugo@ruby-lang.org>
|
||||
|
||||
|
||||
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67949 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
||||
|
||||
diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb
|
||||
index e68d825dcf..c5d669d898 100644
|
||||
--- a/lib/net/ftp.rb
|
||||
+++ b/lib/net/ftp.rb
|
||||
@@ -97,6 +97,10 @@ class FTP < Protocol
|
||||
# When +true+, the connection is in passive mode. Default: +true+.
|
||||
attr_accessor :passive
|
||||
|
||||
+ # When +true+, use the IP address in PASV responses. Otherwise, it uses
|
||||
+ # the same IP address for the control connection. Default: +false+.
|
||||
+ attr_accessor :use_pasv_ip
|
||||
+
|
||||
# When +true+, all traffic to and from the server is written
|
||||
# to +$stdout+. Default: +false+.
|
||||
attr_accessor :debug_mode
|
||||
@@ -205,6 +209,9 @@ def FTP.open(host, *args)
|
||||
# handshake.
|
||||
# See Net::FTP#ssl_handshake_timeout for
|
||||
# details. Default: +nil+.
|
||||
+ # use_pasv_ip:: When +true+, use the IP address in PASV responses.
|
||||
+ # Otherwise, it uses the same IP address for the control
|
||||
+ # connection. Default: +false+.
|
||||
# debug_mode:: When +true+, all traffic to and from the server is
|
||||
# written to +$stdout+. Default: +false+.
|
||||
#
|
||||
@@ -265,6 +272,7 @@ def initialize(host = nil, user_or_options = {}, passwd = nil, acct = nil)
|
||||
@open_timeout = options[:open_timeout]
|
||||
@ssl_handshake_timeout = options[:ssl_handshake_timeout]
|
||||
@read_timeout = options[:read_timeout] || 60
|
||||
+ @use_pasv_ip = options[:use_pasv_ip] || false
|
||||
if host
|
||||
connect(host, options[:port] || FTP_PORT)
|
||||
if options[:username]
|
||||
@@ -1330,7 +1338,12 @@ def parse227(resp) # :nodoc:
|
||||
raise FTPReplyError, resp
|
||||
end
|
||||
if m = /\((?<host>\d+(,\d+){3}),(?<port>\d+,\d+)\)/.match(resp)
|
||||
- return parse_pasv_ipv4_host(m["host"]), parse_pasv_port(m["port"])
|
||||
+ if @use_pasv_ip
|
||||
+ host = parse_pasv_ipv4_host(m["host"])
|
||||
+ else
|
||||
+ host = @bare_sock.remote_address.ip_address
|
||||
+ end
|
||||
+ return host, parse_pasv_port(m["port"])
|
||||
else
|
||||
raise FTPProtoError, resp
|
||||
end
|
||||
diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb
|
||||
index a5219644bb..b3fe7774ed 100644
|
||||
--- a/test/net/ftp/test_ftp.rb
|
||||
+++ b/test/net/ftp/test_ftp.rb
|
||||
@@ -61,7 +61,7 @@ def test_connect_fail
|
||||
end
|
||||
|
||||
def test_parse227
|
||||
- ftp = Net::FTP.new
|
||||
+ ftp = Net::FTP.new(nil, use_pasv_ip: true)
|
||||
host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)")
|
||||
assert_equal("192.168.0.1", host)
|
||||
assert_equal(3106, port)
|
||||
@@ -80,6 +80,14 @@ def test_parse227
|
||||
assert_raise(Net::FTPProtoError) do
|
||||
ftp.send(:parse227, "227 ) foo bar (")
|
||||
end
|
||||
+
|
||||
+ ftp = Net::FTP.new
|
||||
+ sock = OpenStruct.new
|
||||
+ sock.remote_address = OpenStruct.new
|
||||
+ sock.remote_address.ip_address = "10.0.0.1"
|
||||
+ ftp.instance_variable_set(:@bare_sock, sock)
|
||||
+ host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)")
|
||||
+ assert_equal("10.0.0.1", host)
|
||||
end
|
||||
|
||||
def test_parse228
|
||||
@@ -2360,10 +2368,155 @@ def test_puttextfile_command_injection
|
||||
end
|
||||
end
|
||||
|
||||
+ def test_ignore_pasv_ip
|
||||
+ commands = []
|
||||
+ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
|
||||
+ server = create_ftp_server(nil, "127.0.0.1") { |sock|
|
||||
+ sock.print("220 (test_ftp).\r\n")
|
||||
+ commands.push(sock.gets)
|
||||
+ sock.print("331 Please specify the password.\r\n")
|
||||
+ commands.push(sock.gets)
|
||||
+ sock.print("230 Login successful.\r\n")
|
||||
+ commands.push(sock.gets)
|
||||
+ sock.print("200 Switching to Binary mode.\r\n")
|
||||
+ line = sock.gets
|
||||
+ commands.push(line)
|
||||
+ data_server = TCPServer.new("127.0.0.1", 0)
|
||||
+ port = data_server.local_address.ip_port
|
||||
+ sock.printf("227 Entering Passive Mode (999,0,0,1,%s).\r\n",
|
||||
+ port.divmod(256).join(","))
|
||||
+ commands.push(sock.gets)
|
||||
+ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n")
|
||||
+ conn = data_server.accept
|
||||
+ binary_data.scan(/.{1,1024}/nm) do |s|
|
||||
+ conn.print(s)
|
||||
+ end
|
||||
+ conn.shutdown(Socket::SHUT_WR)
|
||||
+ conn.read
|
||||
+ conn.close
|
||||
+ data_server.close
|
||||
+ sock.print("226 Transfer complete.\r\n")
|
||||
+ }
|
||||
+ begin
|
||||
+ begin
|
||||
+ ftp = Net::FTP.new
|
||||
+ ftp.passive = true
|
||||
+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
|
||||
+ ftp.connect("127.0.0.1", server.port)
|
||||
+ ftp.login
|
||||
+ assert_match(/\AUSER /, commands.shift)
|
||||
+ assert_match(/\APASS /, commands.shift)
|
||||
+ assert_equal("TYPE I\r\n", commands.shift)
|
||||
+ buf = ftp.getbinaryfile("foo", nil)
|
||||
+ assert_equal(binary_data, buf)
|
||||
+ assert_equal(Encoding::ASCII_8BIT, buf.encoding)
|
||||
+ assert_equal("PASV\r\n", commands.shift)
|
||||
+ assert_equal("RETR foo\r\n", commands.shift)
|
||||
+ assert_equal(nil, commands.shift)
|
||||
+ ensure
|
||||
+ ftp.close if ftp
|
||||
+ end
|
||||
+ ensure
|
||||
+ server.close
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
+ def test_use_pasv_ip
|
||||
+ commands = []
|
||||
+ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
|
||||
+ server = create_ftp_server(nil, "127.0.0.1") { |sock|
|
||||
+ sock.print("220 (test_ftp).\r\n")
|
||||
+ commands.push(sock.gets)
|
||||
+ sock.print("331 Please specify the password.\r\n")
|
||||
+ commands.push(sock.gets)
|
||||
+ sock.print("230 Login successful.\r\n")
|
||||
+ commands.push(sock.gets)
|
||||
+ sock.print("200 Switching to Binary mode.\r\n")
|
||||
+ line = sock.gets
|
||||
+ commands.push(line)
|
||||
+ data_server = TCPServer.new("127.0.0.1", 0)
|
||||
+ port = data_server.local_address.ip_port
|
||||
+ sock.printf("227 Entering Passive Mode (127,0,0,1,%s).\r\n",
|
||||
+ port.divmod(256).join(","))
|
||||
+ commands.push(sock.gets)
|
||||
+ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n")
|
||||
+ conn = data_server.accept
|
||||
+ binary_data.scan(/.{1,1024}/nm) do |s|
|
||||
+ conn.print(s)
|
||||
+ end
|
||||
+ conn.shutdown(Socket::SHUT_WR)
|
||||
+ conn.read
|
||||
+ conn.close
|
||||
+ data_server.close
|
||||
+ sock.print("226 Transfer complete.\r\n")
|
||||
+ }
|
||||
+ begin
|
||||
+ begin
|
||||
+ ftp = Net::FTP.new
|
||||
+ ftp.passive = true
|
||||
+ ftp.use_pasv_ip = true
|
||||
+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
|
||||
+ ftp.connect("127.0.0.1", server.port)
|
||||
+ ftp.login
|
||||
+ assert_match(/\AUSER /, commands.shift)
|
||||
+ assert_match(/\APASS /, commands.shift)
|
||||
+ assert_equal("TYPE I\r\n", commands.shift)
|
||||
+ buf = ftp.getbinaryfile("foo", nil)
|
||||
+ assert_equal(binary_data, buf)
|
||||
+ assert_equal(Encoding::ASCII_8BIT, buf.encoding)
|
||||
+ assert_equal("PASV\r\n", commands.shift)
|
||||
+ assert_equal("RETR foo\r\n", commands.shift)
|
||||
+ assert_equal(nil, commands.shift)
|
||||
+ ensure
|
||||
+ ftp.close if ftp
|
||||
+ end
|
||||
+ ensure
|
||||
+ server.close
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
+ def test_use_pasv_invalid_ip
|
||||
+ commands = []
|
||||
+ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
|
||||
+ server = create_ftp_server(nil, "127.0.0.1") { |sock|
|
||||
+ sock.print("220 (test_ftp).\r\n")
|
||||
+ commands.push(sock.gets)
|
||||
+ sock.print("331 Please specify the password.\r\n")
|
||||
+ commands.push(sock.gets)
|
||||
+ sock.print("230 Login successful.\r\n")
|
||||
+ commands.push(sock.gets)
|
||||
+ sock.print("200 Switching to Binary mode.\r\n")
|
||||
+ line = sock.gets
|
||||
+ commands.push(line)
|
||||
+ sock.print("227 Entering Passive Mode (999,0,0,1,48,57).\r\n")
|
||||
+ commands.push(sock.gets)
|
||||
+ }
|
||||
+ begin
|
||||
+ begin
|
||||
+ ftp = Net::FTP.new
|
||||
+ ftp.passive = true
|
||||
+ ftp.use_pasv_ip = true
|
||||
+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait
|
||||
+ ftp.connect("127.0.0.1", server.port)
|
||||
+ ftp.login
|
||||
+ assert_match(/\AUSER /, commands.shift)
|
||||
+ assert_match(/\APASS /, commands.shift)
|
||||
+ assert_equal("TYPE I\r\n", commands.shift)
|
||||
+ assert_raise(SocketError) do
|
||||
+ ftp.getbinaryfile("foo", nil)
|
||||
+ end
|
||||
+ ensure
|
||||
+ ftp.close if ftp
|
||||
+ end
|
||||
+ ensure
|
||||
+ server.close
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
private
|
||||
|
||||
- def create_ftp_server(sleep_time = nil)
|
||||
- server = TCPServer.new(SERVER_ADDR, 0)
|
||||
+ def create_ftp_server(sleep_time = nil, addr = SERVER_ADDR)
|
||||
+ server = TCPServer.new(addr, 0)
|
||||
@thread = Thread.start do
|
||||
if sleep_time
|
||||
sleep(sleep_time)
|
@ -0,0 +1,101 @@
|
||||
commit 95ba9053e20ad8d113af37b3f1f4cbfff1f6a8f1
|
||||
Author: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
|
||||
Date: Wed Jul 7 10:38:10 2021 +0000
|
||||
|
||||
Fix StartTLS stripping vulnerability
|
||||
|
||||
Reported by Alexandr Savca in https://hackerone.com/reports/1178562
|
||||
|
||||
Co-authored-by: Shugo Maeda <shugo@ruby-lang.org>
|
||||
|
||||
|
||||
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67950 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
||||
|
||||
diff --git a/lib/net/imap.rb b/lib/net/imap.rb
|
||||
index 1c7e89ba14..91df89b79e 100644
|
||||
--- a/lib/net/imap.rb
|
||||
+++ b/lib/net/imap.rb
|
||||
@@ -1213,12 +1213,14 @@ def get_tagged_response(tag, cmd)
|
||||
end
|
||||
resp = @tagged_responses.delete(tag)
|
||||
case resp.name
|
||||
+ when /\A(?:OK)\z/ni
|
||||
+ return resp
|
||||
when /\A(?:NO)\z/ni
|
||||
raise NoResponseError, resp
|
||||
when /\A(?:BAD)\z/ni
|
||||
raise BadResponseError, resp
|
||||
else
|
||||
- return resp
|
||||
+ raise UnknownResponseError, resp
|
||||
end
|
||||
end
|
||||
|
||||
@@ -3714,6 +3716,10 @@ class BadResponseError < ResponseError
|
||||
class ByeResponseError < ResponseError
|
||||
end
|
||||
|
||||
+ # Error raised upon an unknown response from the server.
|
||||
+ class UnknownResponseError < ResponseError
|
||||
+ end
|
||||
+
|
||||
RESPONSE_ERRORS = Hash.new(ResponseError)
|
||||
RESPONSE_ERRORS["NO"] = NoResponseError
|
||||
RESPONSE_ERRORS["BAD"] = BadResponseError
|
||||
diff --git a/test/net/imap/test_imap.rb b/test/net/imap/test_imap.rb
|
||||
index 936f4e0f42..81928cb8fe 100644
|
||||
--- a/test/net/imap/test_imap.rb
|
||||
+++ b/test/net/imap/test_imap.rb
|
||||
@@ -127,6 +127,24 @@ def test_starttls
|
||||
imap.disconnect
|
||||
end
|
||||
end
|
||||
+
|
||||
+ def test_starttls_stripping
|
||||
+ starttls_stripping_test do |port|
|
||||
+ imap = Net::IMAP.new("localhost", :port => port)
|
||||
+ assert_raise(Net::IMAP::UnknownResponseError) do
|
||||
+ imap.starttls(:ca_file => CA_FILE)
|
||||
+ end
|
||||
+ imap
|
||||
+ end
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
+ def start_server
|
||||
+ th = Thread.new do
|
||||
+ yield
|
||||
+ end
|
||||
+ @threads << th
|
||||
+ sleep 0.1 until th.stop?
|
||||
end
|
||||
|
||||
def test_unexpected_eof
|
||||
@@ -760,6 +760,27 @@ def starttls_test
|
||||
end
|
||||
end
|
||||
|
||||
+ def starttls_stripping_test
|
||||
+ server = create_tcp_server
|
||||
+ port = server.addr[1]
|
||||
+ start_server do
|
||||
+ sock = server.accept
|
||||
+ begin
|
||||
+ sock.print("* OK test server\r\n")
|
||||
+ sock.gets
|
||||
+ sock.print("RUBY0001 BUG unhandled command\r\n")
|
||||
+ ensure
|
||||
+ sock.close
|
||||
+ server.close
|
||||
+ end
|
||||
+ end
|
||||
+ begin
|
||||
+ imap = yield(port)
|
||||
+ ensure
|
||||
+ imap.disconnect if imap && !imap.disconnected?
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
def create_tcp_server
|
||||
return TCPServer.new(server_addr, 0)
|
||||
end
|
@ -0,0 +1,88 @@
|
||||
commit fe3c49c9baeeab58304ede915b7edd18ecf360fc
|
||||
Author: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
|
||||
Date: Sat Jul 3 17:10:28 2021 +0000
|
||||
|
||||
merge revision(s) b1c73f23,c9ab8fe2: [Backport #17877]
|
||||
|
||||
[ruby/rdoc] Use File.open to fix the OS Command Injection vulnerability in CVE-2021-31799
|
||||
|
||||
https://github.com/ruby/rdoc/commit/a7f5d6ab88
|
||||
|
||||
The test for command injection on Unix platforms should be omitted on Windows
|
||||
|
||||
|
||||
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67947 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
||||
|
||||
diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
|
||||
index ca2c1abefd..46aace7839 100644
|
||||
--- a/lib/rdoc/rdoc.rb
|
||||
+++ b/lib/rdoc/rdoc.rb
|
||||
@@ -436,7 +436,7 @@ def remove_unparseable files
|
||||
files.reject do |file|
|
||||
file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or
|
||||
(file =~ /tags$/i and
|
||||
- open(file, 'rb') { |io|
|
||||
+ File.open(file, 'rb') { |io|
|
||||
io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
|
||||
})
|
||||
end
|
||||
--- a/lib/rdoc/encoding.rb 2022-02-16 16:51:28.080178281 +0100
|
||||
+++ b/lib/rdoc/encoding.rb 2022-02-16 16:51:37.108160840 +0100
|
||||
@@ -18,7 +18,7 @@
|
||||
# unknown character in the target encoding will be replaced with '?'
|
||||
|
||||
def self.read_file filename, encoding, force_transcode = false
|
||||
- content = open filename, "rb" do |f| f.read end
|
||||
+ content = File.open filename, "rb" do |f| f.read end
|
||||
content.gsub!("\r\n", "\n") if RUBY_PLATFORM =~ /mswin|mingw/
|
||||
|
||||
utf8 = content.sub!(/\A\xef\xbb\xbf/, '')
|
||||
--- a/lib/rdoc/parser.rb 2021-04-05 13:46:35.000000000 +0200
|
||||
+++ b/lib/rdoc/parser.rb 2022-02-16 15:37:17.904822389 +0100
|
||||
@@ -74,7 +74,12 @@
|
||||
def self.binary?(file)
|
||||
return false if file =~ /\.(rdoc|txt)$/
|
||||
|
||||
- s = File.read(file, 1024) or return false
|
||||
+ begin
|
||||
+ open_file = File.open(file)
|
||||
+ s = open_file.read(1024) or return false
|
||||
+ ensure
|
||||
+ open_file.close if open_file
|
||||
+ end
|
||||
|
||||
return true if s[0, 2] == Marshal.dump('')[0, 2] or s.index("\x00")
|
||||
|
||||
@@ -92,7 +97,8 @@
|
||||
# http://www.garykessler.net/library/file_sigs.html
|
||||
|
||||
def self.zip? file
|
||||
- zip_signature = File.read file, 4
|
||||
+ zip_signature = ''
|
||||
+ File.open(file) { |f| zip_signature = f.read(4) }
|
||||
|
||||
zip_signature == "PK\x03\x04" or
|
||||
zip_signature == "PK\x05\x06" or
|
||||
diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
|
||||
index 3bce54b243..123b1a4f87 100644
|
||||
--- a/test/rdoc/test_rdoc_rdoc.rb
|
||||
+++ b/test/rdoc/test_rdoc_rdoc.rb
|
||||
@@ -366,6 +366,18 @@ def test_remove_unparseable_tags_vim
|
||||
end
|
||||
end
|
||||
|
||||
+ def test_remove_unparseable_CVE_2021_31799
|
||||
+ skip 'for Un*x platforms' if Gem.win_platform?
|
||||
+ temp_dir do
|
||||
+ file_list = ['| touch evil.txt && echo tags']
|
||||
+ file_list.each do |f|
|
||||
+ FileUtils.touch f
|
||||
+ end
|
||||
+ assert_equal file_list, @rdoc.remove_unparseable(file_list)
|
||||
+ assert_equal file_list, Dir.children('.')
|
||||
+ end
|
||||
+ end
|
||||
+
|
||||
def test_setup_output_dir
|
||||
Dir.mktmpdir {|d|
|
||||
path = File.join d, 'testdir'
|
@ -21,7 +21,7 @@
|
||||
%endif
|
||||
|
||||
|
||||
%global release 107
|
||||
%global release 109
|
||||
|
||||
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
|
||||
|
||||
@ -178,6 +178,16 @@ Patch28: ruby-2.5.9-revert-stop-the-error-due-to-openssl-1-1-1h.patch
|
||||
# contains leading zero
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1950308
|
||||
Patch29: ruby-3.0.0-Convert-ip-addresses-to-canonical-form.patch
|
||||
# Fix CVE-2021-31799 rdoc: Command injection vulnerability in RDoc.
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1980839
|
||||
Patch30: ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch
|
||||
# Fix CVE-2021-32066 StartTLS stripping vulnerability in Net::IMAP.
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1980830
|
||||
Patch31: ruby-2.6.8-net-imap-startls-stripping-vulnerability.patch
|
||||
# Fix CVE-2021-31810 FTP PASV command response can cause Net::FTP to connect
|
||||
# to arbitrary host.
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1980825
|
||||
Patch32: ruby-2.6.8-net-ftp-pasv-can-connect-to-arbitrary-host.patch
|
||||
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Suggests: rubypick
|
||||
@ -577,6 +587,9 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
|
||||
%patch27 -p1
|
||||
%patch28 -p1 -R
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
|
||||
# Provide an example of usage of the tapset:
|
||||
cp -a %{SOURCE3} .
|
||||
@ -1129,6 +1142,18 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
|
||||
%{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec
|
||||
|
||||
%changelog
|
||||
* Wed Feb 16 2022 Jarek Prokop <jprokop@redhat.com> - 2.5.9-109
|
||||
- Properly fix command injection vulnerability in Rdoc.
|
||||
Related: CVE-2021-31799
|
||||
|
||||
* Wed Feb 09 2022 Jarek Prokop <jprokop@redhat.com> - 2.5.9-108
|
||||
- Fix command injection vulnerability in RDoc.
|
||||
Resolves: CVE-2021-31799
|
||||
- Fix StartTLS stripping vulnerability in Net::IMAP
|
||||
Resolves: CVE-2021-32066
|
||||
- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host.
|
||||
Resolves: CVE-2021-31810
|
||||
|
||||
* Mon Apr 19 2021 Pavel Valena <pvalena@redhat.com> - 2.5.9-107
|
||||
- Update to Ruby 2.5.9.
|
||||
* Remove Patch20: ruby-2.6.0-rdoc-6.0.1-fix-template-typo.patch; subsumed
|
||||
|
Loading…
Reference in New Issue
Block a user