Package "ruby2.5-doc"

  ruby2.5 (2.5.1-1ubuntu1.9) bionic-security; urgency=medium

  * SECURITY UPDATE: XML round-trip vulnerability in REXML
    - debian/patches/CVE-2021-28965.patch: update to REXML 3.1.7.4.
    - CVE-2021-28965

 -- Marc Deslauriers <email address hidden> Thu, 15 Apr 2021 10:09:08 -0400

  ruby2.5 (2.5.1-1ubuntu1.8) bionic-security; urgency=medium

  * SECURITY UPDATE: Unsafe Object Creation Vulnerability in JSON gem
    - debian/patches/CVE-2020-10663.patch: set json->create_additions to 0
      in ext/json/parser/parser.c, ext/json/parser/parser.rl.
    - CVE-2020-10663
  * SECURITY UPDATE: sensitive info disclosure in BasicSocket#read_nonblock
    - debian/patches/CVE-2020-10933.patch: do not return uninitialized
      buffer in ext/socket/init.c.
    - CVE-2020-10933
  * SECURITY UPDATE: HTTP Request Smuggling attack in WEBrick
    - debian/patches/CVE-2020-25613.patch: make it more strict to interpret
      some headers in lib/webrick/httprequest.rb.
    - CVE-2020-25613

 -- Marc Deslauriers <email address hidden> Tue, 16 Mar 2021 10:59:21 -0400

  ruby2.5 (2.5.1-1ubuntu1.6) bionic-security; urgency=medium

  * SECURITY UPDATE: NULL injection vulnerability
    - debian/patches/CVE-2019-15845.patch: ensure that
      pattern does not contain a NULL character in dir.c,
      test/ruby/test_fnmatch.rb.
    - CVE-2019-15845
  * SECURITY UPDATE: Denial of service vulnerability
    - debian/patches/CVE-2019-16201.patch: fix in
      lib/webrick/httpauth/digestauth.rb,
      test/webrick/test_httpauth.rb.
    - CVE-2019-16201.patch
  * SECURITY UPDATE: HTTP response splitting in WEBrick
    - debian/patches/CVE-2019-16254.patch: prevent response
      splitting and header injection in lib/webrick/httpresponse.rb,
      test/webrick/test_httpresponse.rb.
    - CVE-2019-16254
  * SECURITY UPDATE: Code injection
    - debian/patches/CVE-2019-16255.patch: prevent unknown command
      in lib/shell/command-processor.rb, test/shell/test_command_processor.rb.
    - CVE-2019-16255

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 26 Nov 2019 09:32:04 -0300

  ruby2.5 (2.5.1-1ubuntu1.5) bionic; urgency=medium

  * Add d/p/restore_buffer_newline_check.patch to fix failure sending
    files with mixed newline encoding styles; this regression was
    introduced by 0009-openssl-sync-with-upstream-repository.patch.
    (LP: #1835968)

 -- Bryce Harrington <email address hidden> Thu, 25 Jul 2019 16:06:31 -0700

  ruby2.5 (2.5.1-1ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Delete directory using symlink when decompressing tar,
    Escape sequence injection vulnerability in gem owner, Escape sequence
    injection vulnerability in API response handling, Arbitrary code exec,
    Escape sequence injection vulnerability in errors
    - debian/patches/CVE-2019-8320-25.patch: fix in
      lib/rubygems/command_manager.rb,
      lib/rubygems/commands/owner_command.rb,
      lib/rubygems/gemcutter_utilities.rb,
      lib/rubygems/installer.rb,
      lib/rubygems/package.rb,
      test/rubygems/test_gem_installer.rb,
      test/rubygems/test_gem_package.rb,
      test/rubygems/test_gem_text.rb.
    - CVE-2019-8320
    - CVE-2019-8321
    - CVE-2019-8322
    - CVE-2019-8323
    - CVE-2019-8324
    - CVE-2019-8325
  * Fixing expired SSL certs
    - debian/patches/fixing_expired_SSL_certs.patch: fix in
      test/net/fixtures/cacert.pem, test/net/fixtures/server.crt,
      test/net/fixtures/server.key.

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 01 Apr 2019 11:13:08 -0300