* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick.s Digest access authentication
there may be some missing as my unpacked ports source is a little out of date
but this should catch the main things people might run into
the struct was reordered a second time in sysctl.h r1.192 to improve
compatibility but amd64 snapshot packages made it out before that happened
so the bumps are still needed
Fixes the following vulnerabilities in rubygems:
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
This fixes the following CVEs: 2017-17742, 2018-6914, 2018-8777,
2018-8778, 2018-8779, and 2018-8780.
While here, switch HOMEPAGE and MASTER_SITES from http to https,
requested by tj@.
have, but Ruby was guarding this by a single function check for
X509_STORE_set_ex_data. In most cases they are doing nice checks in
extconf.rb for the exact function so convert to doing the same here.
sets HAVE_X509_STORE_SET_EX_DATA though we don't actually have it yet, causing
undefined symbol when running ruby as part of "make fake" to generate docs.
