Use _setjmp by default to use the setjmp xor cookie.
This was already done for powerpc and powerpc64 to work around a
segfault, but it seems to be a good practice on all arches.
ok gkoehler@
clang-11's __builtin_setjmp is broken, has chance of SIGSEGV during
"make build" on powerpc with ld.lld, or when passing a wrong option
(like "ruby -e" with no -e code) on powerpc64.
ok jeremy@ (maintainer)
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
there may be some missing as my unpacked ports source is a little out of date
but this should catch the main things people might run into
the struct was reordered a second time in sysctl.h r1.192 to improve
compatibility but amd64 snapshot packages made it out before that happened
so the bumps are still needed
Changes in thread internals between ruby 2.5 and 2.6 resulted in
ruby processes not waking up when receiving some signals. Fix
this by backporting an upstream patch. Remove three patches to
the tests that skipped tests. Two of these issues were fixed by
this upstream patch, and the other was fixed by the pthread fifo
fdlock fix.
Fixes the following vulnerabilities in rubygems:
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors