* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick.s Digest access authentication
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick.s Digest access authentication
* CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
* CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
* CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
* CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick.s Digest access authentication
there may be some missing as my unpacked ports source is a little out of date
but this should catch the main things people might run into
the struct was reordered a second time in sysctl.h r1.192 to improve
compatibility but amd64 snapshot packages made it out before that happened
so the bumps are still needed
Changes in thread internals between ruby 2.5 and 2.6 resulted in
ruby processes not waking up when receiving some signals. Fix
this by backporting an upstream patch. Remove three patches to
the tests that skipped tests. Two of these issues were fixed by
this upstream patch, and the other was fixed by the pthread fifo
fdlock fix.
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
Fixes the following vulnerabilities in rubygems:
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
Fixes the following vulnerabilities in rubygems:
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
This fixes the following CVEs: 2017-17742, 2018-6914, 2018-8777,
2018-8778, 2018-8779, and 2018-8780.
While here, switch HOMEPAGE and MASTER_SITES from http to https,
requested by tj@.
have, but Ruby was guarding this by a single function check for
X509_STORE_set_ex_data. In most cases they are doing nice checks in
extconf.rb for the exact function so convert to doing the same here.
sets HAVE_X509_STORE_SET_EX_DATA though we don't actually have it yet, causing
undefined symbol when running ruby as part of "make fake" to generate docs.
