rpms/ruby/devel ruby-1.8.6-CVE-2007-5162.patch, NONE, 1.1 .cvsignore, 1.20, 1.21 ruby.spec, 1.100, 1.101 sources, 1.19, 1.20 ruby-r12567.patch, 1.1, NONE
Akira Tagoh (tagoh)
fedora-extras-commits at redhat.com
Wed Oct 10 01:06:25 UTC 2007
Author: tagoh
Update of /cvs/pkgs/rpms/ruby/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21558
Modified Files:
.cvsignore ruby.spec sources
Added Files:
ruby-1.8.6-CVE-2007-5162.patch
Removed Files:
ruby-r12567.patch
Log Message:
* Wed Oct 10 2007 Akira TAGOH <tagoh at redhat.com> - 1.8.6.110-1
- New upstream release.
- ruby-r12567.patch: removed.
- ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is
insufficient verification of SSL certificate.
ruby-1.8.6-CVE-2007-5162.patch:
--- NEW FILE ruby-1.8.6-CVE-2007-5162.patch ---
diff -ruN ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb
--- ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb 2007-02-13 08:01:19.000000000 +0900
+++ ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb 2007-10-04 22:38:48.000000000 +0900
@@ -88,7 +88,7 @@
end
}
end
- raise SSLError, "hostname not match"
+ raise SSLError, "hostname not match with the server certificate"
end
end
diff -ruN ruby-1.8.6-p110.orig/lib/net/http.rb ruby-1.8.6-p110/lib/net/http.rb
--- ruby-1.8.6-p110.orig/lib/net/http.rb 2007-02-13 08:01:19.000000000 +0900
+++ ruby-1.8.6-p110/lib/net/http.rb 2007-10-04 22:41:34.000000000 +0900
@@ -470,6 +470,7 @@
@debug_output = nil
@use_ssl = false
@ssl_context = nil
+ @enable_post_connection_check = true
end
def inspect
@@ -526,6 +527,9 @@
false # redefined in net/https
end
+ # specify enabling SSL server certificate and hostname checking.
+ attr_accessor :enable_post_connection_check
+
# Opens TCP connection and HTTP session.
#
# When this method is called with block, gives a HTTP object
@@ -584,6 +588,14 @@
HTTPResponse.read_new(@socket).value
end
s.connect
+ if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+ begin
+ s.post_connection_check(@address)
+ rescue OpenSSL::SSL::SSLError => ex
+ raise ex if @enable_post_connection_check
+ warn ex.message
+ end
+ end
end
on_connect
end
diff -ruN ruby-1.8.6-p110.orig/lib/open-uri.rb ruby-1.8.6-p110/lib/open-uri.rb
--- ruby-1.8.6-p110.orig/lib/open-uri.rb 2007-02-13 08:01:19.000000000 +0900
+++ ruby-1.8.6-p110/lib/open-uri.rb 2007-10-04 22:42:18.000000000 +0900
@@ -229,6 +229,7 @@
if target.class == URI::HTTPS
require 'net/https'
http.use_ssl = true
+ http.enable_post_connection_check = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
store = OpenSSL::X509::Store.new
store.set_default_paths
@@ -240,16 +241,6 @@
resp = nil
http.start {
- if target.class == URI::HTTPS
- # xxx: information hiding violation
- sock = http.instance_variable_get(:@socket)
- if sock.respond_to?(:io)
- sock = sock.io # 1.9
- else
- sock = sock.instance_variable_get(:@socket) # 1.8
- end
- sock.post_connection_check(target_host)
- end
req = Net::HTTP::Get.new(request_uri, header)
if options.include? :http_basic_authentication
user, pass = options[:http_basic_authentication]
diff -ruN ruby-1.8.6-p110.orig/version.h ruby-1.8.6-p110/version.h
--- ruby-1.8.6-p110.orig/version.h 2007-09-23 09:01:50.000000000 +0900
+++ ruby-1.8.6-p110/version.h 2007-10-04 22:42:37.000000000 +0900
@@ -1,15 +1,15 @@
#define RUBY_VERSION "1.8.6"
-#define RUBY_RELEASE_DATE "2007-09-23"
+#define RUBY_RELEASE_DATE "2007-09-24"
#define RUBY_VERSION_CODE 186
-#define RUBY_RELEASE_CODE 20070923
-#define RUBY_PATCHLEVEL 110
+#define RUBY_RELEASE_CODE 20070924
+#define RUBY_PATCHLEVEL 111
#define RUBY_VERSION_MAJOR 1
#define RUBY_VERSION_MINOR 8
#define RUBY_VERSION_TEENY 6
#define RUBY_RELEASE_YEAR 2007
#define RUBY_RELEASE_MONTH 9
-#define RUBY_RELEASE_DAY 23
+#define RUBY_RELEASE_DAY 24
#ifdef RUBY_EXTERN
RUBY_EXTERN const char ruby_version[];
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/ruby/devel/.cvsignore,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- .cvsignore 20 Jun 2007 13:14:04 -0000 1.20
+++ .cvsignore 10 Oct 2007 01:05:17 -0000 1.21
@@ -14,3 +14,4 @@
ruby-1.8.5-p12.tar.gz
ruby-1.8.6.tar.bz2
ruby-1.8.6-p36.tar.bz2
+ruby-1.8.6-p110.tar.bz2
Index: ruby.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ruby/devel/ruby.spec,v
retrieving revision 1.100
retrieving revision 1.101
diff -u -r1.100 -r1.101
--- ruby.spec 23 Aug 2007 13:22:32 -0000 1.100
+++ ruby.spec 10 Oct 2007 01:05:17 -0000 1.101
@@ -1,7 +1,7 @@
%define manver 1.4.6
%define rubyxver 1.8
%define rubyver 1.8.6
-%define _patchlevel 36
+%define _patchlevel 110
%define dotpatchlevel %{?_patchlevel:.%{_patchlevel}}
%define patchlevel %{?_patchlevel:-p%{_patchlevel}}
%define sitedir %{_libdir}/ruby/site_ruby
@@ -11,7 +11,7 @@
Name: ruby
Version: %{rubyver}%{?dotpatchlevel}
-Release: 4%{?dist}
+Release: 1%{?dist}
License: Ruby or GPL+
URL: http://www.ruby-lang.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -36,7 +36,7 @@
Patch21: ruby-deprecated-sitelib-search-path.patch
Patch22: ruby-deprecated-search-path.patch
Patch23: ruby-multilib.patch
-Patch24: ruby-r12567.patch
+Patch24: ruby-1.8.6-CVE-2007-5162.patch
Summary: An interpreter of object-oriented scripting language
Group: Development/Languages
@@ -153,7 +153,7 @@
%patch22 -p1
%patch23 -p1
%endif
-%patch24 -p0
+%patch24 -p1
popd
%build
@@ -471,6 +471,12 @@
%endif
%changelog
+* Wed Oct 10 2007 Akira TAGOH <tagoh at redhat.com> - 1.8.6.110-1
+- New upstream release.
+ - ruby-r12567.patch: removed.
+- ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is
+ insufficient verification of SSL certificate.
+
* Thu Aug 23 2007 Akira TAGOH <tagoh at redhat.com> - 1.8.6.36-4
- Rebuild
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/ruby/devel/sources,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- sources 20 Jun 2007 13:14:04 -0000 1.19
+++ sources 10 Oct 2007 01:05:17 -0000 1.20
@@ -3,3 +3,4 @@
7f3e181c0be9a1579e43a5a8b26372d6 rubyfaq-990927.tar.bz2
8aa2e2da327dc43ff6e46e634eb657b6 rubyfaq-jp-990927.tar.bz2
eb7f25818cb6993839b38d1f21bd4ea1 ruby-1.8.6-p36.tar.bz2
+39cbf0cc610e636983cb3311bef3f2d0 ruby-1.8.6-p110.tar.bz2
--- ruby-r12567.patch DELETED ---
More information about the fedora-extras-commits
mailing list