- New upstream release.
- ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes at trunk to enable the fix without any modifications on the users' scripts. Note that Net::HTTP#enable_post_connection_check isn't available anymore. If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE to Net::HTTP#verify_mode= instead of.
This commit is contained in:
parent
aea82d7668
commit
6e38a4a662
@ -15,3 +15,4 @@ ruby-1.8.5-p12.tar.gz
|
|||||||
ruby-1.8.6.tar.bz2
|
ruby-1.8.6.tar.bz2
|
||||||
ruby-1.8.6-p36.tar.bz2
|
ruby-1.8.6-p36.tar.bz2
|
||||||
ruby-1.8.6-p110.tar.bz2
|
ruby-1.8.6-p110.tar.bz2
|
||||||
|
ruby-1.8.6-p111.tar.bz2
|
||||||
|
@ -1,99 +0,0 @@
|
|||||||
diff -ruN ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb
|
|
||||||
--- ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb 2007-02-13 08:01:19.000000000 +0900
|
|
||||||
+++ ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb 2007-10-04 22:38:48.000000000 +0900
|
|
||||||
@@ -88,7 +88,7 @@
|
|
||||||
end
|
|
||||||
}
|
|
||||||
end
|
|
||||||
- raise SSLError, "hostname not match"
|
|
||||||
+ raise SSLError, "hostname not match with the server certificate"
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
diff -ruN ruby-1.8.6-p110.orig/lib/net/http.rb ruby-1.8.6-p110/lib/net/http.rb
|
|
||||||
--- ruby-1.8.6-p110.orig/lib/net/http.rb 2007-02-13 08:01:19.000000000 +0900
|
|
||||||
+++ ruby-1.8.6-p110/lib/net/http.rb 2007-10-04 22:41:34.000000000 +0900
|
|
||||||
@@ -470,6 +470,7 @@
|
|
||||||
@debug_output = nil
|
|
||||||
@use_ssl = false
|
|
||||||
@ssl_context = nil
|
|
||||||
+ @enable_post_connection_check = true
|
|
||||||
end
|
|
||||||
|
|
||||||
def inspect
|
|
||||||
@@ -526,6 +527,9 @@
|
|
||||||
false # redefined in net/https
|
|
||||||
end
|
|
||||||
|
|
||||||
+ # specify enabling SSL server certificate and hostname checking.
|
|
||||||
+ attr_accessor :enable_post_connection_check
|
|
||||||
+
|
|
||||||
# Opens TCP connection and HTTP session.
|
|
||||||
#
|
|
||||||
# When this method is called with block, gives a HTTP object
|
|
||||||
@@ -584,6 +588,14 @@
|
|
||||||
HTTPResponse.read_new(@socket).value
|
|
||||||
end
|
|
||||||
s.connect
|
|
||||||
+ if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
|
|
||||||
+ begin
|
|
||||||
+ s.post_connection_check(@address)
|
|
||||||
+ rescue OpenSSL::SSL::SSLError => ex
|
|
||||||
+ raise ex if @enable_post_connection_check
|
|
||||||
+ warn ex.message
|
|
||||||
+ end
|
|
||||||
+ end
|
|
||||||
end
|
|
||||||
on_connect
|
|
||||||
end
|
|
||||||
diff -ruN ruby-1.8.6-p110.orig/lib/open-uri.rb ruby-1.8.6-p110/lib/open-uri.rb
|
|
||||||
--- ruby-1.8.6-p110.orig/lib/open-uri.rb 2007-02-13 08:01:19.000000000 +0900
|
|
||||||
+++ ruby-1.8.6-p110/lib/open-uri.rb 2007-10-04 22:42:18.000000000 +0900
|
|
||||||
@@ -229,6 +229,7 @@
|
|
||||||
if target.class == URI::HTTPS
|
|
||||||
require 'net/https'
|
|
||||||
http.use_ssl = true
|
|
||||||
+ http.enable_post_connection_check = true
|
|
||||||
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
|
||||||
store = OpenSSL::X509::Store.new
|
|
||||||
store.set_default_paths
|
|
||||||
@@ -240,16 +241,6 @@
|
|
||||||
|
|
||||||
resp = nil
|
|
||||||
http.start {
|
|
||||||
- if target.class == URI::HTTPS
|
|
||||||
- # xxx: information hiding violation
|
|
||||||
- sock = http.instance_variable_get(:@socket)
|
|
||||||
- if sock.respond_to?(:io)
|
|
||||||
- sock = sock.io # 1.9
|
|
||||||
- else
|
|
||||||
- sock = sock.instance_variable_get(:@socket) # 1.8
|
|
||||||
- end
|
|
||||||
- sock.post_connection_check(target_host)
|
|
||||||
- end
|
|
||||||
req = Net::HTTP::Get.new(request_uri, header)
|
|
||||||
if options.include? :http_basic_authentication
|
|
||||||
user, pass = options[:http_basic_authentication]
|
|
||||||
diff -ruN ruby-1.8.6-p110.orig/version.h ruby-1.8.6-p110/version.h
|
|
||||||
--- ruby-1.8.6-p110.orig/version.h 2007-09-23 09:01:50.000000000 +0900
|
|
||||||
+++ ruby-1.8.6-p110/version.h 2007-10-04 22:42:37.000000000 +0900
|
|
||||||
@@ -1,15 +1,15 @@
|
|
||||||
#define RUBY_VERSION "1.8.6"
|
|
||||||
-#define RUBY_RELEASE_DATE "2007-09-23"
|
|
||||||
+#define RUBY_RELEASE_DATE "2007-09-24"
|
|
||||||
#define RUBY_VERSION_CODE 186
|
|
||||||
-#define RUBY_RELEASE_CODE 20070923
|
|
||||||
-#define RUBY_PATCHLEVEL 110
|
|
||||||
+#define RUBY_RELEASE_CODE 20070924
|
|
||||||
+#define RUBY_PATCHLEVEL 111
|
|
||||||
|
|
||||||
#define RUBY_VERSION_MAJOR 1
|
|
||||||
#define RUBY_VERSION_MINOR 8
|
|
||||||
#define RUBY_VERSION_TEENY 6
|
|
||||||
#define RUBY_RELEASE_YEAR 2007
|
|
||||||
#define RUBY_RELEASE_MONTH 9
|
|
||||||
-#define RUBY_RELEASE_DAY 23
|
|
||||||
+#define RUBY_RELEASE_DAY 24
|
|
||||||
|
|
||||||
#ifdef RUBY_EXTERN
|
|
||||||
RUBY_EXTERN const char ruby_version[];
|
|
97
ruby-1.8.6.111-CVE-2007-5162.patch
Normal file
97
ruby-1.8.6.111-CVE-2007-5162.patch
Normal file
@ -0,0 +1,97 @@
|
|||||||
|
diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb
|
||||||
|
--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb 2007-02-13 08:01:19.000000000 +0900
|
||||||
|
+++ ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb 2007-10-29 21:10:24.000000000 +0900
|
||||||
|
@@ -29,13 +29,23 @@ require 'net/ftp'
|
||||||
|
|
||||||
|
module Net
|
||||||
|
class FTPTLS < FTP
|
||||||
|
+ def connect(host, port=FTP_PORT)
|
||||||
|
+ @hostname = host
|
||||||
|
+ super
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
def login(user = "anonymous", passwd = nil, acct = nil)
|
||||||
|
+ store = OpenSSL::X509::Store.new
|
||||||
|
+ store.set_default_paths
|
||||||
|
ctx = OpenSSL::SSL::SSLContext.new('SSLv23')
|
||||||
|
+ ctx.cert_store = store
|
||||||
|
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
||||||
|
ctx.key = nil
|
||||||
|
ctx.cert = nil
|
||||||
|
voidcmd("AUTH TLS")
|
||||||
|
@sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
|
||||||
|
@sock.connect
|
||||||
|
+ @sock.post_connection_check(@hostname)
|
||||||
|
super(user, passwd, acct)
|
||||||
|
voidcmd("PBSZ 0")
|
||||||
|
end
|
||||||
|
diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb
|
||||||
|
--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb 2007-02-13 08:01:19.000000000 +0900
|
||||||
|
+++ ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb 2007-10-29 21:13:03.000000000 +0900
|
||||||
|
@@ -134,6 +134,9 @@ module Net
|
||||||
|
@sock.verify_callback = @options['VerifyCallback']
|
||||||
|
@sock.verify_depth = @options['VerifyDepth']
|
||||||
|
@sock.connect
|
||||||
|
+ if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE
|
||||||
|
+ @sock.post_connection_check(@options['Host'])
|
||||||
|
+ end
|
||||||
|
@ssl = true
|
||||||
|
end
|
||||||
|
''
|
||||||
|
diff -pruN ruby-1.8.6-p111.orig/lib/net/http.rb ruby-1.8.6-p111/lib/net/http.rb
|
||||||
|
--- ruby-1.8.6-p111.orig/lib/net/http.rb 2007-09-24 17:12:24.000000000 +0900
|
||||||
|
+++ ruby-1.8.6-p111/lib/net/http.rb 2007-10-29 21:12:12.000000000 +0900
|
||||||
|
@@ -470,7 +470,6 @@ module Net #:nodoc:
|
||||||
|
@debug_output = nil
|
||||||
|
@use_ssl = false
|
||||||
|
@ssl_context = nil
|
||||||
|
- @enable_post_connection_check = false
|
||||||
|
end
|
||||||
|
|
||||||
|
def inspect
|
||||||
|
@@ -527,9 +526,6 @@ module Net #:nodoc:
|
||||||
|
false # redefined in net/https
|
||||||
|
end
|
||||||
|
|
||||||
|
- # specify enabling SSL server certificate and hostname checking.
|
||||||
|
- attr_accessor :enable_post_connection_check
|
||||||
|
-
|
||||||
|
# Opens TCP connection and HTTP session.
|
||||||
|
#
|
||||||
|
# When this method is called with block, gives a HTTP object
|
||||||
|
@@ -589,12 +585,7 @@ module Net #:nodoc:
|
||||||
|
end
|
||||||
|
s.connect
|
||||||
|
if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
|
||||||
|
- begin
|
||||||
|
- s.post_connection_check(@address)
|
||||||
|
- rescue OpenSSL::SSL::SSLError => ex
|
||||||
|
- raise ex if @enable_post_connection_check
|
||||||
|
- warn ex.message
|
||||||
|
- end
|
||||||
|
+ s.post_connection_check(@address)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
on_connect
|
||||||
|
diff -pruN ruby-1.8.6-p111.orig/lib/net/imap.rb ruby-1.8.6-p111/lib/net/imap.rb
|
||||||
|
--- ruby-1.8.6-p111.orig/lib/net/imap.rb 2007-08-22 08:28:09.000000000 +0900
|
||||||
|
+++ ruby-1.8.6-p111/lib/net/imap.rb 2007-10-29 21:14:38.000000000 +0900
|
||||||
|
@@ -900,6 +900,7 @@ module Net
|
||||||
|
end
|
||||||
|
@sock = SSLSocket.new(@sock, context)
|
||||||
|
@sock.connect # start ssl session.
|
||||||
|
+ @sock.post_connection_check(@host) if verify
|
||||||
|
else
|
||||||
|
@usessl = false
|
||||||
|
end
|
||||||
|
diff -pruN ruby-1.8.6-p111.orig/lib/open-uri.rb ruby-1.8.6-p111/lib/open-uri.rb
|
||||||
|
--- ruby-1.8.6-p111.orig/lib/open-uri.rb 2007-09-24 17:12:24.000000000 +0900
|
||||||
|
+++ ruby-1.8.6-p111/lib/open-uri.rb 2007-10-29 21:16:03.000000000 +0900
|
||||||
|
@@ -229,7 +229,6 @@ module OpenURI
|
||||||
|
if target.class == URI::HTTPS
|
||||||
|
require 'net/https'
|
||||||
|
http.use_ssl = true
|
||||||
|
- http.enable_post_connection_check = true
|
||||||
|
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
||||||
|
store = OpenSSL::X509::Store.new
|
||||||
|
store.set_default_paths
|
28
ruby.spec
28
ruby.spec
@ -1,7 +1,7 @@
|
|||||||
%define manver 1.4.6
|
%define manver 1.4.6
|
||||||
%define rubyxver 1.8
|
%define rubyxver 1.8
|
||||||
%define rubyver 1.8.6
|
%define rubyver 1.8.6
|
||||||
%define _patchlevel 110
|
%define _patchlevel 111
|
||||||
%define dotpatchlevel %{?_patchlevel:.%{_patchlevel}}
|
%define dotpatchlevel %{?_patchlevel:.%{_patchlevel}}
|
||||||
%define patchlevel %{?_patchlevel:-p%{_patchlevel}}
|
%define patchlevel %{?_patchlevel:-p%{_patchlevel}}
|
||||||
%define sitedir %{_libdir}/ruby/site_ruby
|
%define sitedir %{_libdir}/ruby/site_ruby
|
||||||
@ -11,7 +11,7 @@
|
|||||||
|
|
||||||
Name: ruby
|
Name: ruby
|
||||||
Version: %{rubyver}%{?dotpatchlevel}
|
Version: %{rubyver}%{?dotpatchlevel}
|
||||||
Release: 2%{?dist}
|
Release: 1%{?dist}
|
||||||
License: Ruby or GPL+
|
License: Ruby or GPL+
|
||||||
URL: http://www.ruby-lang.org/
|
URL: http://www.ruby-lang.org/
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
@ -36,7 +36,7 @@ Patch20: ruby-rubyprefix.patch
|
|||||||
Patch21: ruby-deprecated-sitelib-search-path.patch
|
Patch21: ruby-deprecated-sitelib-search-path.patch
|
||||||
Patch22: ruby-deprecated-search-path.patch
|
Patch22: ruby-deprecated-search-path.patch
|
||||||
Patch23: ruby-multilib.patch
|
Patch23: ruby-multilib.patch
|
||||||
Patch24: ruby-1.8.6-CVE-2007-5162.patch
|
Patch24: ruby-1.8.6.111-CVE-2007-5162.patch
|
||||||
|
|
||||||
Summary: An interpreter of object-oriented scripting language
|
Summary: An interpreter of object-oriented scripting language
|
||||||
Group: Development/Languages
|
Group: Development/Languages
|
||||||
@ -180,10 +180,6 @@ export CFLAGS
|
|||||||
--disable-rpath \
|
--disable-rpath \
|
||||||
--with-ruby-prefix=%{_prefix}/lib
|
--with-ruby-prefix=%{_prefix}/lib
|
||||||
|
|
||||||
%ifarch ppc
|
|
||||||
cp Makefile Makefile.orig
|
|
||||||
sed -e 's/^EXTMK_ARGS[[:space:]].*=\(.*\) --$/EXTMK_ARGS=\1 --disable-tcl-thread --/' Makefile.orig > Makefile
|
|
||||||
%endif
|
|
||||||
make RUBY_INSTALL_NAME=ruby %{?_smp_mflags}
|
make RUBY_INSTALL_NAME=ruby %{?_smp_mflags}
|
||||||
%ifarch ia64
|
%ifarch ia64
|
||||||
# Miscompilation? Buggy code?
|
# Miscompilation? Buggy code?
|
||||||
@ -467,15 +463,29 @@ rm -rf tmp-ruby-docs
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 29 2007 Akira TAGOH <tagoh@redhat.com> - 1.8.6.111-1
|
||||||
|
- New upstream release.
|
||||||
|
- ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes
|
||||||
|
at trunk to enable the fix without any modifications on the users' scripts.
|
||||||
|
Note that Net::HTTP#enable_post_connection_check isn't available anymore.
|
||||||
|
If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE
|
||||||
|
to Net::HTTP#verify_mode= instead of.
|
||||||
|
|
||||||
* Mon Oct 15 2007 Akira TAGOH <tagoh@redhat.com> - 1.8.6.110-2
|
* Mon Oct 15 2007 Akira TAGOH <tagoh@redhat.com> - 1.8.6.110-2
|
||||||
- Enable pthread support for ppc too. (#201452)
|
- Enable pthread support for ppc too. (#201452)
|
||||||
- Fix unexpected dependencies appears in ruby-libs. (#253325)
|
- Fix unexpected dependencies appears in ruby-libs. (#253325)
|
||||||
|
|
||||||
* Thu Oct 4 2007 Akira TAGOH <tagoh@redhat.com> - 1.8.6.110-1
|
* Wed Oct 10 2007 Akira TAGOH <tagoh@redhat.com> - 1.8.6.110-1
|
||||||
- New upstream release.
|
- New upstream release.
|
||||||
- ruby-r12567.patch: removed.
|
- ruby-r12567.patch: removed.
|
||||||
- ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is
|
- ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is
|
||||||
insufficient verification of SSL certificate. (#313791)
|
insufficient verification of SSL certificate.
|
||||||
|
|
||||||
|
* Thu Aug 23 2007 Akira TAGOH <tagoh@redhat.com> - 1.8.6.36-4
|
||||||
|
- Rebuild
|
||||||
|
|
||||||
|
* Fri Aug 10 2007 Akira TAGOH <tagoh@redhat.com>
|
||||||
|
- Update License tag.
|
||||||
|
|
||||||
* Mon Jul 25 2007 Akira TAGOH <tagoh@redhat.com> - 1.8.6.36-3
|
* Mon Jul 25 2007 Akira TAGOH <tagoh@redhat.com> - 1.8.6.36-3
|
||||||
- ruby-r12567.patch: backport patch from upstream svn to get rid of
|
- ruby-r12567.patch: backport patch from upstream svn to get rid of
|
||||||
|
2
sources
2
sources
@ -2,4 +2,4 @@
|
|||||||
d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz
|
d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz
|
||||||
7f3e181c0be9a1579e43a5a8b26372d6 rubyfaq-990927.tar.bz2
|
7f3e181c0be9a1579e43a5a8b26372d6 rubyfaq-990927.tar.bz2
|
||||||
8aa2e2da327dc43ff6e46e634eb657b6 rubyfaq-jp-990927.tar.bz2
|
8aa2e2da327dc43ff6e46e634eb657b6 rubyfaq-jp-990927.tar.bz2
|
||||||
39cbf0cc610e636983cb3311bef3f2d0 ruby-1.8.6-p110.tar.bz2
|
e1d38b7d4f1be55726d6927a3395ce3b ruby-1.8.6-p111.tar.bz2
|
||||||
|
Loading…
Reference in New Issue
Block a user