Ruby uses extensions (.so files) that might also depend on other
libraries. When the linker builds an executable, it will refer to the
path it found the library, including those in the stagging dir. However,
when it links a shared library (like ruby exts), it will let that
dependency to be resolved at runtime.
During host and target build, ruby build script runs ruby scripts. When
it loads a ext that depends on another library, it will, by default,
look for the system libraries to satisfy that, breaking the build when
it fails. Setting LD_LIBRARY_PATH to the stagging lib dir is a valid
workaround.
Ruby can also be built statically linking all exts into ruby executable.
That will make the linker point to the stagging library path, fixing the
issue. It was used in the past but, at some point, ruby broke it. Now it
is working as expected.
Closes#20839
While at it, clean up excluded extensions not used by host ruby.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes security fixes. Please check the topics below for
details.
- CVE-2023-28755: ReDoS vulnerability in URI
- CVE-2023-28756: ReDoS vulnerability in Time
See https://github.com/ruby/ruby/releases/tag/v3_2_2 for further details.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
LibreSSL 3.5 and later provide and need to use
PEM_write_bio_PrivateKey_traditional()
upstream commit:
e25fb0d0d8b02815271f
Signed-off-by: ZiMing Mo <msylgj@immortalwrt.org>
1. ruby/host build fails on macos due to Apple ld generates warning
if a folder from LDFLAGS is not exist. configure script catches this
warning and fails. This patch disables ld warnings for macos
2. ruby build fails on macos due /bin/true is not exist on macos.
This patch replaces /bin/true with true in OpenWrt Makefile
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
This release fixes some bugs and these vulnerabilities:
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Fixes two CVEs:
CVE-2021-28965: XML round-trip vulnerability in REXML
CVE-2021-28966: Path traversal in Tempfile on Windows
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
The crude loop I wrote to come up with this changeset:
find -L package/feeds/packages/ -name patches | \
sed 's/patches$/refresh/' | sort | xargs make
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
This release contains intentional incompatibility. Deprecation warnings are
off by default on 2.7.2 and later. You can turn on deprecation warnings by
specifying the -w or -W:deprecated option at the command-line. Please check
the topics below for details.
* Feature #17000 2.7.2 turns off deprecation warnings by default
* Feature #16345 Don’t emit deprecation warnings by default.
This release contains the new version of webrick with a security fix described in the article.
* CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This activates following extensions:
* io/nonblock
* io/wait
* openssl
* pathname
* ipper
* socket
* zlib
zlib and socket are required for gem so they should be just enabled
because otherwise it does not make sense to provide host gem at all.
The rest of extensions are activated to support compass.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
Bug fixes and a security update of the bundled RubyGems:
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Fix only release, including:
* CVE-2018-16396: Tainted flags are not propagated in Array#pack
and String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work
correctly
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes some bug fixes and some security fixes.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
There are also some bug fixes.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes some bug fixes and a security fix.
CVE-2017-17405: Command injection vulnerability in Net::FTP
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release contains some security fixes.
CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure in generating JSON
Multiple vulnerabilities in RubyGems
Update bundled libyaml to version 0.1.7.
And many other bugfix.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
There might be no ABI breakage when the first two number
of version are the same.
(No change on generated packages. No need to bumb release)
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
As both LEDE and OpenWrt have STAGING_DIR_HOSTPKG now, we can start to rely
on it. See 73b7f55424 for more information on
STAGING_DIR_HOSTPKG.
STAGING_DIR_HOSTPKG won't actually be changed before the first LEDE release
(it is equivalent to $(STAGING_DIR)/host), so this simple search/replace
cleanup is safe to apply. Doing this cleanup now will be useful for the
Gluon project (an OpenWrt/LEDE based firmware framework) for experimenting
with modifying STAGING_DIR_HOSTPKG before doing this in the LEDE upstream.
Also fixes a typo in the dbus Makefile ("STAGIND_DIR").
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This is a stable feature release.
Notable changes:
- Introduce hash table improvement (by Vladimir Makarov)
- Binding#irb: Start a REPL session similar to binding.pry
- Unify Fixnum and Bignum into Integer
- String supports Unicode case mappings
- Performance improvements
- Thread#report_on_exception and Thread.report_on_exception changes
- Thread deadlock detection now shows threads with their backtrace and dependency
- Support OpenSSL 1.1.0 (drop support for 0.9.7 or prior)
- ext/tk is now removed from stdlib Feature #8539
- XMLRPC is now removed from stdlib Feature #12160
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release contains a bug fix about Refinements and Module#prepend.
The mixture use of Module#refine and Module#prepend to the same Class
could cause unexpected NoMethodError. This is a regression on Ruby 2.3.2
released last week. See [Bug #12920] for details.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release contains update of RubyGems 2.5.2 and update of included ssl certificates.
There are many bugfixes too. See the http://svn.ruby-lang.org/repos/ruby/tags/v2_3_2/ChangeLog
for details.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
New feature release for ruby.More info:
https://www.ruby-lang.org/en/news/2015/12/25/ruby-2-3-0-released/
Patches changes:
(-) 001-rdoc-remove_gems_dep.patch was merged
(+) 001-acinclude.m4_rename_aclocal.m4.patch backported from upstream.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
ruby subpackages now are generated by a macro. This reduces the
Makefile size by half and the chance of errors.
No change in packages contents, install-size or dependencies, except
for some removed doc files.
Improved ruby_missingfiles and ruby_find_pkgsdeps script
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes a security fix for Fiddle extension.
* CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL
There are also some bugfixes.
In package, now LD_FLAGS is copied to DLD_FLAGS (used by ruby for libraries).
The missing values from LD_FLAGS cause build error when gcc does not implicitly
include staging/usr/lib.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This is a bug and security fix release, including:
- CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier
http://svn.ruby-lang.org/repos/ruby/tags/v2_2_3/ChangeLog
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
libyaml is an optional dep for ruby psych. When missing, it uses
a bundled version of yaml. However, when libyaml is present in
openwrt build, ruby-psych packaging failed with deps not declared.
Now libyaml is configured as a hard dep for ruby-psych.
Also, the tk module was disabled in order to avoid a possible similar
problem if tk+x11 is provided in openwrt build. It was currently not
build because of missing deps.
Other minor changes:
- win32* modules where disabled (avoid err msg, no compile changes)
- Some files where removed in 2.2.x (like gserver.rb). They were already
not packaged but generates a build warning message. Now removed from install.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This is a small ruby release, mainly to fix
CVE-2015-1855: Ruby OpenSSL Hostname Verification
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
For ruby changes since 2.1.x:
https://github.com/ruby/ruby/blob/v2_2_0/NEWS
Relevant changes for OpenWRT:
* all patches for ruby-core where merged upstream and
they are not needed anymore (only rdoc patch remains)
- PR for the rdoc github project was added to the patch header
(https://github.com/rdoc/rdoc/pull/340)
* new package ruby-powerassert for introduced new bundled gem power_assert
* new package ruby-unicodenormalize for Unicode normalization files
* removed ruby-dl as DL was removed after being deprecated
* ruby-{minitest,testunit} where removed from ruby library. Now they
are bundled gems
* test and sample files where removed from gems in order to save resources
and reduce pkgs dependencies
* script ruby_find_pkgsdeps was updated to match upstream changes
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Ruby 2.1.5 has been released.
This release includes a security fix for a DoS vulnerability of REXML.
It is similar to the fixed vulnerability in the previous release, but
new and different from it.
CVE-2014-8090: Another Denial of Service XML Expansion
And, some bug fixes are also included. See tickets and ChangeLog for details.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This release includes security fixes for the following vulnerabilities:
* CVE-2014-8080: Denial of Service XML Expansion
* Changed default settings of ext/openssl related to CVE-2014-3566
And there are some bug-fixes.
Ref: https://www.ruby-lang.org/en/news/2014/10/27/ruby-2-1-4-released/
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Tianling Shen