From nobody@FreeBSD.org  Mon Dec  4 02:59:23 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id B113D16A407
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  4 Dec 2006 02:59:23 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6432943CA3
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  4 Dec 2006 02:58:53 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id kB42xNNC044196
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 4 Dec 2006 02:59:23 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id kB42xNkm044195;
	Mon, 4 Dec 2006 02:59:23 GMT
	(envelope-from nobody)
Message-Id: <200612040259.kB42xNkm044195@www.freebsd.org>
Date: Mon, 4 Dec 2006 02:59:23 GMT
From: UEDA Hiroyuki<bsdmad@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ruby-1.8.5-p2 released
X-Send-Pr-Version: www-3.0

>Number:         106287
>Category:       ports
>Synopsis:       ruby-1.8.5-p2 released
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    stas
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 04 03:00:24 GMT 2006
>Closed-Date:    Mon Dec 04 20:37:11 GMT 2006
>Last-Modified:  Mon Dec  4 20:50:03 GMT 2006
>Originator:     UEDA Hiroyuki
>Release:        6.2-RC1
>Organization:
>Environment:
FreeBSD fb5-stable.netforest.co.jp 6.2-RC1 FreeBSD 6.2-RC1 #25: Mon Nov 20 14:57:59 JST 2006     root@fb5-stable.netforest.co.jp:/usr/obj/usr/src/sys/STABLE  i386
>Description:
Ruby development team has announced that they rleased ruby-1.8.5-p2 because of security vulnerabilities in lib/cgi.rb. You can see the detail with following URL.

http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library

I did sent-pr(http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/105113) and fixed it in current ports, but there is another vulnerability which was not fixed by previous patch.


You can obtain latest tar archive from:

http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz
>How-To-Repeat:

>Fix:
For fixing this problem, you need to upgrade 1.8.5-p2.

You can obtain latest release from following URL:

http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->stas 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Mon Dec 4 11:28:01 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=106287 
State-Changed-From-To: open->closed 
State-Changed-By: stas 
State-Changed-When: Mon Dec 4 20:37:10 UTC 2006 
State-Changed-Why:  
I've decided to commit the patch for the cgi library instead, as it's 
very small. Thanks for the report! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=106287 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/106287: commit references a PR
Date: Mon,  4 Dec 2006 20:44:13 +0000 (UTC)

 stas        2006-12-04 20:33:04 UTC
 
   FreeBSD ports repository
 
   Modified files:
     lang/ruby18          Makefile 
     lang/ruby18/files    patch-lib_cgi.rb 
   Log:
   - Fix an another cgi library vulnerability
   - Bump portrevision
   
   PR:             ports/106287
   Reported by:    UEDA Hiroyuki <bsdmad@gmail.com>
   Obtained from:  ruby cvs
   
   Revision  Changes    Path
   1.121     +1 -1      ports/lang/ruby18/Makefile
   1.2       +28 -3     ports/lang/ruby18/files/patch-lib_cgi.rb
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
