rpms/ruby/F-8 ruby-1.8.6.111-CVE-2007-5162.patch, NONE, 1.1 .cvsignore, 1.21, 1.22 ruby.spec, 1.103, 1.104 sources, 1.20, 1.21 ruby-1.8.6-CVE-2007-5162.patch, 1.1, NONE

Mon Oct 29 12:53:44 UTC 2007

Author: tagoh

Update of /cvs/pkgs/rpms/ruby/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17463

Modified Files:
	.cvsignore ruby.spec sources 
Added Files:
	ruby-1.8.6.111-CVE-2007-5162.patch 
Removed Files:
	ruby-1.8.6-CVE-2007-5162.patch 
Log Message:
* Mon Oct 29 2007 Akira TAGOH <tagoh at redhat.com> - 1.8.6.111-1
- New upstream release.
- ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes
   at trunk to enable the fix without any modifications on the users' scripts.
   Note that Net::HTTP#enable_post_connection_check isn't available anymore.
   If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE
   to Net::HTTP#verify_mode= instead of.

ruby-1.8.6.111-CVE-2007-5162.patch:

--- NEW FILE ruby-1.8.6.111-CVE-2007-5162.patch ---
diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb
--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb	2007-02-13 08:01:19.000000000 +0900
+++ ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb	2007-10-29 21:10:24.000000000 +0900
@@ -29,13 +29,23 @@ require 'net/ftp'
 
 module Net
   class FTPTLS < FTP
+    def connect(host, port=FTP_PORT)
+       @hostname = host
+       super
+    end
+
     def login(user = "anonymous", passwd = nil, acct = nil)
+       store = OpenSSL::X509::Store.new
+       store.set_default_paths
        ctx = OpenSSL::SSL::SSLContext.new('SSLv23')
+       ctx.cert_store = store
+       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
        ctx.key = nil
        ctx.cert = nil
        voidcmd("AUTH TLS")
        @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
        @sock.connect
+       @sock.post_connection_check(@hostname)
        super(user, passwd, acct)
        voidcmd("PBSZ 0")
     end
diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb
--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb	2007-02-13 08:01:19.000000000 +0900
+++ ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb	2007-10-29 21:13:03.000000000 +0900
@@ -134,6 +134,9 @@ module Net
             @sock.verify_callback = @options['VerifyCallback']
             @sock.verify_depth    = @options['VerifyDepth']
             @sock.connect
+            if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE
+              @sock.post_connection_check(@options['Host'])
+            end
             @ssl = true
           end
           ''
diff -pruN ruby-1.8.6-p111.orig/lib/net/http.rb ruby-1.8.6-p111/lib/net/http.rb
--- ruby-1.8.6-p111.orig/lib/net/http.rb	2007-09-24 17:12:24.000000000 +0900
+++ ruby-1.8.6-p111/lib/net/http.rb	2007-10-29 21:12:12.000000000 +0900
@@ -470,7 +470,6 @@ module Net   #:nodoc:
       @debug_output = nil
       @use_ssl = false
       @ssl_context = nil
-      @enable_post_connection_check = false
     end
 
     def inspect
@@ -527,9 +526,6 @@ module Net   #:nodoc:
       false   # redefined in net/https
     end
 
-    # specify enabling SSL server certificate and hostname checking.
-    attr_accessor :enable_post_connection_check
-
     # Opens TCP connection and HTTP session.
     # 
     # When this method is called with block, gives a HTTP object
@@ -589,12 +585,7 @@ module Net   #:nodoc:
         end
         s.connect
         if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
-          begin
-            s.post_connection_check(@address)
-          rescue OpenSSL::SSL::SSLError => ex
-            raise ex if @enable_post_connection_check
-            warn ex.message
-          end
+          s.post_connection_check(@address)
         end
       end
       on_connect
diff -pruN ruby-1.8.6-p111.orig/lib/net/imap.rb ruby-1.8.6-p111/lib/net/imap.rb
--- ruby-1.8.6-p111.orig/lib/net/imap.rb	2007-08-22 08:28:09.000000000 +0900
+++ ruby-1.8.6-p111/lib/net/imap.rb	2007-10-29 21:14:38.000000000 +0900
@@ -900,6 +900,7 @@ module Net
         end
         @sock = SSLSocket.new(@sock, context)
         @sock.connect   # start ssl session.
+        @sock.post_connection_check(@host) if verify
       else
         @usessl = false
       end
diff -pruN ruby-1.8.6-p111.orig/lib/open-uri.rb ruby-1.8.6-p111/lib/open-uri.rb
--- ruby-1.8.6-p111.orig/lib/open-uri.rb	2007-09-24 17:12:24.000000000 +0900
+++ ruby-1.8.6-p111/lib/open-uri.rb	2007-10-29 21:16:03.000000000 +0900
@@ -229,7 +229,6 @@ module OpenURI
     if target.class == URI::HTTPS
       require 'net/https'
       http.use_ssl = true
-      http.enable_post_connection_check = true
       http.verify_mode = OpenSSL::SSL::VERIFY_PEER
       store = OpenSSL::X509::Store.new
       store.set_default_paths


Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/ruby/F-8/.cvsignore,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- .cvsignore	10 Oct 2007 01:05:17 -0000	1.21
+++ .cvsignore	29 Oct 2007 12:53:12 -0000	1.22
@@ -15,3 +15,4 @@
 ruby-1.8.6.tar.bz2
 ruby-1.8.6-p36.tar.bz2
 ruby-1.8.6-p110.tar.bz2
+ruby-1.8.6-p111.tar.bz2


Index: ruby.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ruby/F-8/ruby.spec,v
retrieving revision 1.103
retrieving revision 1.104
diff -u -r1.103 -r1.104
--- ruby.spec	15 Oct 2007 11:48:04 -0000	1.103
+++ ruby.spec	29 Oct 2007 12:53:12 -0000	1.104
@@ -1,7 +1,7 @@
 %define manver		1.4.6
 %define	rubyxver	1.8
 %define	rubyver		1.8.6
-%define _patchlevel	110
+%define _patchlevel	111
 %define dotpatchlevel	%{?_patchlevel:.%{_patchlevel}}
 %define patchlevel	%{?_patchlevel:-p%{_patchlevel}}
 %define	sitedir		%{_libdir}/ruby/site_ruby
@@ -11,7 +11,7 @@
 
 Name:		ruby
 Version:	%{rubyver}%{?dotpatchlevel}
-Release:	2%{?dist}
+Release:	1%{?dist}
 License:	Ruby or GPL+
 URL:		http://www.ruby-lang.org/
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -36,7 +36,7 @@
 Patch21:	ruby-deprecated-sitelib-search-path.patch
 Patch22:	ruby-deprecated-search-path.patch
 Patch23:	ruby-multilib.patch
-Patch24:	ruby-1.8.6-CVE-2007-5162.patch
+Patch24:	ruby-1.8.6.111-CVE-2007-5162.patch
 
 Summary:	An interpreter of object-oriented scripting language
 Group:		Development/Languages
@@ -180,10 +180,6 @@
   --disable-rpath \
   --with-ruby-prefix=%{_prefix}/lib
 
-%ifarch ppc
-cp Makefile Makefile.orig
-sed -e 's/^EXTMK_ARGS[[:space:]].*=\(.*\) --$/EXTMK_ARGS=\1 --disable-tcl-thread --/' Makefile.orig > Makefile
-%endif
 make RUBY_INSTALL_NAME=ruby %{?_smp_mflags}
 %ifarch ia64
 # Miscompilation? Buggy code?
@@ -467,6 +463,14 @@
 %endif
 
 %changelog
+* Mon Oct 29 2007 Akira TAGOH <tagoh at redhat.com> - 1.8.6.111-1
+- New upstream release.
+- ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes
+   at trunk to enable the fix without any modifications on the users' scripts.
+   Note that Net::HTTP#enable_post_connection_check isn't available anymore.
+   If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE
+   to Net::HTTP#verify_mode= instead of.
+
 * Mon Oct 15 2007 Akira TAGOH <tagoh at redhat.com> - 1.8.6.110-2
 - Enable pthread support for ppc too. (#201452)
 - Fix unexpected dependencies appears in ruby-libs. (#253325)


Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/ruby/F-8/sources,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- sources	10 Oct 2007 01:05:17 -0000	1.20
+++ sources	29 Oct 2007 12:53:12 -0000	1.21
@@ -2,5 +2,4 @@
 d65e3a216d6d345a2a6f1aa8758c2f75  ruby-refm-rdp-1.8.1-ja-html.tar.gz
 7f3e181c0be9a1579e43a5a8b26372d6  rubyfaq-990927.tar.bz2
 8aa2e2da327dc43ff6e46e634eb657b6  rubyfaq-jp-990927.tar.bz2
-eb7f25818cb6993839b38d1f21bd4ea1  ruby-1.8.6-p36.tar.bz2
-39cbf0cc610e636983cb3311bef3f2d0  ruby-1.8.6-p110.tar.bz2
+e1d38b7d4f1be55726d6927a3395ce3b  ruby-1.8.6-p111.tar.bz2


--- ruby-1.8.6-CVE-2007-5162.patch DELETED ---


