[Frugalware-darcs] frugalware-0.6: ruby-1.8.5-4terminus2-i686

voroskoi voroskoi at frugalware.org
Fri Oct 5 12:05:19 CEST 2007


Darcsweb-Url: http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.6;a=darcs_commitdiff;h=20071005094601-dd049-dbc13306096f7afa2acc26d2eb9c2f981cccfc2b.gz;

[ruby-1.8.5-4terminus2-i686
voroskoi <voroskoi at frugalware.org>**20071005094601
 secfix relbump, closes #2459
] {
addfile ./source/devel/ruby/CVE-2007-5162.diff
hunk ./source/devel/ruby/CVE-2007-5162.diff 1
+--- ruby_1_8_5/lib/net/http.rb	2007/09/24 07:55:41	13501
++++ ruby_1_8_5/lib/net/http.rb	2007/09/24 08:02:31	13502
+@@ -470,6 +470,7 @@
+       @debug_output = nil
+       @use_ssl = false
+       @ssl_context = nil
++      @enable_post_connection_check = false
+     end
+ 
+     def inspect
+@@ -526,6 +527,9 @@
+       false   # redefined in net/https
+     end
+ 
++    # specify enabling SSL server certificate and hostname checking.
++    attr_accessor :enable_post_connection_check
++
+     # Opens TCP connection and HTTP session.
+     # 
+     # When this method is called with block, gives a HTTP object
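Review bot: The comment added above `attr_accessor :enable_post_connection_check` does not say what happens when the flag is left off. Going by the other hunks of this file, the flag starts as `false`, and a failed hostname check is then only printed with `warn` while the connection continues. The comment should state that contract, for example `# When true, a certificate/hostname mismatch raises OpenSSL::SSL::SSLError; when false (the default) it is only warned and the session proceeds.`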
+@@ -584,6 +588,14 @@
+           HTTPResponse.read_new(@socket).value
+         end
+         s.connect
++        if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
++          begin
++            s.post_connection_check(@address)
++          rescue OpenSSL::SSL::SSLError => ex
++            raise ex if @enable_post_connection_check
++            warn ex.message
++          end
++        end
+       end
+       on_connect
+     end
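Review bot: A hostname mismatch still lets the connection proceed by default, because the `rescue` re-raises only when `@enable_post_connection_check` is set and the initializer hunk sets it to `false`; otherwise the failure is reduced to `warn ex.message` on stderr. Code that configures `VERIFY_PEER` on Net::HTTP directly therefore keeps accepting a valid certificate issued for a different host unless it opts in; in this patch only open-uri turns the flag on. Consider failing closed with `@enable_post_connection_check = true` in the initializer, so that callers who need the old behaviour have to disable the check explicitly. The guard `@ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE` also evaluates to true when `verify_mode` is unset (`nil`), which looks like it would run the check and emit warnings on connections that never asked for verification; worth confirming. The enclosing method starts outside the hunk.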
+--- ruby_1_8_5/lib/open-uri.rb	2007/09/24 07:55:41	13501
++++ ruby_1_8_5/lib/open-uri.rb	2007/09/24 08:02:31	13502
+@@ -229,6 +229,7 @@
+     if target.class == URI::HTTPS
+       require 'net/https'
+       http.use_ssl = true
++      http.enable_post_connection_check = true
+       http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+       store = OpenSSL::X509::Store.new
+       store.set_default_paths
+@@ -240,16 +241,6 @@
+ 
+     resp = nil
+     http.start {
+-      if target.class == URI::HTTPS
+-        # xxx: information hiding violation
+-        sock = http.instance_variable_get(:@socket)
+-        if sock.respond_to?(:io)
+-          sock = sock.io # 1.9
+-        else
+-          sock = sock.instance_variable_get(:@socket) # 1.8
+-        end
+-        sock.post_connection_check(target_host)
+-      end
+       req = Net::HTTP::Get.new(request_uri, header)
+       if options.include? :http_basic_authentication
+         user, pass = options[:http_basic_authentication]
+--- ruby_1_8_5/ext/openssl/lib/openssl/ssl.rb	2007/09/24 07:55:41	13501
++++ ruby_1_8_5/ext/openssl/lib/openssl/ssl.rb	2007/09/24 08:02:31	13502
+@@ -88,7 +88,7 @@
+             end
+           }
+         end
+-        raise SSLError, "hostname not match"
++        raise SSLError, "hostname was not match with the server certificate"
+       end
+     end
+ 
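Review bot: The new message `"hostname was not match with the server certificate"` is ungrammatical and does not name the host that failed, which makes the warn-only path in net/http hard to triage from logs. `raise SSLError, "hostname does not match the server certificate"` reads correctly. Including the checked hostname would help further, but the variable holding it is outside this hunk. The enclosing method starts outside the hunk.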
hunk ./source/devel/ruby/FrugalBuild 6
-pkgrel=4terminus1
+pkgrel=4terminus2
hunk ./source/devel/ruby/FrugalBuild 14
-source=(ftp://ftp.ruby-lang.org/pub/ruby/ruby-$pkgver.tar.gz CVE-2006-5467.patch)
+source=(ftp://ftp.ruby-lang.org/pub/ruby/ruby-$pkgver.tar.gz CVE-2006-5467.patch CVE-2007-5162.diff)
hunk ./source/devel/ruby/FrugalBuild 16
-	  '0699e71e4f85a91e927eaa84830de44c9d578828')
+          '0699e71e4f85a91e927eaa84830de44c9d578828' \
+          'f298a3da2e62eea703934e131cc759cfcda4812b')
}

