Commits on Sep 24, 2013
  1. Add CVE-2013-4363.txt to rdoc

    drbrain committed Sep 24, 2013
  2. Update version for release

    drbrain committed Sep 24, 2013
  3. Fix CVE-2013-4363, remove regexp backtracking

    The Gem::Version regexp used backtracking to validate gem versions, but
    in a different way than CVE-2013-4287. This could cause excessive CPU
    usage when creating Gem::Version objects including when packaging gems.
    See CVE-2013-4363.txt (in this commit) for details.
    
    See #626
    drbrain committed Sep 24, 2013
Commits on Sep 9, 2013
  1. Newer hoe does not package .travis.yml

    So we can remove it from the Manifest.
    drbrain committed Sep 9, 2013
  2. Update version for release

    drbrain committed Sep 9, 2013
  3. Fix CVE-2013-4287, remove regexp backtracking

    The Gem::Version regexp used backtracking to validate gem versions.
    This could cause excessive CPU usage when creating Gem::Version objects
    including when packaging gems. See CVE-2013-4287.txt (in this commit)
    for details.
    
    Fixes #626
    drbrain committed Sep 9, 2013
Commits on Apr 20, 2012
  1. Update Manifest.txt

    evanphx committed Apr 20, 2012
  2. Remove redundant certs

    evanphx committed Apr 20, 2012
Commits on Apr 19, 2012
  1. Update History.txt

    evanphx committed Apr 19, 2012
  2. Fixed init_with warning by calling into yaml_initialize (for syck) fr…

    …om psych's init_with
    drbrain committed with evanphx Apr 18, 2012
  3. Ported syck_hack reloading from ruby trunk to fix collision between p…

    …sych tests, syck_hack and YAML::ENGINE changes
    drbrain committed with evanphx Apr 18, 2012
  4. Bump to 1.8.23

    evanphx committed Apr 19, 2012
  5. Use mock of Gem::Security::OPT[:trust_dir] (naruse)

    Gem::Security::OPT[:trust_dir] depends on Gem.user_home but doesn't reset on setup/teardown.
    NOTE: Gem.user_home won't be recovered now, so teardown doesn't work.
    evanphx committed Apr 19, 2012
  6. Merge branch 'ssl' into 1.8

    evanphx committed Apr 19, 2012
Commits on Apr 17, 2012
  1. Use File.identical? to check if two files are the same. Fixes a test …

    …error on Windows. Patch by usa from ruby-trunk r35337
    drbrain committed with evanphx Apr 17, 2012
  2. Follow the error format changed by FreeBSD 9.

    FreeBSD 8.2's last line is "./configure: Can't open ./configure: No such file or directory\n" but FreeBSD 9's is "cannot open ./configure: No such file or directory\n".
    
    From ruby-trunk r33517 by naruse
    drbrain committed with evanphx Apr 17, 2012
  3. - Add --clear-sources to fetch

    evanphx committed Apr 16, 2012
Commits on Apr 16, 2012
  1. Minor cleanup

    evanphx committed Apr 16, 2012
  2. Insecure connection to SSL repository

    Fixes 2 SSL usage problems of RemoteFetcher.
    - No verification
    - Follows HTTPS -> HTTP redirection
    
    For the first problem, RemoteFetcher must use OpenSSL::SSL::VERIFY_PEER
    instead of VERIFY_NONE.  And to enable SSL verification of
    RemoteFetcher, we need to make trusted CA configurable.  This commit
    adds :ssl_verify_mode and :ssl_ca_cert to Gem::ConfigFile (normally
    .gemrc).  Both configurations are treated as the same options in open-uri.
    
    When :ssl_ca_cert is set, only the given path is treated as the trusted
    CA certificate(s).  If it's not set, OpenSSL's default store (sometimes
    configured as /etc/ssl/certs by system) *AND*
    lib/rubygems/ssl_certs/*.pem are trusted.  lib/rubygems/ssl_certs/*.pem
    are shipped to make sure all RubyGems clients can successfully access
    https://rubygems.org/.
    
    At this moment, RubyGems.org uses 3 SSL servers (https://rubygems.org/,
    https://s3.amazon.com/, and https://d2chzxaqi4y7f8.cloudfront.net/) and
    each SSL certificate needs a different root CA certificate.  So
    lib/rubygems/ssl_certs/ directory has 3 CA certificates in it.
    
    For the second problem, this patch lets RemoteFetcher raise
    RemoteFetcher::FetchError if a server returns an HTTPS -> HTTP redirection.
    Other types of redirection, HTTP -> HTTP, HTTPS -> HTTPS and HTTP ->
    HTTPS, are allowed as before, like open-uri.rb.
    
    The second issue is rather harmless because RemoteFetcher does not send
    Cookie or Referer to the server (those resources for an HTTPS site must
    not be sent to an HTTP site.)  However, by following an HTTPS -> HTTP
    redirection, an attacker can inject malicious gem contents into the
    environment of a user who expected a secure content download from an
    HTTPS site by using an HTTPS repository.
    nahi committed with evanphx Mar 13, 2012
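    The two fixes this commit describes, shown as an added example that is not RubyGems' own RemoteFetcher code: a hypothetical SafeFetcher module that builds a Net::HTTP client with VERIFY_PEER and a configurable CA path (mirroring the :ssl_ca_cert option) and applies the redirect policy, refusing HTTPS -> HTTP while allowing the other three combinations. The module name, FetchError class and method names are assumptions.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Hypothetical fetcher (not RubyGems' RemoteFetcher) illustrating the commit:
# (1) verify the server certificate against a configurable CA path instead of
#     using VERIFY_NONE, and (2) refuse HTTPS -> HTTP redirects.
module SafeFetcher
  class FetchError < StandardError; end

  # Build a client for +uri+. +ssl_ca_cert+ mirrors the :ssl_ca_cert option:
  # when set, only that file or directory is trusted; otherwise OpenSSL's
  # default store is used. No connection is opened here.
  def self.build_http(uri, ssl_ca_cert: nil)
    http = Net::HTTP.new(uri.host, uri.port)
    if uri.scheme == 'https'
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER # never VERIFY_NONE
      store = OpenSSL::X509::Store.new
      if ssl_ca_cert
        File.directory?(ssl_ca_cert) ? store.add_path(ssl_ca_cert) : store.add_file(ssl_ca_cert)
      else
        store.set_default_paths
      end
      http.cert_store = store
    end
    http
  end

  # Redirect policy from the commit: HTTP->HTTP, HTTPS->HTTPS and HTTP->HTTPS
  # are allowed; HTTPS->HTTP is a downgrade and is rejected.
  def self.redirect_allowed?(from, to)
    from = URI(from)
    to = URI(to)
    !(from.scheme == 'https' && to.scheme == 'http')
  end

  # Resolve a Location header relative to the current URL and enforce the
  # policy, raising FetchError on a downgrade; returns the absolute target.
  def self.follow_redirect(current, location)
    target = URI.join(current, location).to_s
    unless redirect_allowed?(current, target)
      raise FetchError, "refusing HTTPS -> HTTP redirect: #{current} -> #{target}"
    end
    target
  end
end
```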
Commits on Apr 13, 2012
  1. Add .travis.yml to Manifest

    evanphx committed Apr 13, 2012
  2. Bump to 1.8.22

    evanphx committed Apr 13, 2012
Commits on Apr 12, 2012
  1. Workaround for psych/syck YAML date parsing issue

    The format that psych outputs in 1.9.2 isn't readable as a Time object
    by syck's parser, thus it comes through as a String. Since we already do
    some String parsing in date=, we might as well also handle this odd,
    psych only, format.
    evanphx committed Apr 12, 2012
  2. Quiet default warnings about missing spec variables

    This warning currently only shows up at gem install time. Showing them
    by default doesn't help the user because there is no recourse for the
    user. Showing them in verbose mode at least means the user wants to know
    extra info about things.
    
    Additionally, #validate is run at build time so there is no chance of
    creating specs that would warn, so these warnings are ONLY for gems that
    are in the wild.
    evanphx committed Apr 12, 2012
Commits on Mar 22, 2012
  1. Bump to 1.8.21

    evanphx committed Mar 22, 2012
  2. Improve release process

    evanphx committed Mar 22, 2012
Commits on Mar 21, 2012
  1. Bump version to 1.8.20

    evanphx committed Mar 21, 2012