Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP (rhbz#1461848).

This commit is contained in:
Vít Ondruch 2017-08-08 11:56:42 +02:00
commit 5ec9eb0eb9
2 changed files with 133 additions and 1 deletions

View file

@ -21,7 +21,7 @@
%endif
%global release 62
%global release 63
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
# The RubyGems library has to stay out of Ruby directory three, since the
@ -126,6 +126,11 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1381527
# https://github.com/ruby/ruby/commit/739782e37a6662fea379e7ef3ec89e851b04b46c
Patch10: ruby-2.3.4-remove-the-encryption-key-initialization.patch
# Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM
# commands in Net::SMTP (CVE-2015-9096).
# https://bugzilla.redhat.com/show_bug.cgi?id=1461848
# https://github.com/ruby/ruby/pull/1647
Patch11: ruby-2.4.0-SMTP-injection-fix.patch
# Do not freeze strings in generated .gemspec. This causes regressions
# and FTBFS in Fedora packages. This is revert of:
# https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae
@ -479,6 +484,7 @@ rm -rf ext/fiddle/libffi*
%patch6 -p1
%patch7 -p1
%patch10 -p1
%patch11 -p1
%patch100 -p1
# Provide an example of usage of the tapset:
@ -969,6 +975,10 @@ make check TESTS="-v $DISABLE_TESTS"
%{ruby_libdir}/tkextlib
%changelog
* Tue Aug 08 2017 Vít Ondruch <vondruch@redhat.com> - 2.3.3-63
- Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM
commands in Net::SMTP (rhbz#1461848).
* Thu Jul 27 2017 Vít Ondruch <vondruch@redhat.com> - 2.3.3-62
- Fix IV Reuse in GCM Mode (rhbz#1381527).