jruby (1.7.26-1+deb9u1) stretch-security; urgency=high * Team upload. * Fix CVE-2018-1000073: Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. * Fix CVE-2018-1000074: possible Unsafe Object Deserialization Vulnerability in gem owner. * Fix CVE-2018-1000075: Strictly interpret octal fields in tar headers to avoid infinite loop * Fix CVE-2018-1000076: Raise a security error when there are duplicate files in a package * Fix CVE-2018-1000077: Enforce URL validation on spec homepage attribute. * Fix CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when displayed via gem server. * Fix CVE-2018-1000079: Directory Traversal vulnerability in gem installation that can result in writing to arbitrary filesystem locations during installation of malicious gems. (Closes: #895778) -- Markus Koschany Sun, 29 Apr 2018 22:24:33 +0200 jruby (1.7.26-1) unstable; urgency=medium * Team upload. [ Miguel Landaeta ] * New upstream release. * Fix FTBFS due to changes introduced in yecht 1.1 and snakeyaml 1.7. (Closes: #821181). * Drop Provides: ruby-interpreter in jruby binary package. (Closes: #839567). * Build with default-jdk now it has finally switched to Java 8. * Bump Standards-Version to 3.9.8. No changes were required. * Use https URLs with Vcs-* fields. * Refresh patches: - Add new patch: + d/patches/0007-Enable-test-suites.patch. + d/patches/0012-Disable-outdated-specs.patch. * Run more unit tests during build time. The suit test spec:ruby:fast is ran from now on. [ Emmanuel Bourg ] * Depend on libasm-java (>= 5.0) instead of libasm4-java. -- Miguel Landaeta Sat, 12 Nov 2016 20:33:13 +0000 jruby (1.7.22-2) unstable; urgency=medium * Build with maven-debian-helper 2. - Simplify packaging. - Avoid occasional FTBFS errors caused by changes in Maven. * Fix an FTBFS caused by some unit tests not working correctly in pbuilder. -- Miguel Landaeta Mon, 28 Dec 2015 17:20:15 -0300 jruby (1.7.22-1) unstable; urgency=medium * New upstream release. * Install jruby-stdlib Maven artifact. (Closes: #792906). - Added a lintian override for codeless-jar warning. * Install jruby-noasm Maven artifact. * Install correct jruby-core Maven artifact. * Install jruby-core-noasm Maven artifact. * Install jruby-complete Maven artifact. * Add B-D on libmaven-install-plugin-java. * Add versioned B-D on maven (>= 3.3~). -- Miguel Landaeta Wed, 16 Sep 2015 21:19:33 -0300 jruby (1.7.21-2) unstable; urgency=high * Fix FTBFS due to Maven 3.3.x changes. (Closes: #792788). * Provide full cryptographic support: - Add Recommends on jruby-openssl. (Closes: #743746). - Add Build-Depends on jruby-openssl for unit tests during build-time. -- Miguel Landaeta Tue, 14 Jul 2015 20:20:23 -0300 jruby (1.7.21-1) unstable; urgency=medium * New upstream release. * Add missing dependencies for jruby binary package. (Closes: #771694). * Add Provides: ruby-interpreter for jruby binary package. -- Miguel Landaeta Wed, 08 Jul 2015 20:59:46 -0300 jruby (1.7.20.1-2) unstable; urgency=medium * Upload to unstable. * Add missing dependencies for jruby binary package. -- Miguel Landaeta Sat, 20 Jun 2015 19:42:50 -0300 jruby (1.7.20.1-1) experimental; urgency=medium * New upstream release. This release updates Rubygems included copy to 2.4.8 in order to address CVE-2015-1855, to resolve some problems with wildcard matching of hostnames. * Add new patch: - 0009-Disable-bigdecimal-divmod-spec-failing-test.patch. -- Miguel Landaeta Thu, 18 Jun 2015 21:34:53 -0300 jruby (1.7.19-1) experimental; urgency=medium * New upstream release. (Closes: #636554, #773131, #750749). * Add /usr/lib/ruby/vendor_ruby to the default $LOAD_PATH. (Closes: #663342). * Switch build system to Maven, upstream doesn't maintain Ant one anymore: - Add B-D on: maven, maven-{debian,repo}-helper and several maven plugins. - Replace cdbs with debhelper. * Enable full testing during build time. * Remove outdated packaging files: - d/dirs, d/links, d/NEWS.Debian and a couple of lintian overrides. * Refresh patches: - Update d/patches/0001-Fix-shebang-lines.patch. - Drop unnecessary patches, some of them were merged at upstream: + d/patches/0004-replace-bundled-libraries.patch + d/patches/0005-ignore-test-failures.patch + d/patches/0006-do-not-build-InvokeDynamicSupport.java.patch + d/patches/0007-use-unversioned-jarjar.jar.patch + d/patches/0008-CVE-2011-4838.patch + d/patches/0009-CVE-2012-5370.patch + d/patches/0010-jruby-Set-FD_CLOEXEC-correctly-using-F_SETFD-not-F_S.patch + d/patches/0011-java7-compat.patch + d/patches/0012-nailgun.patch * Update Uploaders list: - Remove Sebastien Delafond. Thanks for your work on this package! - Remove Torsten Werner. Thanks for your work on this package! - Add Tim Potter. Welcome aboard! * Update d/watch file. * Update d/README.Debian file. * Add get-orig-source target to d/rules. * Update Build-Depends: - Replace dependency on openjdk-7-jdk with openjdk-8-jdk. Otherwise jruby will not even compile. - Replace libjaffl-java with libjnr-ffi-java. - Replace libjline-java with libjline2-java. - Update to libyecht-java to (>= 1.0~). - Update to nailgun (>= 0.9.1~). - Update to bytelist (>= 1.0.12~). - Update to jffi (>= 1.2.7~). - Update to jnr-posix (>= 3.0.9~). - Add libyaml-snake-java. - Add libinvokebinder-java. - Replace libasm3-java with libasm4-java. - Add libjnr-x86asm-java. - Update libjnr-netdb-java to (>= 1.1.4~). - Add liblivetribe-jsr223-java. - Add ruby-rspec and ruby-minitest. - Add locales-all. * Update copyright file. * Remove unnecessary preinst and postinst scripts. * Update package description. * Ship a copy of jquery library since the source package contains a minified copy. This is to avoid lintian warnings, during build time a link symbolic to libjs-jquery is deployed. -- Miguel Landaeta Sun, 31 May 2015 19:37:41 -0300 jruby (1.5.6-10) unstable; urgency=medium * Add myself to Uploaders list. * Replace dependency on libconstantine-java with libjnr-constants-java. * Refresh patches: - d/p/0003-do-not-install-gems.patch. - d/p/0004-replace-bundled-libraries.patch. - d/p/0012-nailgun.patch. -- Miguel Landaeta Sat, 02 May 2015 17:37:51 -0300 jruby (1.5.6-9) unstable; urgency=medium * Team upload. * Build-depend on openjdk-7-jdk >= 7u71-2.5.3 (closes: #759947). This version restores the "apt" tool. - Thank you to Michael Gilbert for the patch. -- tony mancill Sat, 01 Nov 2014 19:55:32 -0700 jruby (1.5.6-8) unstable; urgency=medium [ tony mancill ] * Team upload. * Recommend "ri" instead of "ri1.8" (ruby interpreter) * Use DH9 instead of version 6. * Rebuild against a non-broken joda-time. (Closes: #729171) * Bump Standards-Version to 3.9.6 (no changes). [ Emmanuel Bourg ] * Removed the build dependency on libemma-java -- tony mancill Mon, 27 Oct 2014 23:27:54 -0700 jruby (1.5.6-7) unstable; urgency=low * Team upload. * Provide maven artifacts. (Closes: #737424). -- Miguel Landaeta Sun, 02 Feb 2014 21:37:46 -0300 jruby (1.5.6-6) unstable; urgency=low * Team upload. [ tony mancill ] * Apply patch to set FD_CLOEXEC correctly using F_SETFD not F_SETFL. - Thank you to Guillem Jover. (Closes: #696283) [ gregor herrmann ] * Apply all changes from the Ubuntu package: - Depend on default-jre. - Add patch 0011-java7-compat.patch. Fix build issue with OpenJDK 7. Thanks, Julian Taylor. - Add patch 0012-nailgun.patch. Use unversioned nailgun.jar. Thanks, Julian Taylor. Change re the Ubuntu version: nailgun.jar instead of nailgun-0.9.0.jar. (Closes: #713159) * debian/control: use canonical URLs for Vcs-*. * Declare compliance with Debian Policy 3.9.5. -- gregor herrmann Fri, 01 Nov 2013 17:55:29 +0100 jruby (1.5.6-5) unstable; urgency=medium * Team upload. * Add patch for CVE-2012-5370: Use PerlHash instead of MurmurHash (that is vulnerable to DoS attacks). (Closes: #694694) [Patch adapted from 5e4aab28 upstream] -- Martin Quinson Tue, 11 Dec 2012 21:22:36 +0100 jruby (1.5.6-4) unstable; urgency=medium * Team upload. * Add patch for CVE-2011-4838 (Closes: #686867) - Thanks to Moritz Muehlenhoff -- tony mancill Thu, 20 Sep 2012 13:36:31 -0700 jruby (1.5.6-3) unstable; urgency=low [Miguel Landaeta] * Team upload. * Switch to default-jdk. (Closes: #655823). [tony mancill] * Bump Standards-Version to 3.9.2 (no changes). * Address lintian warning in d/copyright (update path to GPL-2). -- Miguel Landaeta Sat, 14 Jan 2012 14:13:54 -0430 jruby (1.5.6-2) unstable; urgency=high * Add workaround for strange dpkg-source error. (Closes: #643516) -- Torsten Werner Tue, 04 Oct 2011 22:24:31 +0200 jruby (1.5.6-1) unstable; urgency=low * New upstream version (Closes: #636554) * Document licenses and copyright holders of code in jruby-launcher-1.0.3-java.gem. * Change debian/watch to read tags from github. Remove get-orig-source target from debian/rules because we mirror the github repo in our repo. * Use cdbs to build the package. -- Torsten Werner Tue, 20 Sep 2011 21:17:04 +0200 jruby (1.5.1+dfsg4-2) unstable; urgency=low * Use yecht-ruby.jar for building. -- Torsten Werner Sun, 18 Sep 2011 19:24:44 +0200 jruby (1.5.1+dfsg4-1) unstable; urgency=low * Remove bundled yecht.jar from orig tarball. * Move package to main. -- Torsten Werner Sun, 18 Sep 2011 00:01:11 +0200 jruby (1.5.1+dfsg3-1) unstable; urgency=low * Remove bundled jnr-netdb.jar from orig tarball. * Add Depends: libjffi-jni. -- Torsten Werner Sat, 17 Sep 2011 17:34:12 +0200 jruby (1.5.1+dfsg2-1) experimental; urgency=low * Remove bundled jnr-posix.jar from orig tarball. -- Torsten Werner Wed, 14 Sep 2011 20:32:31 +0200 jruby (1.5.1+dfsg1-1) experimental; urgency=low * Replace more prebuilt jars by Build-Depends. * Modify 0002-jruby_home-is-at-a-specific-location-on-Debian.patch to avoid test failures. * Add get-orig-source target. * Clean more files in clean target. * Clean up debian/copyright. * Do not build InvokeDynamicSupport.java because it requires some backport (jsr292-mock.jar) from Java7. * Replace rdocs by a symlink and add Recommends: ri1.8. * Add a patch for the unversioned jarjar.jar. -- Torsten Werner Tue, 13 Sep 2011 22:43:35 +0200 jruby (1.5.1-1) unstable; urgency=low [ Hideki Yamane ] * use already packaged jar files to build jruby. add "Build-Depends: libasm3-java, libcommons-logging-java, libjarjar-java, libjoda-time-java, junit4, libemma-java, libbsf-java, libjline-java, bnd, libconstantine-java" (Closes: #581390) [ Torsten Werner ] * New upstream release * Changed Maintainer to pkg-java-maintainers with the agreement of Sebastien. * Add Sebastien and myself to the Uploaders list. * Add Vcs headers to debian/control. * Remove bin/jruby in clean target. * Convert patches to dep3 format. * Remove unneeded jar files from orig tarball. * Define JAVA_HOME and set it to default-java. * Run tests during build. - Upgrade Build-Depends: ant to ant-optional. - Add Build-Depends: netbase. - Add a patch to ignore test failures. - Set CLASSPATH=/usr/share/java/junit4.jar in debian/rules. -- Torsten Werner Fri, 30 Jul 2010 03:07:08 +0200 jruby (1.5.0~rc3-1) unstable; urgency=low * New upstream release (Closes: #581360). -- Sebastien Delafond Wed, 12 May 2010 15:56:25 +0200 jruby (1.5.0~rc1-1) unstable; urgency=low * New upstream release candidate. * Moved to 4.0 (quilt) source format. * Updated watch file. * Bumped-up Standards-Version. -- Sebastien Delafond Tue, 20 Apr 2010 18:01:51 +0200 jruby (1.4.0-2) unstable; urgency=low * Make sure we're comptaible with a 1.5 JRE (Closes: #563028); thanks to Shyamal Prasad for the patch. -- Sebastien Delafond Mon, 11 Jan 2010 14:44:34 +0100 jruby (1.4.0-1) unstable; urgency=low * New upstream release. * Updated watch file. * Updated copyright file to reflect addition of new third-party jars. -- Sebastien Delafond Thu, 10 Dec 2009 12:34:42 +0100 jruby (1.3.1-2) unstable; urgency=low * Moving to non-free, with detailed debian/copyright (Closes: #551618). * Got rid of jruby alternatives as provided by older jruby1.x. -- Sebastien Delafond Wed, 09 Dec 2009 17:30:55 +0100 jruby (1.3.1-1) unstable; urgency=low * First release (Closes: #548734). * Move to non-free (See #527977). -- Sebastien Delafond Mon, 19 Oct 2009 15:41:51 +0200