A 'mandatory' security patch has been released. Ebuilds should be updated too. More info: http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
Ruby, please provide fixed ebuilds, thanks.
It's in portage as rails-1.1.5.
Also affects (and now in portage): actionmailer-1.2.4, actionpack-1.12.4, actionwebservice-1.1.5, activerecord-1.14.4.
Does NOT affect: activesupport-1.3.1.
I suppose we need arches to mark stable sooner than later; I'd like them to test and make sure the install goes okay for everyone (worked fine here). According to the site the differences between 1.1.4 and 1.1.5 are minimal save for the security stuff. I hope that's right.
arches, please test and stable rails-1.1.5, thank you
... and of course also the other packages as mentioned in comment #2, sorry.
ppc stable
I get a digest failure on actionpack-1.12.4:
>>> checking actionpack-1.12.4.gem
!!! Digest verification failed:
!!! /usr/portage/distfiles/actionpack-1.12.4.gem
!!! Reason: Filesize does not match recorded size
!!! Got: 530432
!!! Expected: 529920
Other than that this is good to go on amd64.

emerge --info
Portage 2.1-r1 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-suspend2-r3-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.17-suspend2-r3-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.6.15
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python: 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.3
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa arts avi berkdb bitmap-fonts cli crypt cups dlloader dri eds emboss encode foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 imlib ipv6 isdnlog jpeg kde kdeenablefinal lzw lzw-tiff mp3 mpeg ncurses nls nptl opengl pam pcre pdflib perl png pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd tiff truetype-fonts type1-fonts unicode usb userlocales xorg xpm xv zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux linguas_de userland_GNU video_cards_dummy"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
of course, they changed the .gem after the announcement... argh
I recommitted the new digest. I hope mirroring doesn't cause major breakage.
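The size mismatch reported above is exactly the case a recorded digest exists to catch: a gem quietly re-published under the same version name no longer matches what the tree recorded. As an added illustration (not Portage's own verifier and not code from this thread), the check below verifies a downloaded distfile against an assumed Manifest2-style line of the form "DIST <file> <size> SHA512 <hex>", comparing the size first the way the Portage message does; the numbers in the demo are constructed to mirror the report.

```ruby
require 'digest/sha2'

# Added example, not Portage's own verifier. Assumes a Manifest2-style line:
#   DIST actionpack-1.12.4.gem 529920 SHA512 <hex>
# Digest algorithms this checker understands (constructed mapping).
DIGESTS = { 'SHA256' => Digest::SHA256, 'SHA512' => Digest::SHA512 }.freeze

def parse_manifest_line(line)
  fields = line.split
  raise ArgumentError, "not a DIST entry: #{line}" unless fields[0] == 'DIST'
  hashes = Hash[fields[3..-1].each_slice(2).to_a]   # {"SHA512" => "<hex>", ...}
  { name: fields[1], size: Integer(fields[2]), hashes: hashes }
end

# Returns a hash whose :status is :ok, :size_mismatch or :digest_mismatch.
# Size is compared before any digest: a replaced upstream artifact usually
# shows up first as "Filesize does not match recorded size".
def verify_distfile(path, manifest_line)
  entry = parse_manifest_line(manifest_line)
  data = File.binread(path)
  if data.bytesize != entry[:size]
    return { status: :size_mismatch, got: data.bytesize, expected: entry[:size] }
  end
  entry[:hashes].each do |algo, expected|
    impl = DIGESTS.fetch(algo) { raise ArgumentError, "unknown digest #{algo}" }
    got = impl.hexdigest(data)
    return { status: :digest_mismatch, algo: algo, got: got, expected: expected } if got != expected
  end
  { status: :ok }
end

if __FILE__ == $PROGRAM_NAME
  require 'tempfile'
  # Constructed stand-in for a re-published gem: 512 bytes longer than the
  # recorded 529920, mirroring the numbers in the report above.
  Tempfile.create('actionpack-1.12.4.gem') do |f|
    f.binmode
    f.write("\0" * 530432)
    f.flush
    line = "DIST actionpack-1.12.4.gem 529920 SHA512 #{'0' * 128}"
    p verify_distfile(f.path, line)  # => {:status=>:size_mismatch, :got=>530432, :expected=>529920}
  end
end
```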
amd64 stable.
x86 stable, I didn't find any rubies.. who stole them all?
Rerating as I doubt this will be more than a B1.
Some real info on the problem (upstream-- for their security by obscurity approach). http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html
All stable on sparc. Notes:
1. sparc tests used lighttpd;
2. script/server (for testing connections from local & remote) generates a lot of annoying 'method redefined' warnings;
3. Test system is running ruby-1.8.4-r3
BTW, 1.1.5 is now obsolete, 1.1.6 has been released today.
yeah, but as of now I'm not able to download the gems so I can't do updates in portage yet.
ok, gems now available. all have been bumped accordingly, and I left the already stable arches alone since the diff between 1.1.5 and 1.1.6 was basically trivial. so we're waiting on ia64 and the bsd folks.
http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure says upgrade to 1.1.6 is security related. According to http://www.ruby-forum.com/topic/76671 calling urls such as http://127.0.0.1:3000/builder/blankslate http://127.0.0.1:3000/active_support/dependencies on 1.1.5 will cause all subsequent requests to fail. All of this was not tested by myself so YMMV.
1.1.6 is the new fixed version. It is already in Portage and stable as per comment #16.
I will delete the offending versions from portage sometime today (that's 1.1.0 through 1.1.5)
GLSA 200608-20 sent