🚨 [security] Update ffi: 1.9.18 → 1.9.25 (patch)
**Welcome to Depfu** 👋
This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.
After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.
[Let us know](mailto:hi@depfu.com) if you have any questions. Thanks so much for giving Depfu a try!
Advisory: CVE-2018-1000201 Disclosed: June 22, 2018 URL: https://github.com/ffi/ffi/releases/tag/1.9.24
ruby-ffi DDL loading issue on Windows OS
ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be
hijacked on Windows OS, when a Symbol is used as DLL name instead of a String
This vulnerability appears to have been fixed in v1.9.24 and later.
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗ ️ ffi (indirect, 1.9.18 → 1.9.25) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 53 commits:
Prepare for release 1.9.25Revert "README: Remove now unnecessary PaX workaround [ci skip]"Revert "Do closures via libffi"Run rspec with dots output onlyFix integer parameter range specsFix several specs where raise_error was called without classSpecify error class for several raise_error callsFix missing C declarations causing compiler warningsReplace symlinks for mips r6 with plain filesUpdate CHANGELOGMerge branch 'master' of github.com:ffi/ffiAdd a CHANGELOG fileBump VERSION to 1.9.24Update libffi to latest changes on masterDon't search in hardcoded paths on WindowsDon't treat Symbol args different to Strings in ffi_libMake sure size_t is defined in Thread.cMerge pull request #601 from wzssyqa/masterBump VERSION to 1.9.23Bump VERSION to 1.9.23.pre1README: Remove now unnecessary PaX workaround [ci skip]Fix wrong path to search for configureUpdate libffi to latest masterFix repeated generation of autoconf filesBump VERSION to 1.9.22Fix failures on MacOS (#617)Merge pull request #540 from forgottenswitch/paxMerge pull request #615 from takkanm/suppress-unused-variable-warningAdd Appveyor badge iconsuppress unused variable warningVarious fixes and more deterinistic gem packaging (#612)Grr.Bump version again while I figure out how to build this thing.Bump version to 1.9.19.Bump rake-compiler-dock dependency to add ruby-2.5 support (#599)update travis for latest ruby versions.Add mips64(eb) support, and mips r6 supportUse kramdown for markdown processing.Upgrade to yard ~> 0.9 to silence Github dependency vulnerability warning.add missing win64 typesoptimise read_string for case if len is nilread_string should not throw an error on length 0Fix typo of mprotect (#586)Do not assume a path to the sh and env binaries (#528)Do closures via libffiUse Ruby implementation for `which` (#315)Added support for Bitmask. (#573)Fix compatibility with PPC64LE platform (#577)Normalize sparc64 to sparcv9. (#575)Add support for MSYS2 (#572)Add support for Sparc64 Linux. (#574)Drop Ruby 1.8.7 support (#480)Use PRIsVALUE shim when not available for Ruby < 2.0 compatibility. (#548)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
- @depfu rebase
- Rebases against your default branch and redoes this update
- @depfu merge
- Merges this PR once your tests are passing and conflicts are resolved
- @depfu reopen
- Restores the branch and reopens this PR (if it's closed)
- @depfu pause
- Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]
- Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume
- Future versions of this dependency will create PRs again (leaves this PR as is)