🚨 [security] Update ffi: 1.9.18 → 1.9.25 (patch)
**Welcome to Depfu** 👋
This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.
After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.
[Let us know](mailto:hi@depfu.com) if you have any questions. Thanks so much for giving Depfu a try!
**Advisory:** CVE-2018-1000201
**Disclosed:** June 22, 2018
**URL:** https://github.com/ffi/ffi/releases/tag/1.9.24

ruby-ffi DLL loading issue on Windows OS

ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String. This vulnerability appears to have been fixed in v1.9.24 and later.
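The advisory gives a clear affected range (1.9.23 and earlier, fixed in 1.9.24), which is enough to audit a lockfile for. The following is an added example written for this page, not code from Depfu or the ffi project: it reads the resolved `ffi` version out of Gemfile.lock text and reports whether it predates the fix. The sample lockfiles are constructed for the demonstration, and the `locked_version` / `ffi_vulnerable?` helpers are hypothetical names.

```ruby
# Added example (not part of the Depfu PR or the ffi project): scan a
# Gemfile.lock for the resolved ffi version and report whether it falls in
# the range the advisory names as affected (1.9.23 and earlier; fixed in 1.9.24).
require "rubygems"

FFI_FIXED_VERSION = Gem::Version.new("1.9.24")

# Extract the resolved version of a gem from Gemfile.lock text.
# Spec lines look like "    ffi (1.9.18)" or "    ffi (1.9.18-x64-mingw32)";
# the platform suffix after "-" is dropped so Gem::Version does not treat it
# as a prerelease tag and sort it below the plain version.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A\s+#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/))
      return Gem::Version.new(m[1].split("-", 2).first)
    end
  end
  nil
end

# True when the locked ffi version predates the fix named in CVE-2018-1000201.
# A lockfile without ffi at all is reported as not affected.
def ffi_vulnerable?(lockfile_text)
  version = locked_version(lockfile_text, "ffi")
  return false if version.nil?
  version < FFI_FIXED_VERSION
end

# Constructed sample lockfiles for demonstration (not from the PR).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ffi (1.9.18)
      rake (12.3.1)

  PLATFORMS
    ruby
LOCK

PATCHED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ffi (1.9.25-x64-mingw32)
      rake (12.3.1)

  PLATFORMS
    x64-mingw32
LOCK

if __FILE__ == $PROGRAM_NAME
  [VULNERABLE_LOCK, PATCHED_LOCK].each do |lock|
    status = ffi_vulnerable?(lock) ? "affected" : "not affected"
    puts "ffi #{locked_version(lock, 'ffi')}: #{status}"
  end
end
```

Run it against a real Gemfile.lock by reading the file into a string and passing it to `ffi_vulnerable?`; prerelease versions such as `1.9.23.pre1` compare below `1.9.24` and are therefore also reported as affected.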
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
**What changed?**

ffi (indirect, 1.9.18 → 1.9.25) · Repo · Changelog

**Commits**
See the full diff on GitHub. The new version differs by 53 commits:
- Prepare for release 1.9.25
- Revert "README: Remove now unnecessary PaX workaround [ci skip]"
- Revert "Do closures via libffi"
- Run rspec with dots output only
- Fix integer parameter range specs
- Fix several specs where raise_error was called without class
- Specify error class for several raise_error calls
- Fix missing C declarations causing compiler warnings
- Replace symlinks for mips r6 with plain files
- Update CHANGELOG
- Merge branch 'master' of github.com:ffi/ffi
- Add a CHANGELOG file
- Bump VERSION to 1.9.24
- Update libffi to latest changes on master
- Don't search in hardcoded paths on Windows
- Don't treat Symbol args different to Strings in ffi_lib
- Make sure size_t is defined in Thread.c
- Merge pull request #601 from wzssyqa/master
- Bump VERSION to 1.9.23
- Bump VERSION to 1.9.23.pre1
- README: Remove now unnecessary PaX workaround [ci skip]
- Fix wrong path to search for configure
- Update libffi to latest master
- Fix repeated generation of autoconf files
- Bump VERSION to 1.9.22
- Fix failures on MacOS (#617)
- Merge pull request #540 from forgottenswitch/pax
- Merge pull request #615 from takkanm/suppress-unused-variable-warning
- Add Appveyor badge icon
- suppress unused variable warning
- Various fixes and more deterministic gem packaging (#612)
- Grr.
- Bump version again while I figure out how to build this thing.
- Bump version to 1.9.19.
- Bump rake-compiler-dock dependency to add ruby-2.5 support (#599)
- update travis for latest ruby versions.
- Add mips64(eb) support, and mips r6 support
- Use kramdown for markdown processing.
- Upgrade to yard ~> 0.9 to silence Github dependency vulnerability warning.
- add missing win64 types
- optimise read_string for case if len is nil
- read_string should not throw an error on length 0
- Fix typo of mprotect (#586)
- Do not assume a path to the sh and env binaries (#528)
- Do closures via libffi
- Use Ruby implementation for `which` (#315)
- Added support for Bitmask. (#573)
- Fix compatibility with PPC64LE platform (#577)
- Normalize sparc64 to sparcv9. (#575)
- Add support for MSYS2 (#572)
- Add support for Sparc64 Linux. (#574)
- Drop Ruby 1.8.7 support (#480)
- Use PRIsVALUE shim when not available for Ruby < 2.0 compatibility. (#548)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.

**All Depfu comment commands**
- `@depfu rebase`
  - Rebases against your default branch and redoes this update
- `@depfu merge`
  - Merges this PR once your tests are passing and conflicts are resolved
- `@depfu reopen`
  - Restores the branch and reopens this PR (if it's closed)
- `@depfu pause`
  - Ignores all future updates for this dependency and closes this PR
- `@depfu pause [minor|major]`
  - Ignores all future minor/major updates for this dependency and closes this PR
- `@depfu resume`
  - Future versions of this dependency will create PRs again (leaves this PR as is)