File rubygem-actionpack-4_2.changes of Package rubygem-actionpack-4_2.19565
-------------------------------------------------------------------
Mon May 10 11:13:32 UTC 2021 - Jacek Tomasiak <jtomasiak@suse.com>
- Added patch CVE-2021-22885.patch (CVE-2021-22885, bsc#1185715)
-------------------------------------------------------------------
Wed Mar 31 00:23:52 UTC 2021 - Jacek Tomasiak <jtomasiak@suse.com>
- Add CVE-2019-16782.patch (CVE-2019-16782, bsc#1159548)
-------------------------------------------------------------------
Mon Mar 18 11:05:41 UTC 2019 - Lukas Krause <lukas.krause@suse.com>
- Add CVE-2019-5418_and_CVE-2019-5419.patch (CVE-2019-5418,
CVE-2019-5419, bsc#1129272, bsc#1129271)
* CVE-2019-5418:
There is a possible file content disclosure vulnerability in
Action View. Specially crafted accept headers in combination
with calls to `render file:` can cause arbitrary files on the
target server to be rendered, disclosing the file contents.
* CVE-2019-5419:
Specially crafted accept headers can cause the Action View
template location code to consume 100% CPU, leaving the server
unable to process requests. This impacts all Rails applications
that render views.
- Add series file for better patch handling with quilt
-------------------------------------------------------------------
Mon Aug 28 16:08:13 UTC 2017 - rsalevsky@suse.com
- update to version 4.2.9 (bsc#1055962)
* drop CVE-2015-7581.patch, CVE-2016-0752.patch,
CVE-2016-0751.patch and CVE-2015-7576.patch as they got merged
upstream
see installed CHANGELOG.md
## Rails 4.2.9 (June 26, 2017) ##
* Use more specific check for :format in route path
The current check for whether to add an optional format to the path is very lax
and will match things like `:format_id` where there are nested resources, e.g:
``` ruby
resources :formats do
resources :items
end
```
Fix this by using a more restrictive regex pattern that looks for the patterns
`(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
allow for multiple closing parenthesis since the route may be of this form:
``` ruby
get "/books(/:action(.:format))", controller: "books"
```
This probably isn't what's intended since it means that the default index action
route doesn't support a format but we have a test for it so we need to allow it.
Fixes #28517.
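The difference between the lax substring test and the end-anchored pattern described in this entry, as an added example (not the Rails mapper's own code; the constant and method names are assumptions chosen for illustration):

```ruby
# Added example, not Rails' own code. Decides whether a route path should get
# an optional "(.:format)" suffix appended, as the 4.2.9 entry describes.
# Only a real format segment at the very end of the path counts:
#   "(.:format)" with one or more closing parens, ".:format", or a trailing "/".
OPTIONAL_FORMAT_REGEX = %r{(?:\(\.:format\)+|\.:format|/)\z}  # name assumed

# Old, lax check: a bare substring test. It is fooled by segments such as
# ":format_id" that come from nested "resources :formats" routes.
def lax_format_present?(path)
  path.include?(':format')
end

# Restrictive check: the path must end with one of the accepted patterns.
def strict_format_present?(path)
  path.match?(OPTIONAL_FORMAT_REGEX)
end

# True when the mapper should append "(.:format)". An explicit `format: false`
# disables the optional format regardless of the path.
def optional_format?(path, format: nil)
  format != false && !strict_format_present?(path)
end

# Builds the final path string the router would register.
def full_path(path, format: nil)
  optional_format?(path, format: format) ? "#{path}(.:format)" : path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample paths, mirroring the cases in the changelog entry.
  [
    '/formats/:format_id/items',        # nested resource: must still get a format
    '/books(/:action(.:format))',       # nested optional groups: already has one
    '/users/:id.:format',               # explicit format segment
    '/users/',                          # trailing slash: no format appended
    '/users/:id'                        # plain path: format appended
  ].each do |p|
    puts "#{p.ljust(30)} lax=#{lax_format_present?(p)} strict=#{strict_format_present?(p)} -> #{full_path(p)}"
  end
end
```

The `+` after `\)` is what allows the `(.:format))` ending of the nested `/books(/:action(.:format))` route to be recognised; without it, that route would receive a second, redundant `(.:format)` group.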
## Rails 4.2.8 (February 21, 2017) ##
* No changes.
## Rails 4.2.7 (July 12, 2016) ##
* No changes.
## Rails 4.2.6 (March 07, 2016) ##
* No changes.
## Rails 4.2.5.2 (February 26, 2016) ##
* Do not allow render with unpermitted parameter.
Fixes CVE-2016-2098.
## Rails 4.2.5.1 (January 25, 2015) ##
* No changes.
## Rails 4.2.5 (November 12, 2015) ##
* `ActionController::TestCase` can teardown gracefully if an error is raised
early in the `setup` chain.
*Yves Senn*
* Parse RSS/ATOM responses as XML, not HTML.
*Alexander Kaupanin*
* Fix regression in mounted engine named routes generation for app deployed to
a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
"/subdir/subdir/engine_path" instead of "/subdir/engine_path")
Fixes #20920. Fixes #21459.
*Matthew Erhard*
* `url_for` does not modify its arguments when generating polymorphic URLs.
*Bernerd Schaefer*
* Update `ActionController::TestSession#fetch` to behave more like
`ActionDispatch::Request::Session#fetch` when using non-string keys.
*Jeremy Friesen*
## Rails 4.2.4 (August 24, 2015) ##
* ActionController::TestSession now accepts a default value as well as
a block for generating a default value based off the key provided.
This fixes calls to session#fetch in ApplicationController instances that
take more than two arguments or a block from raising `ArgumentError: wrong
number of arguments (2 for 1)` when performing controller tests.
*Matthew Gerrior*
* Fix to keep original header instance in `ActionDispatch::SSL`
`ActionDispatch::SSL` changes headers to `Hash`.
So some headers will be broken if there are some middlewares
on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
*Fumiaki Matsushima*
## Rails 4.2.3 (June 25, 2015) ##
* Fix rake routes not showing the right format when
nesting multiple routes.
See #18373.
*Ravil Bayramgalin*
* Fix regression where a gzip file response would have a Content-type,
even when it was a 304 status code.
See #19271.
*Kohei Suzuki*
* Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
Previously, an empty X_FORWARDED_HOST header would cause
ActionDispatch::Http::URL.raw_host_with_port to return nil, causing
ActionDispatch::Http::URL.host to raise a NoMethodError.
*Adam Forsyth*
* Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
is set, it takes precedence.
Fixes #5122.
*Yasyf Mohamedali*
* Fix regression in functional tests. Responses should have default headers
assigned.
See #18423.
*Jeremy Kemper*, *Yves Senn*
## Rails 4.2.2 (June 16, 2015) ##
* No Changes *
-------------------------------------------------------------------
Tue Jan 26 17:50:43 UTC 2016 - jmassaguerpla@suse.com
- fix bnc#963331 - CVE-2016-0751: rubygem-actionpack: Object Leak DoS
CVE-2016-0751.patch: contains the fix
-------------------------------------------------------------------
Tue Jan 26 17:48:39 UTC 2016 - jmassaguerpla@suse.com
- fix bnc#963335 - CVE-2015-7581: rubygem-actionpack: unbounded
memory growth DoS via wildcard controller routes
CVE-2015-7581.patch: contains the fix
-------------------------------------------------------------------
Tue Jan 26 16:38:33 UTC 2016 - jmassaguerpla@suse.com
- fix bnc#963332 - CVE-2016-0752: rubygem-actionpack,
rubygem-actionview: directory traversal and information leak in
Action View
CVE-2016-0752.patch: contains the security fix
-------------------------------------------------------------------
Tue Jan 26 13:01:25 UTC 2016 - jmassaguerpla@suse.com
- fix CVE-2015-7576: rubygem-actionpack, rubygem-activesupport:
Timing attack vulnerability in basic authentication in Action Controller
CVE-2015-7576.patch: contains the fix (bsc#963329)
-------------------------------------------------------------------
Fri Jul 3 10:17:41 UTC 2015 - jmassaguerpla@suse.com
- update to version 4.2.2, no changes
(updated to match activesupport version)
(bnc#934799 and bnc#934800).
-------------------------------------------------------------------
Sun Mar 22 09:07:28 UTC 2015 - coolo@suse.com
- updated to version 4.2.1, see CHANGELOG.md
-------------------------------------------------------------------
Wed Jan 28 12:29:23 UTC 2015 - adrian@suse.de
- update to 4.2.0
-------------------------------------------------------------------
Mon Jan 19 21:09:53 UTC 2015 - dmueller@suse.com
- update to 4.1.9:
* Fixed handling of positional url helper arguments when `format: false`.
* Restore handling of a bare `Authorization` header, without `token=`
prefix.
* Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass
* Fix a bug where malformed query strings lead to 500.
* Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7829)
* Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7818)
-------------------------------------------------------------------
Mon Nov 10 14:00:03 UTC 2014 - tboerger@suse.com
- To get rails 4 running on SLE 11 I have switched the
rb_build_versions definition to rub21 as it is activated within
devel:languages:ruby. That way we can get rails 4 running on
SLE 11 too.
-------------------------------------------------------------------
Sun Oct 12 16:20:05 UTC 2014 - coolo@suse.com
- updated to version 4.1.6
* Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
("Rosetta Flash")
* Because URI paths may contain non US-ASCII characters we need to force
the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
This essentially replicates the functionality of the monkey patch to
URI.parser.unescape in active_support/core_ext/uri.rb.
Fixes #16104.
* Generate shallow paths for all children of shallow resources.
Fixes #15783.
* JSONP responses are now rendered with the `text/javascript` content type
when rendering through a `respond_to` block.
Fixes #15081.
* Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
Fixes #15511.
* ActionController::Parameters#require now accepts `false` values.
Fixes #15685.
-------------------------------------------------------------------
Wed Jul 23 13:26:43 UTC 2014 - mrueckert@suse.com
- initial package