File rubygem-actionpack-6.1.changes of Package rubygem-actionpack-6.1
-------------------------------------------------------------------
Mon Nov 4 15:56:28 UTC 2024 - Dan Čermák <dan.cermak@posteo.net>
- ## Rails 6.1.7.10 (October 23, 2024) ##
* No changes.
## Rails 6.1.7.9 (October 15, 2024) ##
* Avoid regex backtracking in HTTP Token authentication
[CVE-2024-47887]
* Avoid regex backtracking in query parameter filtering
[CVE-2024-41128]
-------------------------------------------------------------------
Fri Jun 21 09:12:04 UTC 2024 - Dan Čermák <dan.cermak@posteo.net>
- ## Rails 6.1.7.8 (June 04, 2024) ##
* Include the HTTP Permissions-Policy on non-HTML Content-Types
[CVE-2024-28103]
## Rails 6.1.7.7 (February 21, 2024) ##
* No changes.
-------------------------------------------------------------------
Thu Nov 2 15:31:41 UTC 2023 - Dan Čermák <dan.cermak@posteo.net>
- ## Rails 6.1.7.6 (August 22, 2023) ##
* No changes.
## Rails 6.1.7.5 (August 22, 2023) ##
* No changes.
## Rails 6.1.7.4 (June 26, 2023) ##
* Raise an exception if illegal characters are provided to redirect_to
[CVE-2023-28362]
*Zack Deveau*
## Rails 6.1.7.3 (March 13, 2023) ##
* No changes.
## Rails 6.1.7.2 (January 24, 2023) ##
* Fix `domain: :all` for two letter TLD
This fixes a compatibility issue introduced in our previous security
release when using `domain: :all` with a two letter but single level
top-level domain (like `.ca`, rather than `.co.uk`).
## Rails 6.1.7.1 (January 17, 2023) ##
* Avoid regex backtracking on If-None-Match header
[CVE-2023-22795]
* Use string#split instead of regex for domain parts
[CVE-2023-22792]
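Added illustration (not Action Pack's cookie code) of the split-based approach behind the two entries above, `domain: :all` for two-letter TLDs and the move from a regex to `String#split`: a hypothetical `cookie_domain_for` that derives the cookie Domain attribute by splitting the host on dots in a single pass. The `tld_length` keyword is an assumed parameter modelled on the Rails option of that name.

```ruby
# Added example, not Action Pack's cookie code: derive the cookie Domain
# attribute for a `domain: :all`-style option by splitting the host on "."
# rather than matching it with a regular expression. Each step is one pass
# over the string, so a long or odd host name costs linear time.
#
# `tld_length` (an assumed parameter, named after the Rails option) is the
# number of labels in the public suffix: 1 for ".ca" or ".com", 2 for
# ".co.uk". It has to come from configuration; splitting alone cannot tell
# "example.ca" (a two-letter single-level TLD) from "co.uk" (a two-level
# suffix) by shape.
def numeric_octet?(label)
  label.length.between?(1, 3) &&
    label.each_char.all? { |ch| ch.between?("0", "9") } &&
    label.to_i <= 255
end

def cookie_domain_for(host, tld_length: 1)
  return nil unless host.is_a?(String) && !host.empty?

  # -1 keeps empty labels, so "a..b", ".a" and "a." are rejected below.
  labels = host.downcase.split(".", -1)
  return nil if labels.any?(&:empty?)

  # Dotted-quad IPv4 addresses get no Domain attribute (the cookie stays host-only).
  return nil if labels.length == 4 && labels.all? { |l| numeric_octet?(l) }

  # "localhost", or a host that is nothing but the public suffix, also stays host-only.
  return nil if labels.length <= tld_length

  "." + labels.last(tld_length + 1).join(".")
end
```

With the default suffix length of 1, `www.example.ca` yields `.example.ca` and a host made of thousands of labels is handled in one pass, but `www.example.co.uk` yields `.co.uk`, a public suffix that browsers refuse to set cookies for; the split cannot infer the suffix depth, which is why it has to be configured (`tld_length: 2`, in Rails `config.action_dispatch.tld_length`).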
-------------------------------------------------------------------
Mon Oct 10 12:51:45 UTC 2022 - Stephan Kulow <coolo@suse.com>
- updated to version 6.1.7
  see installed CHANGELOG.md
## Rails 6.1.7 (September 09, 2022) ##
* No changes.
-------------------------------------------------------------------
Thu Aug 4 12:49:55 UTC 2022 - Stephan Kulow <coolo@suse.com>
- updated to version 6.1.6.1
  see installed CHANGELOG.md
## Rails 6.1.6.1 (July 12, 2022) ##
* No changes.
-------------------------------------------------------------------
Thu Apr 28 05:08:46 UTC 2022 - Stephan Kulow <coolo@suse.com>
- updated to version 6.1.5.1
  see installed CHANGELOG.md
## Rails 6.1.5.1 (April 26, 2022) ##
* Allow Content Security Policy DSL to generate for API responses.
*Tim Wade*
## Rails 6.1.5 (March 09, 2022) ##
* Fix `content_security_policy` returning invalid directives.
Directives such as `self`, `unsafe-eval` and few others were not
single quoted when the directive was the result of calling a lambda
returning an array.
```ruby
content_security_policy do |policy|
policy.frame_ancestors lambda { [:self, "https://example.com"] }
end
```
With this fix the policy generated from above will now be valid.
*Edouard Chin*
* Update `HostAuthorization` middleware to render debug info only
when `config.consider_all_requests_local` is set to true.
Also, blocked host info is always logged with level `error`.
Fixes #42813.
*Nikita Vyrko*
* Dup arrays that get "converted".
Fixes #43681.
*Aaron Patterson*
* Don't show deprecation warning for equal paths.
*Anton Rieder*
* Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
Fixes #43094.
*Alex Ghiculescu*
* Add fallback host for SystemTestCase driven by RackTest.
Fixes #42780.
*Petrik de Heus*
* Add more detail about what hosts are allowed.
*Alex Ghiculescu*
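Added illustration, not the Action Pack `content_security_policy` DSL, of the quoting rule behind the 6.1.5 lambda fix above: hypothetical helpers that expand a source list given as an array or as a lambda returning one, single-quoting keyword sources such as `:self` and `:unsafe_eval` and leaving host and scheme sources bare, plus a check that flags unquoted keywords in a directive built elsewhere. The symbol table and function names are my own.

```ruby
# Added example, not the Action Pack content_security_policy DSL. The table
# is mine and covers the standard CSP keyword and scheme sources; the rule
# that matters is that keywords are emitted in single quotes while host and
# scheme sources are not.
CSP_SOURCE_TOKENS = {
  self: "'self'", none: "'none'", unsafe_inline: "'unsafe-inline'",
  unsafe_eval: "'unsafe-eval'", strict_dynamic: "'strict-dynamic'",
  report_sample: "'report-sample'",
  http: "http:", https: "https:", data: "data:", blob: "blob:",
  ws: "ws:", wss: "wss:"
}.freeze

CSP_KEYWORD_NAMES = %w[self none unsafe-inline unsafe-eval strict-dynamic report-sample].freeze

def csp_source_token(source)
  case source
  when Symbol
    CSP_SOURCE_TOKENS.fetch(source) { raise ArgumentError, "unknown CSP source #{source.inspect}" }
  when String
    # A bare "self" would be sent as a host named self; demand the symbol so it gets quoted.
    raise ArgumentError, "pass #{source.inspect} as a symbol" if CSP_KEYWORD_NAMES.include?(source)
    # Whitespace or ";" would end the source list early and smuggle in another directive.
    raise ArgumentError, "illegal CSP source #{source.inspect}" if source.match?(/[\s;,]/)
    source
  else
    raise ArgumentError, "unsupported CSP source #{source.inspect}"
  end
end

# `sources` is an Array or a callable returning one. A zero-arity lambda is
# called as-is; otherwise it receives `context` (for instance the request).
def csp_directive(name, sources, context = nil)
  list = if sources.respond_to?(:call)
           sources.arity.zero? ? sources.call : sources.call(context)
         else
           sources
         end
  [name, *Array(list).map { |s| csp_source_token(s) }].join(" ")
end

def csp_header(directives, context = nil)
  directives.map { |name, sources| csp_directive(name, sources, context) }.join("; ")
end

# Checks a directive value produced elsewhere: returns the keyword tokens
# that appear without quotes, which is the defect the 6.1.5 entry describes.
def csp_unquoted_keywords(directive_value)
  directive_value.split(/\s+/).drop(1).select { |t| CSP_KEYWORD_NAMES.include?(t) }
end
```

`csp_header({ "frame-ancestors" => lambda { [:self, "https://example.com"] } })` produces `frame-ancestors 'self' https://example.com`; the same list with a bare string `"self"` is rejected rather than emitted as a host named self.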
## Rails 6.1.4.7 (March 08, 2022) ##
* No changes.
-------------------------------------------------------------------
Tue Feb 15 07:07:00 UTC 2022 - Stephan Kulow <coolo@suse.com>
- updated to version 6.1.4.6
  see installed CHANGELOG.md
## Rails 6.1.4.6 (February 11, 2022) ##
* No changes.
## Rails 6.1.4.5 (February 11, 2022) ##
* Under certain circumstances, the middleware isn't informed that the
response body has been fully closed, which results in request state not
being fully reset before the next request.
[CVE-2022-23633]
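Added illustration, not the Action Pack patch, of the failure mode the 6.1.4.5 entry describes: a hypothetical Rack-style middleware whose per-request state is reset only when the response body is closed, next to a hardened variant that also resets it when the app raises and no body is ever returned. Class names, the fake app and the `REQUEST_ID` key are constructed for the example.

```ruby
# Added example, not the Action Pack fix. Per-request state is reset when the
# server closes the body; if the body is never handed back (here, because the
# app raised) no close happens and the previous request's state is still
# present when the next one starts. `hardened: true` adds the missing reset.
class RequestState
  attr_reader :current

  def initialize
    @current = nil
  end

  def start!(env)
    @current = env["REQUEST_ID"]
  end

  def complete!
    @current = nil
  end
end

# Wraps a Rack body so a callback fires exactly once when the server closes it.
class ClosingBody
  def initialize(body, &on_close)
    @body = body
    @on_close = on_close
    @closed = false
  end

  def each(&block)
    @body.each(&block)
  end

  def close
    return if @closed
    @closed = true
    begin
      @body.close if @body.respond_to?(:close)
    ensure
      @on_close.call
    end
  end
end

class StatefulMiddleware
  attr_reader :state

  def initialize(app, hardened: true)
    @app = app
    @hardened = hardened
    @state = RequestState.new
  end

  def call(env)
    @state.start!(env)
    status, headers, body = @app.call(env)
    # Normal path: the reset runs when the server closes the body after streaming it.
    [status, headers, ClosingBody.new(body) { @state.complete! }]
  rescue Exception
    # No body will be returned, so nothing downstream can close it: reset here.
    @state.complete! if @hardened
    raise
  end
end

# Stand-in for the server: stream the body, then close it, as Rack servers do.
def run_request(middleware, env)
  status, _headers, body = middleware.call(env)
  chunks = []
  body.each { |c| chunks << c }
  [status, chunks.join]
ensure
  body.close if body.respond_to?(:close)
end

# Returns the request id the middleware still holds after a failed request:
# nil means the state was reset, a request id means it leaked.
def state_left_after_error(hardened:)
  app = lambda do |env|
    raise "boom" if env["PATH_INFO"] == "/boom"
    [200, { "content-type" => "text/plain" }, ["ok"]]
  end
  middleware = StatefulMiddleware.new(app, hardened: hardened)
  begin
    run_request(middleware, { "PATH_INFO" => "/boom", "REQUEST_ID" => "req-1" })
  rescue RuntimeError
    # propagates to the server's error handling in a real stack
  end
  middleware.state.current
end
```

`state_left_after_error(hardened: false)` returns `"req-1"`, the leaked state; with `hardened: true` it returns nil, and the normal path resets through `ClosingBody#close` either way.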
-------------------------------------------------------------------
Tue Jan 25 06:19:37 UTC 2022 - Stephan Kulow <coolo@suse.com>
- updated to version 6.1.4.4
  see installed CHANGELOG.md
## Rails 6.1.4.4 (December 15, 2021) ##
* Fix issue with host protection not allowing host with port in development.
## Rails 6.1.4.3 (December 14, 2021) ##
* Fix issue with host protection not allowing localhost in development.
## Rails 6.1.4.2 (December 14, 2021) ##
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
-------------------------------------------------------------------
Wed Aug 25 04:58:50 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 6.1.4.1
* [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
Specially crafted "X-Forwarded-Host" headers in combination with certain
"allowed host" formats can cause the Host Authorization middleware in Action
Pack to redirect users to a malicious website.
-------------------------------------------------------------------
Fri Jul 9 12:23:16 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 6.1.4
* Ignore file fixtures on `db:fixtures:load`
*Kevin Sjöberg*
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
*Dylan Thacker-Smith*
* Correctly place optional path parameter booleans.
Previously, if you specified a URL parameter that is part of the path as false, it would include that part
of the path as a parameter, for example:
```ruby
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
things_path(optional_id: false) # => "/things?optional_id=false"
```
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
```ruby
get "(this/:my_bool)/that" => "foo#foo", as: :that
that_path(my_bool: true)  # => "/this/true/that"
that_path(my_bool: false) # => "/this/false/that"
```
*Adam Hess*
* Add support for 'private, no-store' Cache-Control headers.
Previously, 'no-store' was exclusive; no other directives could be specified.
*Alex Smith*
-------------------------------------------------------------------
Fri May 14 15:53:21 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 6.1.3.2
* Prevent open redirects by correctly escaping the host allow list
[CVE-2021-22903]
* Prevent catastrophic backtracking during mime parsing
[CVE-2021-22902]
* Prevent regex DoS in HTTP token authentication
[CVE-2021-22904]
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
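Added illustration, not the `ActionController::HttpAuthentication::Token` parser, of the remedy behind the token-authentication entries here (CVE-2021-22904) and in 6.1.7.9 above (CVE-2024-47887): a hypothetical `parse_token_params` that reads `Authorization: Token key="value", ...` with a single left-to-right scan and no quantified regex, so a hostile header costs time linear in its length. The scheme handling and the accepted parameter syntax are assumptions, not the Rails behaviour.

```ruby
# Added example, not Action Pack's token parser. With no quantified groups
# there is nothing for a regex engine to backtrack over: every byte is
# visited once. Parameter names are treated as case-insensitive; a quoted
# value may contain commas and backslash-escaped quotes.
def parse_token_params(header)
  return nil unless header.is_a?(String)
  scheme, rest = header.strip.split(" ", 2)
  return nil if scheme.nil? || rest.nil?

  # Scan a byte string: character indexing into a multibyte String is itself
  # linear per access, which would make the whole scan quadratic.
  rest = rest.strip.b
  n = rest.bytesize
  params = {}
  i = 0
  while i < n
    i += 1 while i < n && (rest[i] == " " || rest[i] == "\t" || rest[i] == ",")
    break if i >= n

    eq = rest.index("=", i)
    return nil if eq.nil?                            # parameter without "="
    key = rest[i...eq].strip
    return nil unless key.match?(/\A[A-Za-z0-9_-]+\z/) # ASCII only, so re-tagging below is safe
    i = eq + 1

    if rest[i] == '"'
      i += 1
      value = String.new(encoding: Encoding::BINARY)
      loop do
        return nil if i >= n                         # unterminated quoted value
        c = rest[i]
        if c == "\\" && i + 1 < n
          value << rest[i + 1]
          i += 2
        elsif c == '"'
          i += 1
          break
        else
          value << c
          i += 1
        end
      end
    else
      stop = rest.index(",", i) || n                 # unquoted: runs to the next comma
      value = rest[i...stop].strip
      i = stop
    end

    value.force_encoding(Encoding::UTF_8)
    return nil unless value.valid_encoding?
    params[key.downcase.force_encoding(Encoding::UTF_8)] = value
  end

  params.empty? ? nil : { scheme: scheme.downcase, params: params }
end
```

A malformed header (no `=`, an unterminated quote, an empty name) returns nil instead of being retried against alternative splits, which is where a backtracking pattern spends its time.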
-------------------------------------------------------------------
Tue Apr 20 12:55:56 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 6.1.3.1
* No changes.
-------------------------------------------------------------------
Mon Mar 15 04:08:43 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 6.1.3
* Re-define routes when not set correctly via inheritance.
*John Hawthorn*
-------------------------------------------------------------------
Mon Feb 15 10:10:40 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 6.1.2.1
## Rails 6.1.2.1 (February 10, 2021) ##
* Prevent open redirect when allowed host starts with a dot
[CVE-2021-22881]
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
issue and the patch!
*Aaron Patterson*
## Rails 6.1.2 (February 09, 2021) ##
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
*Janko Marohnić*
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
*Eugene Kenny*
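Added illustration, not the `ActionDispatch::HostAuthorization` source, contrasting the two allow-list defects named in this entry (CVE-2021-22881, an allowed host starting with a dot) and in 6.1.3.2 above (CVE-2021-22903, escaping the allow list): a deliberately naive matcher that interpolates the entry unescaped with an unrestricted subdomain wildcard, and a hardened one that escapes, anchors and restricts the subdomain part to hostname labels. The sample hosts are constructed for the demonstration.

```ruby
# Added example, not the HostAuthorization middleware. A leading dot in an
# allow-list entry means "this domain and every subdomain".

# Weak form, written only for contrast: the entry is interpolated unescaped,
# so "." is a one-character wildcard, and anything at all may precede it.
def naive_host_pattern(allowed)
  if allowed.start_with?(".")
    /\A(.+\.)?#{allowed[1..-1]}\z/i
  else
    /\A#{allowed}\z/i
  end
end

# Hardened form: escape the entry, anchor both ends, and only let hostname
# labels (letters, digits, "-") precede the domain, so characters such as
# "/", "#" or "@" that change meaning once the value lands in a URL cannot match.
def strict_host_pattern(allowed)
  allowed = allowed.downcase
  if allowed.start_with?(".")
    /\A(?:[a-z0-9-]+\.)*#{Regexp.escape(allowed[1..-1])}\z/
  else
    /\A#{Regexp.escape(allowed)}\z/
  end
end

def host_allowed?(host, allow_list, strict: true)
  return false unless host.is_a?(String) && !host.empty?
  candidate = host.downcase.sub(/:\d+\z/, "") # drop a trailing port
  allow_list.any? do |entry|
    pattern = strict ? strict_host_pattern(entry) : naive_host_pattern(entry)
    pattern.match?(candidate)
  end
end
```

The naive matcher accepts `exampleXcom` for the entry `example.com` and `attacker.test/#.example.com` for `.example.com`; the strict one accepts only `example.com` and hostname-shaped subdomains of it, with or without a port.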
-------------------------------------------------------------------
Wed Jan 20 07:06:20 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 6.1.1
* Fix nil translation key lookup in controllers.
*Jan Klimo*
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
*Alex Robbin*
* Change the request method to a GET when passing failed requests down to config.exceptions_app.
*Alex Robbin*
-------------------------------------------------------------------
Fri Dec 11 02:41:16 UTC 2020 - Manuel Schnitzer <mschnitzer@suse.com>
- removed build flags for Ruby 2.6 and 2.7 only
We need to have Ruby 2.5 binaries as well.
- removed disable_docs gem2rpm option (not available)
-------------------------------------------------------------------
Wed Dec 9 23:53:04 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
- update to version 6.1.0:
https://weblog.rubyonrails.org/2020/12/9/Rails-6-1-0-release/
-------------------------------------------------------------------
Mon Nov 2 23:20:02 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
- initial package