File rubygem-actionpack-2_3.changes of Package rubygem-actionpack-2_3.openSUSE_Evergreen_11.4

-------------------------------------------------------------------
Tue Feb  5 12:27:38 UTC 2013 - lijewski.stefan@gmail.com

- update to 2.3.16 (bnc#800320) CVE-2013-0333
  - backporting deep_munge
  - removing [nil] from the params
  - Do not mark strip_tags result as html_safe
- this obsoletes all our patches: 
  2-3-null_array_param.patch
  2-3-null_param.patch
  3-0-strip_tags.patch
- update to 2.3.15: (bnc#796712, bnc#797449, bnc#797452)
  - handle missing 'HTTP_X_FORWARDED_FOR'
  - added test suite for RCE bug

-------------------------------------------------------------------
Fri Sep  7 18:54:19 UTC 2012 - mrueckert@suse.de

- added 3-0-strip_tags.patch: (bnc#775649)
  Do not mark strip_tags result as html_safe CVE-2012-3465

-------------------------------------------------------------------
Wed Jul 18 14:57:18 UTC 2012 - mrueckert@suse.de

- added 2 patches to fix security issues:
  2-3-null_param.patch       (CVE-2012-2660) (bnc#765097)
  2-3-null_array_param.patch (CVE-2012-2694) (bnc#766791)
- track series file from quilt for easier handling

-------------------------------------------------------------------
Wed Aug 17 12:02:42 UTC 2011 - mrueckert@suse.de

- update to version 2.3.14
  - fixing strip tags vulnerability (bnc#712057)
  - fixing response splitting problem (bnc#712058)

-------------------------------------------------------------------
Mon Jun 20 16:27:43 UTC 2011 - mrueckert@suse.de

- update to version 2.3.12
  - don't call destroy on a session if it doesn't respond to destroy
  - fix session timeout handling

-------------------------------------------------------------------
Wed Feb 16 11:09:20 UTC 2011 - mrueckert@suse.de

- update to version 2.3.11: (bnc#668817)
  - XSS Risk in mail_to :encode=>:javascript CVE-2011-0446
  - CSRF Bypass Risk CVE-2011-0447
  - Filter Problems on Case Insensitive Filesystems CVE-2011-0449
  - Potential SQL Injection with limit() CVE-2011-0448

-------------------------------------------------------------------
Mon Jan 17 13:21:21 UTC 2011 - mvidner@suse.cz

- Split off doc and testsuite subpackages.

-------------------------------------------------------------------
Wed Oct 27 11:34:50 UTC 2010 - mrueckert@suse.de

- update to version 2.3.10
  * Version bump.

-------------------------------------------------------------------
Sun Sep  5 11:07:19 UTC 2010 - mrueckert@suse.de

- update to version 2.3.9
  * Version bump.

-------------------------------------------------------------------
Tue May 25 16:08:12 UTC 2010 - mrueckert@suse.de

- use rubygems_requires macro

-------------------------------------------------------------------
Tue May 25 15:07:19 UTC 2010 - mrueckert@suse.de

- update to version 2.3.8
  * HTML safety: fix compatibility *without* the optional rails_xss
    plugin.
- additional changes from version 2.3.7
  * HTML safety: fix compatibility with the optional rails_xss
    plugin.  [Nathan Weizenbaum, Santiago Pastorino]
- additional changes from version 2.3.6
  * JSON: set Base.include_root_in_json = true to include a root
    value in the JSON: {"post": {"title": ...}}. Mirrors the Active
    Record option.  #2584 [Matthew Moore, Joe Martinez, Elad
    Meidar, Santiago Pastorino]
  * Ruby 1.9: ERB template encoding using a magic comment at the
    top of the file.  [Jeremy Kemper] <%# encoding: utf-8 %>
  * Fixed that default locale templates should be used if the
    current locale template is missing [DHH]
  * Fixed that PrototypeHelper#update_page should return html_safe
    [DHH]
  * Fixed that much of DateHelper wouldn't return html_safe?
    strings [DHH]
  * Fixed that fragment caching should return a cache hit as
    html_safe (or it would all just get escaped) [DHH]
  * Introduce String#html_safe for rails_xss plugin and
    forward-compatibility with Rails 3.  [Michael Koziarski,
    Santiago Pastorino, José Ignacio Costa]
  * Added :alert, :notice, and :flash as options to
    ActionController::Base#redirect_to that'll automatically set
    the proper flash before the redirection [DHH].
  * Added ActionController::Base#notice/= and
    ActionController::Base#alert/= as convenience accessors in
    both the controller and the view for flash[:notice]/= and
    flash[:alert]/= [DHH]
  * Added cookies.permanent, cookies.signed, and
    cookies.permanent.signed accessor for common cookie actions
    [DHH].
- removed actionpack-2.3.5_button_to.patch:
  included in update

-------------------------------------------------------------------
Thu Feb 18 14:09:24 UTC 2010 - aduffeck@novell.com

- add a patch to fix (bnc#581792):
  https://rails.lighthouseapp.com/projects/8994/tickets/3448-button_to-does-not-return-an-html-safe-string

-------------------------------------------------------------------
Fri Jan 15 14:21:37 UTC 2010 - mrueckert@suse.de

- fix requires on rack. gem spec and code disagree with each other.

-------------------------------------------------------------------
Tue Dec  1 18:19:07 UTC 2009 - chris@computersalat.de

- update to version 2.3.5
  - Minor Bug Fixes and deprecation warnings
  - Ruby 1.9 Support
  - Fix filtering parameters when there are Fixnum or other
    un-dupable values.
  - Improvements to ActionView::TestCase
  - Compatibility with the rails_xss plugin
- removed actionpack-2.3.4_number_to_human_size_fix_eb30c695444b904d7937c8c12c59da9a8c4d60e5.patch:
  included in update

-------------------------------------------------------------------
Fri Nov 20 13:53:22 UTC 2009 - mrueckert@suse.de

- added actionpack-2.3.4_number_to_human_size_fix_eb30c695444b904d7937c8c12c59da9a8c4d60e5.patch
  fix number_to_human_size (bnc#545720)

-------------------------------------------------------------------
Thu Sep 10 12:03:08 UTC 2009 - adrian@suse.de

- update to version 2.3.4

-------------------------------------------------------------------
Fri Jun  5 16:58:30 CEST 2009 - mrueckert@suse.de

- add rails-2.3.2_http_auth_digest_nil_check.patch:
  do not allow authentication with a missing password (bnc#509914)

-------------------------------------------------------------------
Mon Mar 16 20:34:36 CET 2009 - mrueckert@suse.de

- starting package for the rails 2.3 series

-------------------------------------------------------------------