File rubygem-actionpack-5_1.changes of Package rubygem-actionpack-5_1.36289

-------------------------------------------------------------------
Wed Oct 30 14:07:44 UTC 2024 - pgajdos@suse.com

- security update
- added patches
  fix CVE-2024-47887 [bsc#1231729], Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
  + 0010-CVE-2024-47887.patch
  fix CVE-2024-42228 [bsc#1228667], Using uninitialized value *size when calling amdgpu_vce_cs_reloc
  + 0011-CVE-2024-42228.patch
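
  An added example to accompany the ReDoS entry above. This is not the
  actionpack code or the patch's content; it is an illustration of the
  fix strategy for this class of bug: parse the `Authorization: Token`
  header with a single left-to-right scan instead of a backtracking
  regular expression over attacker-controlled input. The accepted
  header shape (`Token token="...", nonce="..."` pairs, or the bare
  `Token abc` form) and the delimiter set are assumptions for the example.

```ruby
# Added example (not actionpack's own code): a linear-time parser for the
# "Authorization: Token ..." header. Each character is visited once and no
# regex is applied to the header, so input length cannot trigger
# catastrophic backtracking of the kind behind ReDoS findings such as
# CVE-2024-47887.
#
# Accepted shape (assumed for this example):
#   Token token="abc", nonce="x"      -> {"token"=>"abc", "nonce"=>"x"}
#   Token abc                         -> {"token"=>"abc"}
# Pairs are separated by ",", ";", spaces or tabs; values may be quoted
# (with backslash escapes) or bare. Non-Token schemes yield {}.
DELIMS = " \t,;".freeze

def parse_token_header(header)
  return {} unless header.is_a?(String)
  s = header.strip
  return {} unless s[0, 5].casecmp("Token") == 0
  return {} unless s.length == 5 || s[5] == " " || s[5] == "\t"
  rest = s[5..-1]
  params = {}
  i = 0
  n = rest.length
  while i < n
    i += 1 while i < n && DELIMS.include?(rest[i])   # skip delimiters
    break if i >= n
    key_start = i
    i += 1 while i < n && rest[i] != "=" && !DELIMS.include?(rest[i])
    key = rest[key_start...i]
    if i < n && rest[i] == "="
      i += 1
      if i < n && rest[i] == '"'
        i += 1
        val = +""
        while i < n && rest[i] != '"'
          i += 1 if rest[i] == "\\" && i + 1 < n   # backslash escape
          val << rest[i]
          i += 1
        end
        i += 1 if i < n                            # closing quote
      else
        val_start = i
        i += 1 while i < n && !DELIMS.include?(rest[i])
        val = rest[val_start...i]
      end
      params[key] = val
    else
      # Bare value with no "=", e.g. "Token abc": treat it as the token.
      params["token"] = key unless params.key?("token")
    end
  end
  params
end

if __FILE__ == $PROGRAM_NAME
  p parse_token_header('Token token="abc", nonce="x y"')
  p parse_token_header("Token abc")
  # Constructed hostile input: 100k characters, still a single pass.
  p parse_token_header("Token " + ("a" * 100_000) + "=").size
end
```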

-------------------------------------------------------------------
Wed Jan 10 13:26:14 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>

- modified patches
  + 0009-CVE-2020-8166.patch (fixed)
  - rubygem-actionpack-5_1-CVE-2020-8166.patch (renamed)

-------------------------------------------------------------------
Mon Oct  9 11:34:52 UTC 2023 - pgajdos@suse.com

- security update
  * fix CVE-2020-8166 patch port [bsc#1215707]

-------------------------------------------------------------------
Thu Sep 21 11:17:08 UTC 2023 - pgajdos@suse.com

- security update
- added patches
  fix CVE-2020-8166 [bsc#1172182], Ability to forge per-form CSRF tokens given a global CSRF token
  + rubygem-actionpack-5_1-CVE-2020-8166.patch

-------------------------------------------------------------------
Tue Jul 18 13:01:41 UTC 2023 - pgajdos@suse.com

- security update
- added patches
  fix CVE-2023-28362 [bsc#1213312], Possible XSS via User Supplied Values to redirect_to
  + 0008-CVE-2023-28362.patch

-------------------------------------------------------------------
Fri Jan 27 10:08:37 UTC 2023 - Valentin Lefebvre <valentin.lefebvre@suse.com>

- Add patch to fix CVE-2023-22795 (bsc#1207451)
  0007-CVE-2023-22795.patch

-------------------------------------------------------------------
Thu Jan 26 17:23:42 UTC 2023 - Valentin Lefebvre <valentin.lefebvre@suse.com>

- Add patch to fix CVE-2023-22792 (bsc#1207455)
  0006-CVE-2023-22792.patch

-------------------------------------------------------------------
Thu Jun  2 12:57:41 UTC 2022 - Manuel Schnitzer <mschnitzer@suse.com>

- Added patch 0005-CVE-2021-22904.patch to fix CVE-2021-22904
  (bsc#1185780)

-------------------------------------------------------------------
Wed Jun  1 16:39:21 UTC 2022 - Manuel Schnitzer <mschnitzer@suse.com>

- Added patch 0004-CVE-2022-23633.patch to fix CVE-2022-23633
  (bsc#1196182)

-------------------------------------------------------------------
Mon May 10 11:01:41 UTC 2021 - Jacek Tomasiak <jtomasiak@suse.com>

- Added patch 0003-CVE-2021-22885.patch (CVE-2021-22885, bsc#1185715)

-------------------------------------------------------------------
Fri Jul 31 11:10:30 UTC 2020 - Manuel Schnitzer <mschnitzer@suse.com>

- CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack.
  There is a strong parameters bypass vector in ActionPack.
  (bsc#1172177)
- Added patch 0002-CVE-2020-8164.patch
- Renamed patch CVE-2019-5418_and_CVE-2019-5419.patch to
  0001-CVE-2019-5418_and_CVE-2019-5419.patch

-------------------------------------------------------------------
Mon Mar 18 12:46:31 UTC 2019 - Lukas Krause <lukas.krause@suse.com>

- Add CVE-2019-5418_and_CVE-2019-5419.patch (CVE-2019-5418,
  CVE-2019-5419, bsc#1129272, bsc#1129271)

  * CVE-2019-5418:
    There is a possible file content disclosure vulnerability in
    Action View. Specially crafted accept headers in combination
    with calls to `render file:` can cause arbitrary files on the
    target server to be rendered, disclosing the file contents.

  * CVE-2019-5419:
    Specially crafted accept headers can cause the Action View
    template location code to consume 100% CPU, leaving the server
    unable to process requests. This impacts all Rails applications
    that render views.

- Add series file for better patch handling with quilt

-------------------------------------------------------------------
Fri Sep  8 13:37:12 UTC 2017 - enavarro@suse.com

- Update to version 5.1.4
 see installed CHANGELOG.md

-------------------------------------------------------------------
Wed Aug  9 07:52:57 UTC 2017 - cbruckmayer@suse.com

- Update to version 5.1.3

-------------------------------------------------------------------
Sat Jun 24 06:15:03 UTC 2017 - adrian@suse.de

- update to version 5.1.1

-------------------------------------------------------------------
Mon Dec  5 15:35:14 UTC 2016 - cbruckmayer@suse.com

- Add patch for fixing content type is nil

  Already merged into upstream and will be included in the next rails version 5.0.0.2
  https://github.com/rails/rails/pull/25950

-------------------------------------------------------------------
Fri Aug 12 04:30:28 UTC 2016 - coolo@suse.com

- updated to version 5.0.0.1
 see installed CHANGELOG.md

-------------------------------------------------------------------
Mon Jul  4 09:08:07 UTC 2016 - coolo@suse.com

- updated to rails 5.0 - see http://weblog.rubyonrails.org/2016/6/30/Rails-5-0-final/

-------------------------------------------------------------------
Tue Mar  8 05:29:36 UTC 2016 - coolo@suse.com

- updated to version 4.2.6
 see installed CHANGELOG.md

  ## Rails 4.2.6 (March 07, 2016) ##

  *   No changes.

-------------------------------------------------------------------
Tue Mar  1 05:30:50 UTC 2016 - coolo@suse.com

- updated to version 4.2.5.2
 see installed CHANGELOG.md

  ## Rails 4.2.5.2 (February 26, 2016) ##

  *   Do not allow render with unpermitted parameter.

      Fixes CVE-2016-2098.

      *Arthur Neves*


  ## Rails 4.2.5.1 (January 25, 2015) ##

  *   No changes.

-------------------------------------------------------------------
Tue Jan 26 05:29:36 UTC 2016 - coolo@suse.com

- updated to version 4.2.5.1
 see installed CHANGELOG.md

-------------------------------------------------------------------
Fri Nov 13 05:29:06 UTC 2015 - coolo@suse.com

- updated to version 4.2.5
 see installed CHANGELOG.md

  ## Rails 4.2.5 (November 12, 2015) ##

  *   `ActionController::TestCase` can teardown gracefully if an error is raised
      early in the `setup` chain.

      *Yves Senn*

  *   Parse RSS/ATOM responses as XML, not HTML.

      *Alexander Kaupanin*

  *   Fix regression in mounted engine named routes generation for app deployed to
      a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
      "/subdir/subdir/engine_path" instead of "/subdir/engine_path")

      Fixes #20920. Fixes #21459.

      *Matthew Erhard*

  *   `url_for` does not modify its arguments when generating polymorphic URLs.

      *Bernerd Schaefer*

  *   Update `ActionController::TestSession#fetch` to behave more like
      `ActionDispatch::Request::Session#fetch` when using non-string keys.

      *Jeremy Friesen*

-------------------------------------------------------------------
Tue Aug 25 04:29:18 UTC 2015 - coolo@suse.com

- updated to version 4.2.4
 see installed CHANGELOG.md

  ## Rails 4.2.4 (August 24, 2015) ##

  *   ActionController::TestSession now accepts a default value as well as
      a block for generating a default value based off the key provided.

      This fixes calls to session#fetch in ApplicationController instances that
      take more than two arguments or a block from raising `ArgumentError: wrong
      number of arguments (2 for 1)` when performing controller tests.

      *Matthew Gerrior*

  *   Fix to keep original header instance in `ActionDispatch::SSL`

      `ActionDispatch::SSL` changes headers to `Hash`.
      So some headers will be broken if there are some middlewares
      on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.

      *Fumiaki Matsushima*

-------------------------------------------------------------------
Fri Jun 26 04:29:34 UTC 2015 - coolo@suse.com

- updated to version 4.2.3
 see installed CHANGELOG.md

  ## Rails 4.2.3 (June 25, 2015) ##

  *   Fix rake routes not showing the right format when
      nesting multiple routes.

      See #18373.

      *Ravil Bayramgalin*

  *   Fix regression where a gzip file response would have a Content-type,
      even when it was a 304 status code.

      See #19271.

      *Kohei Suzuki*

  *   Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port

      Previously, an empty X_FORWARDED_HOST header would cause
      ActionDispatch::Http::URL.raw_host_with_port to return nil, causing
      ActionDispatch::Http::URL.host to raise a NoMethodError.

      *Adam Forsyth*

  *   Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.

      Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
      prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
      is set, it takes precedence.

      Fixes #5122.

      *Yasyf Mohamedali*

  *   Fix regression in functional tests. Responses should have default headers
      assigned.

      See #18423.

      *Jeremy Kemper*, *Yves Senn*

-------------------------------------------------------------------
Wed Jun 17 04:30:01 UTC 2015 - coolo@suse.com

- updated to version 4.2.2
 see installed CHANGELOG.md

  ## Rails 4.2.2 (June 16, 2015) ##

  * No Changes *

-------------------------------------------------------------------
Sun Mar 22 09:07:28 UTC 2015 - coolo@suse.com

- updated to version 4.2.1, see CHANGELOG.md

-------------------------------------------------------------------
Wed Jan 28 12:29:23 UTC 2015 - adrian@suse.de

- update to 4.2.0

-------------------------------------------------------------------
Mon Jan 19 21:09:53 UTC 2015 - dmueller@suse.com

- update to 4.1.9:
   * Fixed handling of positional url helper arguments when `format: false`.
   * Restore handling of a bare `Authorization` header, without `token=`
     prefix.
   * Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass
   * Fix a bug where malformed query strings lead to 500.
   * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7829)
   * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7818)

-------------------------------------------------------------------
Mon Nov 10 14:00:03 UTC 2014 - tboerger@suse.com

- To get rails 4 running on SLE 11 I have switched the
  rb_build_versions definition to rub21 as it is activated within
  devel:languages:ruby. That way we can get rails 4 running on
  SLE 11 too.

-------------------------------------------------------------------
Sun Oct 12 16:20:05 UTC 2014 - coolo@suse.com

- updated to version 4.1.6
 *   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
     ("Rosetta Flash")
 *   Because URI paths may contain non US-ASCII characters we need to force
     the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
     This essentially replicates the functionality of the monkey patch to
     URI.parser.unescape in active_support/core_ext/uri.rb.
     Fixes #16104.
 *   Generate shallow paths for all children of shallow resources.
     Fixes #15783.
 *   JSONP responses are now rendered with the `text/javascript` content type
     when rendering through a `respond_to` block.
     Fixes #15081.
 *   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
     Fixes #15511.
 *   ActionController::Parameters#require now accepts `false` values.
     Fixes #15685.
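
 An added example for the "Rosetta Flash" entry above. It is not the
 actionpack code; it shows why prepending a JS comment to a JSONP body
 defeats the attack: the trick relies on the reflected callback name
 being the very first bytes of the response, so an attacker can make the
 body begin with a Flash SWF header ("CWS"/"FWS") and have a Flash
 object load the JSON endpoint as a SWF. A server-controlled prefix
 makes that impossible. The callback-name allowlist and length cap are
 additional assumptions of the example, not something the 4.1.6 change
 describes.

```ruby
# Added example (not actionpack's own code): build a JSONP response body
# that cannot be abused via "Rosetta Flash" (CVE-2014-4671).
require 'json'

# The fixed prefix guarantees the first bytes of the body are ours, not
# the caller's callback name.
JSONP_PREFIX = "/**/".freeze

# Assumed callback policy for the example: a JS identifier, optionally
# dotted (e.g. "window.cb"), at most 64 characters.
CALLBACK_RE = /\A[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*\z/

def valid_jsonp_callback?(name)
  name.is_a?(String) && name.length <= 64 && CALLBACK_RE.match?(name)
end

def jsonp_body(callback, data)
  raise ArgumentError, "invalid JSONP callback" unless valid_jsonp_callback?(callback)
  "#{JSONP_PREFIX}#{callback}(#{JSON.generate(data)});"
end

# True when a body starts with a Flash SWF magic header, i.e. when a
# Flash runtime would accept it as a SWF file.
def looks_like_swf?(body)
  %w[CWS FWS ZWS].any? { |magic| body.start_with?(magic) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker-style callback: alphanumeric, begins with "CWS".
  evil_callback = "CWSMIKn"
  unprefixed = "#{evil_callback}(#{JSON.generate(ok: true)});"
  puts looks_like_swf?(unprefixed)                      # true: exploitable
  puts looks_like_swf?(jsonp_body(evil_callback, ok: true))  # false: prefix wins
  puts jsonp_body("window.cb", ok: true)
end
```

 Note that the prefix alone is what neutralises the SWF-header trick;
 the identifier allowlist is defence in depth against callback names that
 smuggle in other content.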

-------------------------------------------------------------------
Wed Jul 23 13:26:43 UTC 2014 - mrueckert@suse.com

- initial package
