File rubygem-actionpack-4_2.changes of Package rubygem-actionpack-4_2.27663

Overview Repositories Revisions Requests Users Attributes Meta

File rubygem-actionpack-4_2.changes of Package rubygem-actionpack-4_2.27663

-------------------------------------------------------------------
Fri Jan 27 09:48:28 UTC 2023 - Valentin Lefebvre <valentin.lefebvre@suse.com>

- Add patch to fix CVE-2023-22795 (bsc#1207451)
  CVE-2023-22795.patch

-------------------------------------------------------------------
Thu Jan 26 16:46:56 UTC 2023 - Valentin Lefebvre <valentin.lefebvre@suse.com>

- Add patch to fix CVE-2023-22792 (bsc#1207455)
  CVE-2023-22792.patch

-------------------------------------------------------------------
Mon May 10 11:13:32 UTC 2021 - Jacek Tomasiak <jtomasiak@suse.com>

- Added patch CVE-2021-22885.patch (CVE-2021-22885, bsc#1185715)

-------------------------------------------------------------------
Wed Mar 31 00:23:52 UTC 2021 - Jacek Tomasiak <jtomasiak@suse.com>

- Add CVE-2019-16782.patch (CVE-2019-16782, bsc#1159548)

-------------------------------------------------------------------
Mon Mar 18 11:05:41 UTC 2019 - Lukas Krause <lukas.krause@suse.com>

- Add CVE-2019-5418_and_CVE-2019-5419.patch (CVE-2019-5418,
  CVE-2019-5419, bsc#1129272, bsc#1129271)

* CVE-2019-5418:
    There is a possible file content disclosure vulnerability in
    Action View. Specially crafted accept headers in combination
    with calls to `render file:` can cause arbitrary files on the
    target server to be rendered, disclosing the file contents.

* CVE-2019-5419:
    Specially crafted accept headers can cause the Action View
    template location code to consume 100% CPU, causing the server
    unable to process requests. This impacts all Rails applications
    that render views.

- Add series file for better patch handling with quilt

-------------------------------------------------------------------
Mon Aug 28 16:08:13 UTC 2017 - rsalevsky@suse.com

- update to version 4.2.9 (bsc#1055962)
 * drop CVE-2015-7581.patch, CVE-2016-0752.patch
   CVE-2016-0751.patch and CVE-2015-7576.patch as they got merged
   upstream

see installed CHANGELOG.md
  ## Rails 4.2.9 (June 26, 2017) ##
  *   Use more specific check for :format in route path

The current check for whether to add an optional format to the path is very lax
      and will match things like `:format_id` where there are nested resources, e.g:

``` ruby
      resources :formats do
        resources :items
      end
      ```

Fix this by using a more restrictive regex pattern that looks for the patterns
      `(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
      allow for multiple closing parenthesis since the route may be of this form:

``` ruby
      get "/books(/:action(.:format))", controller: "books"
      ```

This probably isn't what's intended since it means that the default index action
      route doesn't support a format but we have a test for it so we need to allow it.

Fixes #28517.

## Rails 4.2.8 (February 21, 2017) ##
  *   No changes.

## Rails 4.2.7 (July 12, 2016) ##
  *   No changes.

## Rails 4.2.6 (March 07, 2016) ##
  *   No changes.

## Rails 4.2.5.2 (February 26, 2016) ##
  *   Do not allow render with unpermitted parameter.
      Fixes CVE-2016-2098.

## Rails 4.2.5.1 (January 25, 2015) ##
  *   No changes.

## Rails 4.2.5 (November 12, 2015) ##
  *   `ActionController::TestCase` can teardown gracefully if an error is raised
      early in the `setup` chain.

*Yves Senn*

*   Parse RSS/ATOM responses as XML, not HTML.

*Alexander Kaupanin*

*   Fix regression in mounted engine named routes generation for app deployed to
      a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
      "/subdir/subdir/engine_path" instead of "/subdir/engine_path")

Fixes #20920. Fixes #21459.

*Matthew Erhard*

*   `url_for` does not modify its arguments when generating polymorphic URLs.

*Bernerd Schaefer*

*   Update `ActionController::TestSession#fetch` to behave more like
      `ActionDispatch::Request::Session#fetch` when using non-string keys.

*Jeremy Friesen*

## Rails 4.2.4 (August 24, 2015) ##
  *   ActionController::TestSession now accepts a default value as well as
      a block for generating a default value based off the key provided.

This fixes calls to session#fetch in ApplicationController instances that
      take more two arguments or a block from raising `ArgumentError: wrong
      number of arguments (2 for 1)` when performing controller tests.

*Matthew Gerrior*

*   Fix to keep original header instance in `ActionDispatch::SSL`

`ActionDispatch::SSL` changes headers to `Hash`.
      So some headers will be broken if there are some middlewares
      on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.

*Fumiaki Matsushima*

## Rails 4.2.3 (June 25, 2015) ##

*   Fix rake routes not showing the right format when
      nesting multiple routes.

See #18373.

*Ravil Bayramgalin*

*   Fix regression where a gzip file response would have a Content-type,
      even when it was a 304 status code.

See #19271.

*Kohei Suzuki*

*   Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port

Previously, an empty X_FORWARDED_HOST header would cause
      Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
      Actiondispatch::Http:URL.host to raise a NoMethodError.

*Adam Forsyth*

*   Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.

Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
      prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
      is set, it takes precedence.

Fixes #5122.

*Yasyf Mohamedali*

*   Fix regression in functional tests. Responses should have default headers
      assigned.

See #18423.

*Jeremy Kemper*, *Yves Senn*

## Rails 4.2.2 (June 16, 2015) ##
  * No Changes *

-------------------------------------------------------------------
Tue Jan 26 17:50:43 UTC 2016 - jmassaguerpla@suse.com

- fix bnc#963331 - CVE-2016-0751: rubygem-actionpack: Object Leak DoS
  CVE-2016-0751.patch: contains the fix

-------------------------------------------------------------------
Tue Jan 26 17:48:39 UTC 2016 - jmassaguerpla@suse.com

- fix bnc#963335 - CVE-2015-7581: rubygem-actionpack: unbounded
  memory growth DoS via wildcard controller routes
  CVE-2015-7581.patch: contains the fix

-------------------------------------------------------------------
Tue Jan 26 16:38:33 UTC 2016 - jmassaguerpla@suse.com

- fix bnc#963332 - CVE-2016-0752: rubygem-actionpack,
  rubygem-actionview: directory traversal and information leak in
  Action View
  CVE-2016-0752.patch: contains the security fix

-------------------------------------------------------------------
Tue Jan 26 13:01:25 UTC 2016 - jmassaguerpla@suse.com

- fix CVE-2015-7576: rubygem-actionpack, rubygem-activesupport:
  Timing attack vulnerability in basic authentication in Action Controller
  CVE-2015-7576.patch: contains the fix (bsc#963329)

-------------------------------------------------------------------
Fri Jul  3 10:17:41 UTC 2015 - jmassaguerpla@suse.com

- update to version 4.2.2, no changes
  (updated to match activesupport version)
  (bnc#934799 and bnc#934800).

-------------------------------------------------------------------
Sun Mar 22 09:07:28 UTC 2015 - coolo@suse.com

- updated to version 4.2.1, see CHANGELOG.md

-------------------------------------------------------------------
Wed Jan 28 12:29:23 UTC 2015 - adrian@suse.de

- update to 4.2.0

-------------------------------------------------------------------
Mon Jan 19 21:09:53 UTC 2015 - dmueller@suse.com

-  update to 4.1.9:
   * Fixed handling of positional url helper arguments when `format: false`.
   * Restore handling of a bare `Authorization` header, without `token=`
     prefix.
   * Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass
   * Fix a bug where malformed query strings lead to 500.
   * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7829)
   * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7818)

-------------------------------------------------------------------
Mon Nov 10 14:00:03 UTC 2014 - tboerger@suse.com

- To get rails 4 running on SLE 11 i have switched the
  rb_build_versions definition to rub21 as it is activated within
  devel:languages:ruby. That way we can get running rails 4 on
  SLE 11 too.

-------------------------------------------------------------------
Sun Oct 12 16:20:05 UTC 2014 - coolo@suse.com

- updated to version 4.1.6
 *   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
     ("Rosetta Flash")
 *   Because URI paths may contain non US-ASCII characters we need to force
     the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
     This essentially replicates the functionality of the monkey patch to
     URI.parser.unescape in active_support/core_ext/uri.rb.
     Fixes #16104.
 *   Generate shallow paths for all children of shallow resources.
     Fixes #15783.
 *   JSONP responses are now rendered with the `text/javascript` content type
     when rendering through a `respond_to` block.
     Fixes #15081.
 *   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
     Fixes #15511.
 *   ActionController::Parameters#require now accepts `false` values.
     Fixes #15685.

-------------------------------------------------------------------
Wed Jul 23 13:26:43 UTC 2014 - mrueckert@suse.com

- - initial package

Places

File rubygem-actionpack-4_2.changes of Package rubygem-actionpack-4_2.27663

Places