Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
rubygem-actionpack-4_2.18961
rubygem-actionpack-4_2.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File rubygem-actionpack-4_2.changes of Package rubygem-actionpack-4_2.18961
------------------------------------------------------------------- Wed Mar 31 00:23:52 UTC 2021 - Jacek Tomasiak <jtomasiak@suse.com> - Add CVE-2019-16782.patch (CVE-2019-16782, bsc#1159548) ------------------------------------------------------------------- Mon Mar 18 11:05:41 UTC 2019 - Lukas Krause <lukas.krause@suse.com> - Add CVE-2019-5418_and_CVE-2019-5419.patch (CVE-2019-5418, CVE-2019-5419, bsc#1129272, bsc#1129271) * CVE-2019-5418: There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents. * CVE-2019-5419: Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the server unable to process requests. This impacts all Rails applications that render views. - Add series file for better patch handling with quilt ------------------------------------------------------------------- Mon Aug 28 16:08:13 UTC 2017 - rsalevsky@suse.com - update to version 4.2.9 (bsc#1055962) * drop CVE-2015-7581.patch, CVE-2016-0752.patch CVE-2016-0751.patch and CVE-2015-7576.patch as they got merged upstream see installed CHANGELOG.md ## Rails 4.2.9 (June 26, 2017) ## * Use more specific check for :format in route path The current check for whether to add an optional format to the path is very lax and will match things like `:format_id` where there are nested resources, e.g: ``` ruby resources :formats do resources :items end ``` Fix this by using a more restrictive regex pattern that looks for the patterns `(.:format)`, `.:format` or `/` at the end of the path. Note that we need to allow for multiple closing parenthesis since the route may be of this form: ``` ruby get "/books(/:action(.:format))", controller: "books" ``` This probably isn't what's intended since it means that the default index action route doesn't support a format but we have a test for it so we need to allow it. Fixes #28517. ## Rails 4.2.8 (February 21, 2017) ## * No changes. ## Rails 4.2.7 (July 12, 2016) ## * No changes. ## Rails 4.2.6 (March 07, 2016) ## * No changes. ## Rails 4.2.5.2 (February 26, 2016) ## * Do not allow render with unpermitted parameter. Fixes CVE-2016-2098. ## Rails 4.2.5.1 (January 25, 2015) ## * No changes. ## Rails 4.2.5 (November 12, 2015) ## * `ActionController::TestCase` can teardown gracefully if an error is raised early in the `setup` chain. *Yves Senn* * Parse RSS/ATOM responses as XML, not HTML. *Alexander Kaupanin* * Fix regression in mounted engine named routes generation for app deployed to a subdirectory. `relative_url_root` was prepended to the path twice (e.g. "/subdir/subdir/engine_path" instead of "/subdir/engine_path") Fixes #20920. Fixes #21459. *Matthew Erhard* * `url_for` does not modify its arguments when generating polymorphic URLs. *Bernerd Schaefer* * Update `ActionController::TestSession#fetch` to behave more like `ActionDispatch::Request::Session#fetch` when using non-string keys. *Jeremy Friesen* ## Rails 4.2.4 (August 24, 2015) ## * ActionController::TestSession now accepts a default value as well as a block for generating a default value based off the key provided. This fixes calls to session#fetch in ApplicationController instances that take more two arguments or a block from raising `ArgumentError: wrong number of arguments (2 for 1)` when performing controller tests. *Matthew Gerrior* * Fix to keep original header instance in `ActionDispatch::SSL` `ActionDispatch::SSL` changes headers to `Hash`. So some headers will be broken if there are some middlewares on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`. *Fumiaki Matsushima* ## Rails 4.2.3 (June 25, 2015) ## * Fix rake routes not showing the right format when nesting multiple routes. See #18373. *Ravil Bayramgalin* * Fix regression where a gzip file response would have a Content-type, even when it was a 304 status code. See #19271. *Kohei Suzuki* * Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port Previously, an empty X_FORWARDED_HOST header would cause Actiondispatch::Http:URL.raw_host_with_port to return nil, causing Actiondispatch::Http:URL.host to raise a NoMethodError. *Adam Forsyth* * Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`. Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack) is set, it takes precedence. Fixes #5122. *Yasyf Mohamedali* * Fix regression in functional tests. Responses should have default headers assigned. See #18423. *Jeremy Kemper*, *Yves Senn* ## Rails 4.2.2 (June 16, 2015) ## * No Changes * ------------------------------------------------------------------- Tue Jan 26 17:50:43 UTC 2016 - jmassaguerpla@suse.com - fix bnc#963331 - CVE-2016-0751: rubygem-actionpack: Object Leak DoS CVE-2016-0751.patch: contains the fix ------------------------------------------------------------------- Tue Jan 26 17:48:39 UTC 2016 - jmassaguerpla@suse.com - fix bnc#963335 - CVE-2015-7581: rubygem-actionpack: unbounded memory growth DoS via wildcard controller routes CVE-2015-7581.patch: contains the fix ------------------------------------------------------------------- Tue Jan 26 16:38:33 UTC 2016 - jmassaguerpla@suse.com - fix bnc#963332 - CVE-2016-0752: rubygem-actionpack, rubygem-actionview: directory traversal and information leak in Action View CVE-2016-0752.patch: contains the security fix ------------------------------------------------------------------- Tue Jan 26 13:01:25 UTC 2016 - jmassaguerpla@suse.com - fix CVE-2015-7576: rubygem-actionpack, rubygem-activesupport: Timing attack vulnerability in basic authentication in Action Controller CVE-2015-7576.patch: contains the fix (bsc#963329) ------------------------------------------------------------------- Fri Jul 3 10:17:41 UTC 2015 - jmassaguerpla@suse.com - update to version 4.2.2, no changes (updated to match activesupport version) (bnc#934799 and bnc#934800). ------------------------------------------------------------------- Sun Mar 22 09:07:28 UTC 2015 - coolo@suse.com - updated to version 4.2.1, see CHANGELOG.md ------------------------------------------------------------------- Wed Jan 28 12:29:23 UTC 2015 - adrian@suse.de - update to 4.2.0 ------------------------------------------------------------------- Mon Jan 19 21:09:53 UTC 2015 - dmueller@suse.com - update to 4.1.9: * Fixed handling of positional url helper arguments when `format: false`. * Restore handling of a bare `Authorization` header, without `token=` prefix. * Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass * Fix a bug where malformed query strings lead to 500. * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7829) * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7818) ------------------------------------------------------------------- Mon Nov 10 14:00:03 UTC 2014 - tboerger@suse.com - To get rails 4 running on SLE 11 i have switched the rb_build_versions definition to rub21 as it is activated within devel:languages:ruby. That way we can get running rails 4 on SLE 11 too. ------------------------------------------------------------------- Sun Oct 12 16:20:05 UTC 2014 - coolo@suse.com - updated to version 4.1.6 * Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671 ("Rosetta Flash") * Because URI paths may contain non US-ASCII characters we need to force the encoding of any unescaped URIs to UTF-8 if they are US-ASCII. This essentially replicates the functionality of the monkey patch to URI.parser.unescape in active_support/core_ext/uri.rb. Fixes #16104. * Generate shallow paths for all children of shallow resources. Fixes #15783. * JSONP responses are now rendered with the `text/javascript` content type when rendering through a `respond_to` block. Fixes #15081. * Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'. Fixes #15511. * ActionController::Parameters#require now accepts `false` values. Fixes #15685. ------------------------------------------------------------------- Wed Jul 23 13:26:43 UTC 2014 - mrueckert@suse.com - - initial package
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor