File rubygem-actionpack-6.1.changes of Package rubygem-actionpack-6.1
-------------------------------------------------------------------
Mon Nov 4 15:56:28 UTC 2024 - Dan Čermák <dan.cermak@posteo.net>

- ## Rails 6.1.7.10 (October 23, 2024) ##

  * No changes.

  ## Rails 6.1.7.9 (October 15, 2024) ##

  * Avoid regex backtracking in HTTP Token authentication [CVE-2024-47887]
  * Avoid regex backtracking in query parameter filtering [CVE-2024-41128]

-------------------------------------------------------------------
Fri Jun 21 09:12:04 UTC 2024 - Dan Čermák <dan.cermak@posteo.net>

- ## Rails 6.1.7.8 (June 04, 2024) ##

  * Include the HTTP Permissions-Policy on non-HTML Content-Types
    [CVE-2024-28103]

  ## Rails 6.1.7.7 (February 21, 2024) ##

  * No changes.

-------------------------------------------------------------------
Thu Nov 2 15:31:41 UTC 2023 - Dan Čermák <dan.cermak@posteo.net>

- ## Rails 6.1.7.6 (August 22, 2023) ##

  * No changes.

  ## Rails 6.1.7.5 (August 22, 2023) ##

  * No changes.

  ## Rails 6.1.7.4 (June 26, 2023) ##

  * Raise an exception if illegal characters are provided to redirect_to
    [CVE-2023-28362]

    *Zack Deveau*

  ## Rails 6.1.7.3 (March 13, 2023) ##

  * No changes.

  ## Rails 6.1.7.2 (January 24, 2023) ##

  * Fix `domain: :all` for two letter TLD

    This fixes a compatibility issue introduced in our previous security
    release when using `domain: :all` with a two letter but single level top
    level domain (like `.ca`, rather than `.co.uk`).

  ## Rails 6.1.7.1 (January 17, 2023) ##

  * Avoid regex backtracking on If-None-Match header [CVE-2023-22795]
  * Use string#split instead of regex for domain parts [CVE-2023-22792]

-------------------------------------------------------------------
Mon Oct 10 12:51:45 UTC 2022 - Stephan Kulow <coolo@suse.com>

updated to version 6.1.7
 see installed CHANGELOG.md

  ## Rails 6.1.7 (September 09, 2022) ##

  * No changes.

-------------------------------------------------------------------
Thu Aug 4 12:49:55 UTC 2022 - Stephan Kulow <coolo@suse.com>

updated to version 6.1.6.1
 see installed CHANGELOG.md

  ## Rails 6.1.6.1 (July 12, 2022) ##

  * No changes.

-------------------------------------------------------------------
Thu Apr 28 05:08:46 UTC 2022 - Stephan Kulow <coolo@suse.com>

updated to version 6.1.5.1
 see installed CHANGELOG.md

  ## Rails 6.1.5.1 (April 26, 2022) ##

  * Allow Content Security Policy DSL to generate for API responses.

    *Tim Wade*

  ## Rails 6.1.5 (March 09, 2022) ##

  * Fix `content_security_policy` returning invalid directives.

    Directives such as `self`, `unsafe-eval` and few others were not
    single quoted when the directive was the result of calling a lambda
    returning an array.

    ```ruby
    content_security_policy do |policy|
      policy.frame_ancestors lambda { [:self, "https://example.com"] }
    end
    ```

    With this fix the policy generated from above will now be valid.

    *Edouard Chin*

  * Update `HostAuthorization` middleware to render debug info only
    when `config.consider_all_requests_local` is set to true.

    Also, blocked host info is always logged with level `error`.

    Fixes #42813.

    *Nikita Vyrko*

  * Dup arrays that get "converted".

    Fixes #43681.

    *Aaron Patterson*

  * Don't show deprecation warning for equal paths.

    *Anton Rieder*

  * Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.

    Fixes #43094.

    *Alex Ghiculescu*

  * Add fallback host for SystemTestCase driven by RackTest.

    Fixes #42780.

    *Petrik de Heus*

  * Add more detail about what hosts are allowed.

    *Alex Ghiculescu*

  ## Rails 6.1.4.7 (March 08, 2022) ##

  * No changes.

-------------------------------------------------------------------
Tue Feb 15 07:07:00 UTC 2022 - Stephan Kulow <coolo@suse.com>

updated to version 6.1.4.6
 see installed CHANGELOG.md

  ## Rails 6.1.4.6 (February 11, 2022) ##

  * No changes.

  ## Rails 6.1.4.5 (February 11, 2022) ##

  * Under certain circumstances, the middleware isn't informed that the
    response body has been fully closed which results in request state not
    being fully reset before the next request

    [CVE-2022-23633]

-------------------------------------------------------------------
Tue Jan 25 06:19:37 UTC 2022 - Stephan Kulow <coolo@suse.com>

updated to version 6.1.4.4
 see installed CHANGELOG.md

  ## Rails 6.1.4.4 (December 15, 2021) ##

  * Fix issue with host protection not allowing host with port in development.

  ## Rails 6.1.4.3 (December 14, 2021) ##

  * Fix issue with host protection not allowing localhost in development.

  ## Rails 6.1.4.2 (December 14, 2021) ##

  * Fix X_FORWARDED_HOST protection. [CVE-2021-44528]

-------------------------------------------------------------------
Wed Aug 25 04:58:50 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>

- updated to version 6.1.4.1

  * [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.

    Specially crafted "X-Forwarded-Host" headers in combination with certain
    "allowed host" formats can cause the Host Authorization middleware in
    Action Pack to redirect users to a malicious website.

-------------------------------------------------------------------
Fri Jul 9 12:23:16 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>

- updated to version 6.1.4

  * Ignore file fixtures on `db:fixtures:load`

    *Kevin Sjöberg*

  * Fix ActionController::Live controller test deadlocks by removing the body
    buffer size limit for tests.

    *Dylan Thacker-Smith*

  * Correctly place optional path parameter booleans.

    Previously, if you specify a url parameter that is part of the path as
    false it would include that part of the path as parameter for example:

    ```
    get "(/optional/:optional_id)/things" => "foo#foo", as: :things
    things_path(optional_id: false) # => /things?optional_id=false
    ```

    After this change, true and false will be treated the same when used as
    optional path parameters.
    Meaning now:

    ```
    get '(this/:my_bool)/that', as: :that
    that_path(my_bool: true) # => `/this/true/that`
    that_path(my_bool: false) # => `/this/false/that`
    ```

    *Adam Hess*

  * Add support for 'private, no-store' Cache-Control headers.

    Previously, 'no-store' was exclusive; no other directives could be
    specified.

    *Alex Smith*

-------------------------------------------------------------------
Fri May 14 15:53:21 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>

- updated to version 6.1.3.2

  * Prevent open redirects by correctly escaping the host allow list
    CVE-2021-22903

  * Prevent catastrophic backtracking during mime parsing
    CVE-2021-22902

  * Prevent regex DoS in HTTP token authentication
    CVE-2021-22904

  * Prevent string polymorphic route arguments.

    `url_for` supports building polymorphic URLs via an array
    of arguments (usually symbols and records). If a developer passes a
    user input array, strings can result in unwanted route helper calls.

    CVE-2021-22885

    *Gannon McGibbon*

-------------------------------------------------------------------
Tue Apr 20 12:55:56 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>

- updated to version 6.1.3.1

  * no changes

-------------------------------------------------------------------
Mon Mar 15 04:08:43 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>

- updated to version 6.1.3

  * Re-define routes when not set correctly via inheritance.

    John Hawthorn

-------------------------------------------------------------------
Mon Feb 15 10:10:40 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>

- updated to version 6.1.2.1

  ## Rails 6.1.2.1 (February 10, 2021) ##

  * Prevent open redirect when allowed host starts with a dot

    [CVE-2021-22881]

    Thanks to @tktech (https://hackerone.com/tktech) for reporting this
    issue and the patch!

    *Aaron Patterson*

  ## Rails 6.1.2 (February 09, 2021) ##

  * Fix error in `ActionController::LogSubscriber` that would happen when
    throwing inside a controller action.
    *Janko Marohnić*

  * Fix `fixture_file_upload` deprecation when `file_fixture_path` is a
    relative path.

    *Eugene Kenny*

-------------------------------------------------------------------
Wed Jan 20 07:06:20 UTC 2021 - Manuel Schnitzer <mschnitzer@suse.com>

- updated to version 6.1.1

  * Fix nil translation key lookup in controllers/

    Jan Klimo

  * Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.

    Alex Robbin

  * Change the request method to a GET when passing failed requests down to
    config.exceptions_app.

    Alex Robbin

-------------------------------------------------------------------
Fri Dec 11 02:41:16 UTC 2020 - Manuel Schnitzer <mschnitzer@suse.com>

- removed build flags for Ruby 2.6 and 2.7 only

  We need to have Ruby 2.5 binaries as well.

- removed disable_docs gem2rpm option (not available)

-------------------------------------------------------------------
Wed Dec 9 23:53:04 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

- update to version 6.1.0:
  https://weblog.rubyonrails.org/2020/12/9/Rails-6-1-0-release/

-------------------------------------------------------------------
Mon Nov 2 23:20:02 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>

- initial package
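
The 6.1.3.2 entry for CVE-2021-22885 says that strings in a user-supplied array passed to `url_for` can result in unwanted route helper calls. The Ruby sketch below is an added illustration, not code from Rails or from this package: it is a simplified model of how a polymorphic argument list becomes a helper name, with a permissive variant, a variant that rejects strings, and a caller-side allow list. `Post`, `legacy_helper_name`, `strict_helper_name`, `safe_scope` and all route names are hypothetical.

```ruby
# Simplified model of polymorphic route helper naming (not Rails source).
# All class, method and route names here are constructed for illustration.

Post = Struct.new(:id) do
  # Stand-in for the route key a model would contribute to the helper name.
  def route_key
    "post"
  end
end

# Permissive behaviour: strings are accepted as route segments like symbols,
# so request-controlled strings decide which helper name is built.
def legacy_helper_name(list)
  parts = list.map do |item|
    case item
    when Symbol, String then item.to_s
    else item.route_key
    end
  end
  "#{parts.join('_')}_url"
end

# Strict behaviour: only symbols (written by the developer) may name
# segments; a string in the list is treated as untrusted input and rejected.
def strict_helper_name(list)
  parts = list.map do |item|
    case item
    when Symbol then item.to_s
    when String
      raise ArgumentError, "strings are not allowed as polymorphic route arguments"
    else item.route_key
    end
  end
  "#{parts.join('_')}_url"
end

# Caller-side defence: map request input onto a fixed set of symbols
# instead of forwarding it into the argument list.
ALLOWED_SCOPES = { "admin" => :admin, "public" => :public }.freeze

def safe_scope(param)
  ALLOWED_SCOPES.fetch(param) { raise ArgumentError, "unknown scope" }
end
```

In application code the equivalent check is to audit every `url_for`, `redirect_to` and `link_to` call whose array argument is built from request parameters.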