File rubygem-actionpack-5_1.changes of Package rubygem-actionpack-5_1

Overview Repositories Revisions Requests Users Attributes Meta

File rubygem-actionpack-5_1.changes of Package rubygem-actionpack-5_1

-------------------------------------------------------------------
Wed Oct 30 14:07:44 UTC 2024 - pgajdos@suse.com

- security update
- added patches
  fix CVE-2024-47887 [bsc#1231729], Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
  + 0010-CVE-2024-47887.patch
  fix CVE-2024-42228 [bsc#1228667], Using uninitialized value *size when calling amdgpu_vce_cs_reloc
  + 0011-CVE-2024-42228.patch

-------------------------------------------------------------------
Wed Jan 10 13:26:14 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>

- modified patches
  + 0009-CVE-2020-8166.patch (fixed)
  - rubygem-actionpack-5_1-CVE-2020-8166.patch (renamed)

-------------------------------------------------------------------
Mon Oct  9 11:34:52 UTC 2023 - pgajdos@suse.com

- security update
  * fix CVE-2020-8166 patch port [bsc#1215707]

-------------------------------------------------------------------
Thu Sep 21 11:17:08 UTC 2023 - pgajdos@suse.com

- security update
- added patches
  fix CVE-2020-8166 [bsc#1172182], Ability to forge per-form CSRF tokens given a global CSRF token
  + rubygem-actionpack-5_1-CVE-2020-8166.patch

-------------------------------------------------------------------
Tue Jul 18 13:01:41 UTC 2023 - pgajdos@suse.com

- security update
- added patches
  fix CVE-2023-28362 [bsc#1213312], Possible XSS via User Supplied Values to redirect_to
  + 0008-CVE-2023-28362.patch

-------------------------------------------------------------------
Fri Jan 27 10:08:37 UTC 2023 - Valentin Lefebvre <valentin.lefebvre@suse.com>

- Add patch to fix CVE-2023-22795 (bsc#1207451)
  0007-CVE-2023-22795.patch

-------------------------------------------------------------------
Thu Jan 26 17:23:42 UTC 2023 - Valentin Lefebvre <valentin.lefebvre@suse.com>

- Add patch to fix CVE-2023-22792 (bsc#1207455)
  0006-CVE-2023-22792.patch

-------------------------------------------------------------------
Thu Jun  2 12:57:41 UTC 2022 - Manuel Schnitzer <mschnitzer@suse.com>

- Added patch 0005-CVE-2021-22904.patch to fix CVE-2021-22904
  (bsc#1185780)

-------------------------------------------------------------------
Wed Jun  1 16:39:21 UTC 2022 - Manuel Schnitzer <mschnitzer@suse.com>

- Added patch 0004-CVE-2022-23633.patch to fix CVE-2022-23633
  (bsc#1196182)

-------------------------------------------------------------------
Mon May 10 11:01:41 UTC 2021 - Jacek Tomasiak <jtomasiak@suse.com>

- Added patch 0003-CVE-2021-22885.patch (CVE-2021-22885, bsc#1185715)

-------------------------------------------------------------------
Fri Jul 31 11:10:30 UTC 2020 - Manuel Schnitzer <mschnitzer@suse.com>

- CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack.
  There is a strong parameters bypass vector in ActionPack.
  (bsc#1172177)
- Added patch 0002-CVE-2020-8164.patch
- Renamed patch CVE-2019-5418_and_CVE-2019-5419.patch to
  0001-CVE-2019-5418_and_CVE-2019-5419.patch

-------------------------------------------------------------------
Mon Mar 18 12:46:31 UTC 2019 - Lukas Krause <lukas.krause@suse.com>

- Add CVE-2019-5418_and_CVE-2019-5419.patch (CVE-2019-5418,
  CVE-2019-5419, bsc#1129272, bsc#1129271)

* CVE-2019-5418:
    There is a possible file content disclosure vulnerability in
    Action View. Specially crafted accept headers in combination
    with calls to `render file:` can cause arbitrary files on the
    target server to be rendered, disclosing the file contents.

* CVE-2019-5419:
    Specially crafted accept headers can cause the Action View
    template location code to consume 100% CPU, causing the server
    unable to process requests. This impacts all Rails applications
    that render views.

- Add series file for better patch handling with quilt

-------------------------------------------------------------------
Fri Sep  8 13:37:12 UTC 2017 - enavarro@suse.com

- Update to version 5.1.4
 see installed CHANGELOG.md

-------------------------------------------------------------------
Wed Aug  9 07:52:57 UTC 2017 - cbruckmayer@suse.com

- Update to version 5.1.3

-------------------------------------------------------------------
Sat Jun 24 06:15:03 UTC 2017 - adrian@suse.de

- update to version 5.1.1

-------------------------------------------------------------------
Mon Dec  5 15:35:14 UTC 2016 - cbruckmayer@suse.com

- Add patch for fixing content type is nil

Already merged into upstream and will be included in the next rails version 5.0.0.2
  https://github.com/rails/rails/pull/25950

-------------------------------------------------------------------
Fri Aug 12 04:30:28 UTC 2016 - coolo@suse.com

- updated to version 5.0.0.1
 see installed CHANGELOG.md

-------------------------------------------------------------------
Mon Jul  4 09:08:07 UTC 2016 - coolo@suse.com

- updated to rails 5.0 - see http://weblog.rubyonrails.org/2016/6/30/Rails-5-0-final/

-------------------------------------------------------------------
Tue Mar  8 05:29:36 UTC 2016 - coolo@suse.com

- updated to version 4.2.6
 see installed CHANGELOG.md

## Rails 4.2.6 (March 07, 2016) ##

*   No changes.

-------------------------------------------------------------------
Tue Mar  1 05:30:50 UTC 2016 - coolo@suse.com

- updated to version 4.2.5.2
 see installed CHANGELOG.md

## Rails 4.2.5.2 (February 26, 2016) ##

*   Do not allow render with unpermitted parameter.

Fixes CVE-2016-2098.

*Arthur Neves*

## Rails 4.2.5.1 (January 25, 2015) ##

*   No changes.

-------------------------------------------------------------------
Tue Jan 26 05:29:36 UTC 2016 - coolo@suse.com

- updated to version 4.2.5.1
 see installed CHANGELOG.md

-------------------------------------------------------------------
Fri Nov 13 05:29:06 UTC 2015 - coolo@suse.com

- updated to version 4.2.5
 see installed CHANGELOG.md

## Rails 4.2.5 (November 12, 2015) ##

*   `ActionController::TestCase` can teardown gracefully if an error is raised
      early in the `setup` chain.

*Yves Senn*

*   Parse RSS/ATOM responses as XML, not HTML.

*Alexander Kaupanin*

*   Fix regression in mounted engine named routes generation for app deployed to
      a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
      "/subdir/subdir/engine_path" instead of "/subdir/engine_path")

Fixes #20920. Fixes #21459.

*Matthew Erhard*

*   `url_for` does not modify its arguments when generating polymorphic URLs.

*Bernerd Schaefer*

*   Update `ActionController::TestSession#fetch` to behave more like
      `ActionDispatch::Request::Session#fetch` when using non-string keys.

*Jeremy Friesen*

-------------------------------------------------------------------
Tue Aug 25 04:29:18 UTC 2015 - coolo@suse.com

- updated to version 4.2.4
 see installed CHANGELOG.md

## Rails 4.2.4 (August 24, 2015) ##

*   ActionController::TestSession now accepts a default value as well as
      a block for generating a default value based off the key provided.

This fixes calls to session#fetch in ApplicationController instances that
      take more two arguments or a block from raising `ArgumentError: wrong
      number of arguments (2 for 1)` when performing controller tests.

*Matthew Gerrior*

*   Fix to keep original header instance in `ActionDispatch::SSL`

`ActionDispatch::SSL` changes headers to `Hash`.
      So some headers will be broken if there are some middlewares
      on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.

*Fumiaki Matsushima*

-------------------------------------------------------------------
Fri Jun 26 04:29:34 UTC 2015 - coolo@suse.com

- updated to version 4.2.3
 see installed CHANGELOG.md

## Rails 4.2.3 (June 25, 2015) ##

*   Fix rake routes not showing the right format when
      nesting multiple routes.

See #18373.

*Ravil Bayramgalin*

*   Fix regression where a gzip file response would have a Content-type,
      even when it was a 304 status code.

See #19271.

*Kohei Suzuki*

*   Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port

Previously, an empty X_FORWARDED_HOST header would cause
      Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
      Actiondispatch::Http:URL.host to raise a NoMethodError.

*Adam Forsyth*

*   Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.

Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
      prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
      is set, it takes precedence.

Fixes #5122.

*Yasyf Mohamedali*

*   Fix regression in functional tests. Responses should have default headers
      assigned.

See #18423.

*Jeremy Kemper*, *Yves Senn*

-------------------------------------------------------------------
Wed Jun 17 04:30:01 UTC 2015 - coolo@suse.com

- updated to version 4.2.2
 see installed CHANGELOG.md

## Rails 4.2.2 (June 16, 2015) ##

* No Changes *

-------------------------------------------------------------------
Sun Mar 22 09:07:28 UTC 2015 - coolo@suse.com

- updated to version 4.2.1, see CHANGELOG.md

-------------------------------------------------------------------
Wed Jan 28 12:29:23 UTC 2015 - adrian@suse.de

- update to 4.2.0

-------------------------------------------------------------------
Mon Jan 19 21:09:53 UTC 2015 - dmueller@suse.com

-  update to 4.1.9:
   * Fixed handling of positional url helper arguments when `format: false`.
   * Restore handling of a bare `Authorization` header, without `token=`
     prefix.
   * Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass
   * Fix a bug where malformed query strings lead to 500.
   * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7829)
   * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7818)

-------------------------------------------------------------------
Mon Nov 10 14:00:03 UTC 2014 - tboerger@suse.com

- To get rails 4 running on SLE 11 i have switched the
  rb_build_versions definition to rub21 as it is activated within
  devel:languages:ruby. That way we can get running rails 4 on
  SLE 11 too.

-------------------------------------------------------------------
Sun Oct 12 16:20:05 UTC 2014 - coolo@suse.com

- updated to version 4.1.6
 *   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
     ("Rosetta Flash")
 *   Because URI paths may contain non US-ASCII characters we need to force
     the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
     This essentially replicates the functionality of the monkey patch to
     URI.parser.unescape in active_support/core_ext/uri.rb.
     Fixes #16104.
 *   Generate shallow paths for all children of shallow resources.
     Fixes #15783.
 *   JSONP responses are now rendered with the `text/javascript` content type
     when rendering through a `respond_to` block.
     Fixes #15081.
 *   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
     Fixes #15511.
 *   ActionController::Parameters#require now accepts `false` values.
     Fixes #15685.

-------------------------------------------------------------------
Wed Jul 23 13:26:43 UTC 2014 - mrueckert@suse.com

- - initial package

Places

File rubygem-actionpack-5_1.changes of Package rubygem-actionpack-5_1

Places