------------------------------------------------------------------- Tue Jan 26 19:31:40 UTC 2016 - jmassaguerpla@suse.com - fix bnc#963331 - CVE-2016-0751: rubygem-actionpack: Object Leak DoS CVE-2016-0751.patch: contains the fix ------------------------------------------------------------------- Tue Jan 26 19:30:07 UTC 2016 - jmassaguerpla@suse.com - fix bnc#963335 - CVE-2015-7581: rubygem-actionpack: unbounded memory growth DoS via wildcard controller routes CVE-2015-7581.patch: contains the fix ------------------------------------------------------------------- Tue Jan 26 18:54:40 UTC 2016 - jmassaguerpla@suse.com - fix bnc#963332 - CVE-2016-0752: rubygem-actionpack, rubygem-actionview: directory traversal and information leak in Action View CVE-2016-0752.patch: contains the fix ------------------------------------------------------------------- Tue Jan 26 18:28:26 UTC 2016 - jmassaguerpla@suse.com - bnc#963329 - CVE-2015-7576: rubygem-actionpack, rubygem-activesupport: Timing attack vulnerability in basic authentication in Action Controller CVE-2015-7576.patch: contains fix ------------------------------------------------------------------- Mon Jan 19 21:09:53 UTC 2015 - dmueller@suse.com - update to 4.1.9: * Fixed handling of positional url helper arguments when `format: false`. * Restore handling of a bare `Authorization` header, without `token=` prefix. * Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass * Fix a bug where malformed query strings lead to 500. * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7829) * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7818) ------------------------------------------------------------------- Mon Nov 10 14:00:03 UTC 2014 - tboerger@suse.com - To get rails 4 running on SLE 11 i have switched the rb_build_versions definition to rub21 as it is activated within devel:languages:ruby. That way we can get running rails 4 on SLE 11 too. ------------------------------------------------------------------- Sun Oct 12 16:20:05 UTC 2014 - coolo@suse.com - updated to version 4.1.6 * Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671 ("Rosetta Flash") * Because URI paths may contain non US-ASCII characters we need to force the encoding of any unescaped URIs to UTF-8 if they are US-ASCII. This essentially replicates the functionality of the monkey patch to URI.parser.unescape in active_support/core_ext/uri.rb. Fixes #16104. * Generate shallow paths for all children of shallow resources. Fixes #15783. * JSONP responses are now rendered with the `text/javascript` content type when rendering through a `respond_to` block. Fixes #15081. * Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'. Fixes #15511. * ActionController::Parameters#require now accepts `false` values. Fixes #15685. ------------------------------------------------------------------- Wed Jul 23 13:26:43 UTC 2014 - mrueckert@suse.com - - initial package