-------------------------------------------------------------------
Wed Jul 8 14:32:56 UTC 2015 - jmassaguerpla@suse.com

- fix CVE-2015-3225: rubygem-rack: Potential Denial of Service
  Vulnerability in Rack (bnc#934797)
  CVE-2015-3225.patch contains the fix

-------------------------------------------------------------------
Wed Feb 13 16:44:34 UTC 2013 - mrueckert@suse.de

- update to 1.4.5 (bnc#802794 bnc#802795)
  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
  * Fix CVE-2013-0262, symlink path traversal in Rack::File

-------------------------------------------------------------------
Tue Jan 15 11:51:53 UTC 2013 - mrueckert@suse.de

- update to 1.4.4 (bnc#798452)
  * [SEC] Rack::Auth::AbstractRequest no longer symbolizes
    arbitrary strings (CVE-2013-0184)
- changes from 1.4.3
  * Security: Prevent unbounded reads in large multipart
    boundaries (CVE-2013-0183)
- changes from 1.4.2 (CVE-2012-6109)
  * Add warnings when users do not provide a session secret
  * Fix parsing performance for unquoted filenames
  * Updated URI backports
  * Fix URI backport version matching, and silence constant
    warnings
  * Correct parameter parsing with empty values
  * Correct rackup '-I' flag, to allow multiple uses
  * Correct rackup pidfile handling
  * Report rackup line numbers correctly
  * Fix request loops caused by non-stale nonces with time limits
  * Fix reloader on Windows
  * Prevent infinite recursions from Response#to_ary
  * Various middleware better conforms to the body close
    specification
  * Updated language for the body close specification
  * Additional notes regarding ECMA escape compatibility issues
  * Fix the parsing of multiple ranges in range headers
  * Prevent errors from empty parameter keys
  * Added PATCH verb to Rack::Request
  * Various documentation updates
  * Fix session merge semantics (fixes rack-test)
  * Rack::Static :index can now handle multiple directories
  * All tests now utilize Rack::Lint (special thanks to Lars
    Gierth)
  * Rack::File cache_control parameter is now deprecated, and
    removed by 1.5
  * Correct Rack::Directory script name escaping
  * Rack::Static supports header rules for sophisticated
    configurations
  * Multipart parsing now works without a Content-Length header
  * New logos courtesy of Zachary Scott!
  * Rack::BodyProxy now explicitly defines #each, useful for C
    extensions
  * Cookies that are not URI escaped no longer cause exceptions

-------------------------------------------------------------------
Mon Apr 2 12:41:39 UTC 2012 - saschpe@suse.de

- Spec file cleanup:
  * Prepare for Factory submission

-------------------------------------------------------------------
Fri Mar 30 13:10:03 UTC 2012 - adrian@suse.de

- handle /usr/bin/rackup via update-alternatives

-------------------------------------------------------------------
Thu Jan 26 16:06:57 UTC 2012 - mrueckert@suse.de

- initial package of the 1.4 branch