Hello community,
here is the log from the commit of package rubygem-activesupport-4_2 for
openSUSE:Factory checked in at 2015-06-23 11:56:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-activesupport-4_2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-activesupport-4_2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-activesupport-4_2"
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-activesupport-4_2/rubygem-activesupport-4_2.changes
2015-03-25 10:00:47.000000000 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-activesupport-4_2.new/rubygem-activesupport-4_2.changes
2015-06-23 11:56:09.000000000 +0200
@@ -1,0 +2,20 @@
+Wed Jun 17 04:33:49 UTC 2015 - [email protected]
+
+- updated to version 4.2.2
+ see installed CHANGELOG.md
+
+ ## Rails 4.2.2 (June 16, 2015) ##
+
+ * Fix XSS vulnerability in `ActiveSupport::JSON.encode` method.
+
+ CVE-2015-3226.
+
+ *Rafael Mendonça França*
+
+ * Fix denial of service vulnerability in the XML processing.
+
+ CVE-2015-3227.
+
+ *Aaron Patterson*
+
+-------------------------------------------------------------------
Old:
----
activesupport-4.2.1.gem
New:
----
activesupport-4.2.2.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-activesupport-4_2.spec ++++++
--- /var/tmp/diff_new_pack.36tl9J/_old 2015-06-23 11:56:09.000000000 +0200
+++ /var/tmp/diff_new_pack.36tl9J/_new 2015-06-23 11:56:09.000000000 +0200
@@ -24,7 +24,7 @@
#
Name: rubygem-activesupport-4_2
-Version: 4.2.1
+Version: 4.2.2
Release: 0
%define mod_name activesupport
%define mod_full_name %{mod_name}-%{version}
++++++ activesupport-4.2.1.gem -> activesupport-4.2.2.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2015-03-19 17:40:25.000000000 +0100
+++ new/CHANGELOG.md 2015-06-16 20:01:34.000000000 +0200
@@ -1,3 +1,18 @@
+## Rails 4.2.2 (June 16, 2015) ##
+
+* Fix XSS vulnerability in `ActiveSupport::JSON.encode` method.
+
+ CVE-2015-3226.
+
+ *Rafael Mendonça França*
+
+* Fix denial of service vulnerability in the XML processing.
+
+ CVE-2015-3227.
+
+ *Aaron Patterson*
+
+
## Rails 4.2.1 (March 19, 2014) ##
* Fixed a problem where String#truncate_words would get stuck with a complex
Files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_support/gem_version.rb
new/lib/active_support/gem_version.rb
--- old/lib/active_support/gem_version.rb 2015-03-19 17:40:26.000000000
+0100
+++ new/lib/active_support/gem_version.rb 2015-06-16 20:01:35.000000000
+0200
@@ -7,7 +7,7 @@
module VERSION
MAJOR = 4
MINOR = 2
- TINY = 1
+ TINY = 2
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_support/json/encoding.rb
new/lib/active_support/json/encoding.rb
--- old/lib/active_support/json/encoding.rb 2015-03-19 17:40:26.000000000
+0100
+++ new/lib/active_support/json/encoding.rb 2015-06-16 20:01:35.000000000
+0200
@@ -58,6 +58,10 @@
super.gsub ESCAPE_REGEX_WITHOUT_HTML_ENTITIES, ESCAPED_CHARS
end
end
+
+ def to_s
+ self
+ end
end
# Mark these as private so we don't leak encoding-specific constructs
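Review bot: The added `to_s` override carries no comment saying why it returns `self`, and the reason is not obvious from the three lines: `String#to_s` called on an instance of a String subclass returns a plain `String`, which would drop the escaping this class applies (the `gsub` with `ESCAPED_CHARS` visible above) as soon as a caller converts the value. A comment such as `# Return self rather than a plain String so the escaped value keeps its type when callers call to_s on it (CVE-2015-3226).` would tell the next maintainer this is a deliberate guard and not a no-op to be cleaned up. The enclosing class starts before this hunk, so its name is not visible here.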
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_support/xml_mini/jdom.rb
new/lib/active_support/xml_mini/jdom.rb
--- old/lib/active_support/xml_mini/jdom.rb 2015-03-19 17:40:26.000000000
+0100
+++ new/lib/active_support/xml_mini/jdom.rb 2015-06-16 20:01:35.000000000
+0200
@@ -46,7 +46,7 @@
xml_string_reader = StringReader.new(data)
xml_input_source = InputSource.new(xml_string_reader)
doc = @dbf.new_document_builder.parse(xml_input_source)
- merge_element!({CONTENT_KEY => ''}, doc.document_element)
+ merge_element!({CONTENT_KEY => ''}, doc.document_element,
XmlMini.depth)
end
end
@@ -58,9 +58,10 @@
# Hash to merge the converted element into.
# element::
# XML element to merge into hash
- def merge_element!(hash, element)
+ def merge_element!(hash, element, depth)
+ raise 'Document too deep!' if depth == 0
delete_empty(hash)
- merge!(hash, element.tag_name, collapse(element))
+ merge!(hash, element.tag_name, collapse(element, depth))
end
def delete_empty(hash)
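Review bot: The new guard `raise 'Document too deep!' if depth == 0` stops the recursion only when the counter hits exactly zero; if `XmlMini.depth` is ever set to a negative value (the accessor added in this commit accepts anything), `depth - 1` in `collapse` walks past zero and the limit is never enforced. Use `raise 'Document too deep!' if depth <= 0` here and the same `<= 0` comparison on the matching guard in `lib/active_support/xml_mini/rexml.rb`. The two backends also raise different classes for the same condition — a bare `RuntimeError` here versus `REXML::ParseException` in the REXML backend — so a caller rescuing the parse error of one backend will not catch the other; a shared error class would be more consistent, though what callers currently rescue is not visible in this diff.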
@@ -71,14 +72,14 @@
#
# element::
# The document element to be collapsed.
- def collapse(element)
+ def collapse(element, depth)
hash = get_attributes(element)
child_nodes = element.child_nodes
if child_nodes.length > 0
(0...child_nodes.length).each do |i|
child = child_nodes.item(i)
- merge_element!(hash, child) unless child.node_type == Node.TEXT_NODE
+ merge_element!(hash, child, depth - 1) unless child.node_type ==
Node.TEXT_NODE
end
merge_texts!(hash, element) unless empty_content?(element)
hash
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_support/xml_mini/rexml.rb
new/lib/active_support/xml_mini/rexml.rb
--- old/lib/active_support/xml_mini/rexml.rb 2015-03-19 17:40:26.000000000
+0100
+++ new/lib/active_support/xml_mini/rexml.rb 2015-06-16 20:01:35.000000000
+0200
@@ -29,7 +29,7 @@
doc = REXML::Document.new(data)
if doc.root
- merge_element!({}, doc.root)
+ merge_element!({}, doc.root, XmlMini.depth)
else
raise REXML::ParseException,
"The document #{doc.to_s.inspect} does not have a valid root"
@@ -44,19 +44,20 @@
# Hash to merge the converted element into.
# element::
# XML element to merge into hash
- def merge_element!(hash, element)
- merge!(hash, element.name, collapse(element))
+ def merge_element!(hash, element, depth)
+ raise REXML::ParseException, "The document is too deep" if depth == 0
+ merge!(hash, element.name, collapse(element, depth))
end
# Actually converts an XML document element into a data structure.
#
# element::
# The document element to be collapsed.
- def collapse(element)
+ def collapse(element, depth)
hash = get_attributes(element)
if element.has_elements?
- element.each_element {|child| merge_element!(hash, child) }
+ element.each_element {|child| merge_element!(hash, child, depth - 1)
}
merge_texts!(hash, element) unless empty_content?(element)
hash
else
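Review bot: The rdoc comment above `merge_element!` still lists only `hash::` and `element::`; the new `depth` parameter is undocumented, and the same applies to `collapse` in this hunk and to both methods in the JDOM backend hunks of `lib/active_support/xml_mini/jdom.rb`. Add `# depth::` followed by `#   Remaining nesting levels allowed; raises when it reaches 0` under the existing parameter list, and the same two lines for `collapse`, whose recursion hands `depth - 1` to each child. The comment block for `merge_element!` begins before the first line of this hunk.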
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_support/xml_mini.rb
new/lib/active_support/xml_mini.rb
--- old/lib/active_support/xml_mini.rb 2015-03-19 17:40:26.000000000 +0100
+++ new/lib/active_support/xml_mini.rb 2015-06-16 20:01:35.000000000 +0200
@@ -78,6 +78,9 @@
)
end
+ attr_accessor :depth
+ self.depth = 100
+
delegate :parse, :to => :backend
def backend
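Review bot: `attr_accessor :depth` and `self.depth = 100` are added without a comment, so a reader cannot tell what the value bounds or why 100 was chosen. A comment such as `# Maximum element nesting the XML backends descend before raising; defends against deeply nested documents (CVE-2015-3227).` would document the contract. The plain accessor also accepts any value, and because the backend guards in this commit compare against zero, a negative setting disables the limit while a nil setting fails inside the backend with a NoMethodError instead of a clear error; a custom writer could reject such values with `raise ArgumentError, 'depth must be a positive Integer' unless value.is_a?(Integer) && value > 0`. Only the REXML and JDOM backends appear in this diff, so whether the other backends consult `depth` cannot be checked here.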
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2015-03-19 17:40:25.000000000 +0100
+++ new/metadata 2015-06-16 20:01:34.000000000 +0200
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: activesupport
version: !ruby/object:Gem::Version
- version: 4.2.1
+ version: 4.2.2
platform: ruby
authors:
- David Heinemeier Hansson
autorequire:
bindir: bin
cert_chain: []
-date: 2015-03-19 00:00:00.000000000 Z
+date: 2015-06-16 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: i18n