diff -Nru rails-6.0.3.5+dfsg/actionpack/lib/action_controller/metal/http_authentication.rb rails-6.0.3.7+dfsg/actionpack/lib/action_controller/metal/http_authentication.rb --- rails-6.0.3.5+dfsg/actionpack/lib/action_controller/metal/http_authentication.rb 2021-02-11 02:00:10.000000000 +0530 +++ rails-6.0.3.7+dfsg/actionpack/lib/action_controller/metal/http_authentication.rb 2021-05-05 21:31:04.000000000 +0530 @@ -405,7 +405,7 @@ module Token TOKEN_KEY = "token=" TOKEN_REGEX = /^(Token|Bearer)\s+/ - AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/ + AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/ extend self module ControllerMethods diff -Nru rails-6.0.3.5+dfsg/actionpack/lib/action_dispatch/http/mime_type.rb rails-6.0.3.7+dfsg/actionpack/lib/action_dispatch/http/mime_type.rb --- rails-6.0.3.5+dfsg/actionpack/lib/action_dispatch/http/mime_type.rb 2021-02-11 02:00:10.000000000 +0530 +++ rails-6.0.3.7+dfsg/actionpack/lib/action_dispatch/http/mime_type.rb 2021-05-05 21:31:04.000000000 +0530 @@ -226,7 +226,7 @@ MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}" MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?" MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?" - MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/ + MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/ class InvalidMimeType < StandardError; end diff -Nru rails-6.0.3.5+dfsg/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb rails-6.0.3.7+dfsg/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb --- rails-6.0.3.5+dfsg/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb 2021-02-11 02:00:10.000000000 +0530 +++ rails-6.0.3.7+dfsg/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb 2021-05-05 21:31:04.000000000 +0530 
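Review bot: The new `AUTHN_PAIR_DELIMITERS` line gives no hint why a single `\t` replaced `\t+`, and the shorter pattern is exactly what a later cleanup would "restore"; add `# one \t only: the \t+ form backtracked pathologically on crafted Authorization headers (CVE-2021-22904)` above it. Splitting on this delimiter now yields an empty field for every run of consecutive tabs, so whatever consumes the split pairs (outside this hunk) presumably has to tolerate empty entries, and a regression test with a `\t\t` separator would pin that. The enclosing `module Token` starts before and ends after this hunk.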
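Review bot: The switch from `(?:…)*` to the atomic `(?>…)*` in `MIME_REGEXP` is the entire fix, yet nothing on the line says so, and `(?>` is rare enough that a reader may simplify it back; add `# atomic group: once a ";param" is consumed the engine never backtracks into it (CVE-2021-22902)` above the constant. The comment should also name why it matters here: the trailing `\s*` of one parameter iteration and the leading `\s*` of the next otherwise compete for the same whitespace. Separately, on the context line above, `MIME_PARAMETER` is a double-quoted String in which `\s` is Ruby's escape for a literal space (and `\;`, `\=` collapse to plain `;`, `=`), so the interpolated fragment only admits spaces around `;`, not general whitespace; that may be intended, but it is invisible to a reader of the regex and deserves a comment or a single-quoted source so the pattern reads as it behaves.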
@@ -286,10 +286,12 @@ args = [] - route = record_list.map { |parent| + route = record_list.map do |parent| case parent - when Symbol, String + when Symbol parent.to_s + when String + raise(ArgumentError, "Please use symbols for polymorphic route arguments.") when Class args << parent parent.model_name.singular_route_key @@ -297,12 +299,14 @@ args << parent.to_model parent.to_model.model_name.singular_route_key end - } + end route << case record - when Symbol, String + when Symbol record.to_s + when String + raise(ArgumentError, "Please use symbols for polymorphic route arguments.") when Class @key_strategy.call record.model_name else diff -Nru rails-6.0.3.5+dfsg/activestorage/activestorage.gemspec rails-6.0.3.7+dfsg/activestorage/activestorage.gemspec --- rails-6.0.3.5+dfsg/activestorage/activestorage.gemspec 2021-02-11 02:00:10.000000000 +0530 +++ rails-6.0.3.7+dfsg/activestorage/activestorage.gemspec 2021-05-05 21:31:04.000000000 +0530 @@ -35,5 +35,5 @@ s.add_dependency "activejob", version s.add_dependency "activerecord", version - s.add_dependency "marcel", "~> 0.3.1" + s.add_dependency "marcel", "~> 1.0.0" end diff -Nru rails-6.0.3.5+dfsg/debian/changelog rails-6.0.3.7+dfsg/debian/changelog --- rails-6.0.3.5+dfsg/debian/changelog 2021-02-14 18:48:21.000000000 +0530 +++ rails-6.0.3.7+dfsg/debian/changelog 2021-05-15 16:05:45.000000000 +0530 
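Review bot: The two new `when String` branches raise the identical `ArgumentError` with the same literal message, once inside the `record_list.map` block and again in the `case record` expression of the second hunk (`@@ -297`); lift the text into a frozen constant or a small private helper so the two sites cannot drift, e.g. `raise ArgumentError, STRING_ROUTE_ARGUMENT_MESSAGE` with `STRING_ROUTE_ARGUMENT_MESSAGE = "Please use symbols for polymorphic route arguments.".freeze` defined once on the module. The parenthesised `raise(ArgumentError, "…")` form is also out of step with the usual bare `raise Klass, msg` style. The enclosing method starts before the first hunk and ends after the second.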
@@ -1,3 +1,37 @@ +rails (2:6.0.3.7+dfsg-1) unstable; urgency=high + + * Upload to unstable directly. + * New upstream version 6.0.3.7+dfsg. (Closes: #988214) + - Prevent slow regex when parsing host authorization header. + (Fixed: CVE-2021-22904) + - Prevent catastrophic backtracking during mime parsing. + (Fixes: CVE-2021-22902) + - Prevent string polymorphic route arguments. + (Fixes: CVE-2021-22885) + + -- Utkarsh Gupta Sat, 15 May 2021 16:05:45 +0530 + +rails (2:6.0.3.6+dfsg-2) experimental; urgency=medium + + * Install @rails/actioncable node module and Provide node-rails-actioncable + + -- Pirate Praveen Sun, 02 May 2021 23:47:43 +0530 + +rails (2:6.0.3.6+dfsg-1) experimental; urgency=medium + + * Team Upload + * New upstream version 6.0.3.6+dfsg (upgrade Active Storage’s Marcel + dependency to version 1.0.0.) + Before 1.0.0, Marcel—which is distributed under the terms of the MIT + License, like Rails—indirectly depended on MIME type data released under + the GNU General Public License making the effective license of rails + applications GPL. Marcel 1.0.0 instead directly packages MIME type data + adapted from Apache Tika, released under the permissive and compatible + Apache License 2.0. + * Update minimum version of ruby-marcel to 1.0~ + + -- Pirate Praveen Thu, 29 Apr 2021 15:52:41 +0530 + rails (2:6.0.3.5+dfsg-1) unstable; urgency=high * New upstream version 6.0.3.5+dfsg. diff -Nru rails-6.0.3.5+dfsg/debian/control rails-6.0.3.7+dfsg/debian/control --- rails-6.0.3.5+dfsg/debian/control 2021-02-14 18:48:21.000000000 +0530 +++ rails-6.0.3.7+dfsg/debian/control 2021-05-15 15:21:36.000000000 +0530 @@ -70,8 +70,7 @@ ruby-i18n (>= 0.7) , ruby-mail (<< 3.0) , ruby-mail (>= 2.7.1) , - ruby-marcel (<< 0.4) , - ruby-marcel , + ruby-marcel (>= 1.0~) , ruby-method-source , ruby-minitest (<< 6.0) , ruby-minitest , 
@@ -260,6 +259,7 @@ ruby-nio4r (>= 2.0), ruby-websocket-driver, ${misc:Depends} +Provides: node-rails-actioncable (=${source:Version}) Description: WebSocket framework for Rails (part of Rails) Action Cable seamlessly integrates WebSockets with the rest of your Rails application. It allows for real-time features to be written in Ruby in the same @@ -277,8 +277,7 @@ ruby-actionpack (= ${source:Version}), ruby-activejob (= ${source:Version}), ruby-activerecord (= ${source:Version}), - ruby-marcel (<< 0.4), - ruby-marcel, + ruby-marcel (>= 1.0~), ${misc:Depends} Description: local and cloud file storage framework (part of Rails) Active Storage makes it simple to upload and reference files in cloud services diff -Nru rails-6.0.3.5+dfsg/debian/ruby-actioncable.install rails-6.0.3.7+dfsg/debian/ruby-actioncable.install --- rails-6.0.3.5+dfsg/debian/ruby-actioncable.install 1970-01-01 05:30:00.000000000 +0530 +++ rails-6.0.3.7+dfsg/debian/ruby-actioncable.install 2021-05-15 15:19:55.000000000 +0530 @@ -0,0 +1,3 @@ +actioncable/package.json usr/share/nodejs/@rails/actioncable +actioncable/app/assets usr/share/nodejs/@rails/actioncable/app +actioncable/app/javascript/action_cable/* usr/share/nodejs/@rails/actioncable/src diff -Nru rails-6.0.3.5+dfsg/RAILS_VERSION rails-6.0.3.7+dfsg/RAILS_VERSION --- rails-6.0.3.5+dfsg/RAILS_VERSION 2021-02-11 02:00:10.000000000 +0530 +++ rails-6.0.3.7+dfsg/RAILS_VERSION 2021-05-05 21:31:04.000000000 +0530 @@ -1 +1 @@ -6.0.3.5 +6.0.3.7 diff -Nru rails-6.0.3.5+dfsg/version.rb rails-6.0.3.7+dfsg/version.rb --- rails-6.0.3.5+dfsg/version.rb 2021-02-11 02:00:10.000000000 +0530 +++ rails-6.0.3.7+dfsg/version.rb 2021-05-05 21:31:04.000000000 +0530 @@ -10,7 +10,7 @@ MAJOR = 6 MINOR = 0 TINY = 3 - PRE = "5" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end
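Review bot: `Provides: node-rails-actioncable (=${source:Version})` expands to the epoch-carrying Debian version (`2:6.0.3.7+dfsg-1`, per the changelog hunk), not the npm-style version of the bundled module, so a node package declaring `node-rails-actioncable (>= 6.0)` would be satisfied by every epoch-2 upload regardless of content; if that is not intended, either provide a fixed unepoched version or document in `debian/control` which scheme consumers may rely on. The new `debian/ruby-actioncable.install` maps `app/assets` and `app/javascript/action_cable/*` under `usr/share/nodejs/@rails/actioncable`; whether the shipped `package.json` entry point resolves to those paths cannot be checked from this diff, so a `nodejs -e "require('@rails/actioncable')"` smoke test in the build would be cheap insurance.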