Hello community,

here is the log from the commit of package rubygem-loofah for openSUSE:Factory checked in at 2018-03-26 13:07:03

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-loofah (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-loofah.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-loofah" Mon Mar 26 13:07:03 2018 rev:7 rq:590676 version:2.2.2 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-loofah/rubygem-loofah.changes 2018-03-22 12:08:51.621623304 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-loofah.new/rubygem-loofah.changes 2018-03-26 13:07:08.316556279 +0200 @@ -1,0 +2,8 @@ +Fri Mar 23 10:15:28 UTC 2018 - [email protected] + +- update to version 2.2.2 + + * Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!, which was previously a private method. + This is so that downstream gems (like rails-html-sanitizer) can use this logic directly for their own attribute scrubbers should they need to address CVE-2018-8048. + +------------------------------------------------------------------- Old: ---- loofah-2.2.1.gem New: ---- loofah-2.2.2.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-loofah.spec ++++++ --- /var/tmp/diff_new_pack.vjayN4/_old 2018-03-26 13:07:09.952497469 +0200 +++ /var/tmp/diff_new_pack.vjayN4/_new 2018-03-26 13:07:09.952497469 +0200 @@ -24,7 +24,7 @@ # Name: rubygem-loofah -Version: 2.2.1 +Version: 2.2.2 Release: 0 %define mod_name loofah %define mod_full_name %{mod_name}-%{version} ++++++ loofah-2.2.1.gem -> loofah-2.2.2.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2018-03-19 21:22:58.000000000 +0100 +++ new/CHANGELOG.md 2018-03-22 16:10:40.000000000 +0100 
@@ -1,5 +1,13 @@ # Changelog +## 2.2.2 / 2018-03-22 + +Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`, +which was previously a private method. This is so that downstream gems +(like rails-html-sanitizer) can use this logic directly for their own +attribute scrubbers should they need to address CVE-2018-8048. + + ## 2.2.1 / 2018-03-19 Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments. Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/loofah/html5/scrub.rb new/lib/loofah/html5/scrub.rb --- old/lib/loofah/html5/scrub.rb 2018-03-19 21:22:58.000000000 +0100 +++ new/lib/loofah/html5/scrub.rb 2018-03-22 16:10:40.000000000 +0100 @@ -101,8 +101,6 @@ Crass::Parser.stringify sanitized_tree end - private - # # libxml2 >= 2.9.2 fails to escape comments within some attributes. # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/loofah.rb new/lib/loofah.rb --- old/lib/loofah.rb 2018-03-19 21:22:58.000000000 +0100 +++ new/lib/loofah.rb 2018-03-22 16:10:40.000000000 +0100 @@ -28,7 +28,7 @@ # module Loofah # The version of Loofah you are using - VERSION = '2.2.1' + VERSION = '2.2.2' class << self # Shortcut for Loofah::HTML::Document.parse diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2018-03-19 21:22:58.000000000 +0100 +++ new/metadata 2018-03-22 16:10:40.000000000 +0100 @@ -1,7 +1,7 @@ --- !ruby/object:Gem::Specification name: loofah version: !ruby/object:Gem::Version - version: 2.2.1 + version: 2.2.2 platform: ruby authors: - Mike Dalessio 
@@ -9,7 +9,7 @@ autorequire: bindir: bin cert_chain: [] -date: 2018-03-19 00:00:00.000000000 Z +date: 2018-03-22 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: nokogiri diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/integration/test_ad_hoc.rb new/test/integration/test_ad_hoc.rb --- old/test/integration/test_ad_hoc.rb 2018-03-19 21:22:58.000000000 +0100 +++ new/test/integration/test_ad_hoc.rb 2018-03-22 16:10:40.000000000 +0100 @@ -231,7 +231,7 @@ attributes = reparsed.at_css(config[:tag]).attribute_nodes assert_equal [config[:attr]], attributes.collect(&:name) - if Nokogiri::VersionInfo.new.libxml2? + if Nokogiri::VersionInfo.instance.libxml2? if config[:unescaped] # # this attribute was emitted wrapped in single-quotes, so a double quote is A-OK.
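Review bot: the new rubygem-loofah.changes entry cites CVE-2018-8048, but per the upstream CHANGELOG the fix for that CVE shipped in 2.2.1; 2.2.2 only makes `Loofah::HTML5::Scrub.force_correct_attribute_escaping!` public so rails-html-sanitizer can reuse it. Reword the entry so security tracking does not read 2.2.2 as the fix (for example "exposes the attribute-escaping logic behind the CVE-2018-8048 fix in 2.2.1 for use by rails-html-sanitizer"), and if a bugzilla entry tracks CVE-2018-8048 for this package, reference it (bsc#/boo#) in the entry.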
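Review bot: in lib/loofah/html5/scrub.rb the hunk deletes the bare `private` modifier instead of exporting one method, so every method defined after that line in the scope becomes public, not only `force_correct_attribute_escaping!`. If other helpers follow it, the narrower change is `public :force_correct_attribute_escaping!` after the definitions (or moving that method above `private`), which keeps the exposed surface to what the changelog advertises. Since the method is now API that rails-html-sanitizer will call, the comment above it should also state the contract for callers (what it takes, that the bang name means it rewrites the node's attributes in place, and how it behaves on non-libxml2 builds, given the `libxml2?` gate in the tests), not just the libxml2 >= 2.9.2 bug it works around.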
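Review bot: in test/integration/test_ad_hoc.rb the change from `Nokogiri::VersionInfo.new.libxml2?` to `Nokogiri::VersionInfo.instance.libxml2?` is more than style: `Nokogiri::VersionInfo` is a `Singleton` (its `new` is private), so the 2.2.1 line raised instead of evaluating `libxml2?`, and the libxml2-specific assertions under `config[:unescaped]` that cover the CVE-2018-8048 escaping behaviour did not run. Confirm that the spec's %check actually executes this suite against Factory's nokogiri and libxml2 and that this branch now passes; otherwise the packaged build carries no coverage of the behaviour this update is about.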
