Hello community,
here is the log from the commit of package rubygem-activestorage-6.0 for
openSUSE:Factory checked in at 2020-05-28 09:19:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-activestorage-6.0 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-activestorage-6.0.new.3606 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-activestorage-6.0"
Thu May 28 09:19:04 2020 rev:7 rq:809487 version:6.0.3.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-activestorage-6.0/rubygem-activestorage-6.0.changes
2020-05-11 13:38:47.328794969 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-activestorage-6.0.new.3606/rubygem-activestorage-6.0.changes
2020-05-28 09:19:05.741184239 +0200
@@ -1,0 +2,7 @@
+Wed May 27 11:01:23 UTC 2020 - Manuel Schnitzer <[email protected]>
+
+- updated to version 6.0.3.1
+
+ * CVE-2020-8162: Include Content-Length in signature for ActiveStorage
direct upload (bsc#1172163)
+
+-------------------------------------------------------------------
Old:
----
activestorage-6.0.3.gem
New:
----
activestorage-6.0.3.1.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-activestorage-6.0.spec ++++++
--- /var/tmp/diff_new_pack.CYX5Mo/_old 2020-05-28 09:19:06.725186042 +0200
+++ /var/tmp/diff_new_pack.CYX5Mo/_new 2020-05-28 09:19:06.729186049 +0200
@@ -24,7 +24,7 @@
#
Name: rubygem-activestorage-6.0
-Version: 6.0.3
+Version: 6.0.3.1
Release: 0
%define mod_name activestorage
%define mod_full_name %{mod_name}-%{version}
++++++ activestorage-6.0.3.gem -> activestorage-6.0.3.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2020-05-06 20:00:05.000000000 +0200
+++ new/CHANGELOG.md 2020-05-18 17:45:55.000000000 +0200
@@ -1,3 +1,7 @@
+## Rails 6.0.3.1 (May 18, 2020) ##
+
+* [CVE-2020-8162] Include Content-Length in signature for ActiveStorage
direct upload
+
## Rails 6.0.3 (May 06, 2020) ##
* No changes.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_storage/gem_version.rb
new/lib/active_storage/gem_version.rb
--- old/lib/active_storage/gem_version.rb 2020-05-06 20:00:05.000000000
+0200
+++ new/lib/active_storage/gem_version.rb 2020-05-18 17:45:55.000000000
+0200
@@ -10,7 +10,7 @@
MAJOR = 6
MINOR = 0
TINY = 3
- PRE = nil
+ PRE = "1"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_storage/service/s3_service.rb
new/lib/active_storage/service/s3_service.rb
--- old/lib/active_storage/service/s3_service.rb 2020-05-06
20:00:05.000000000 +0200
+++ new/lib/active_storage/service/s3_service.rb 2020-05-18
17:45:55.000000000 +0200
@@ -81,7 +81,8 @@
def url_for_direct_upload(key, expires_in:, content_type:,
content_length:, checksum:)
instrument :url, key: key do |payload|
generated_url = object_for(key).presigned_url :put, expires_in:
expires_in.to_i,
- content_type: content_type, content_length: content_length,
content_md5: checksum
+ content_type: content_type, content_length: content_length,
content_md5: checksum,
+ whitelist_headers: ['content-length']
payload[:url] = generated_url
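Review bot: The added `whitelist_headers: ['content-length']` argument in url_for_direct_upload has no comment explaining why it is there, yet it is the only code change in this gem diff for CVE-2020-8162, so a later cleanup could drop it unnoticed. I would put a comment above the presigned_url call, for example `# Sign Content-Length so the storage service rejects an upload whose size differs from the declared content_length.` The diff shows no change to the aws-sdk-s3 version constraint. It is worth confirming that every SDK version the gem accepts honours this option, because otherwise the URL would presumably still be issued without the header signed. The method body continues outside the hunk.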
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2020-05-06 20:00:05.000000000 +0200
+++ new/metadata 2020-05-18 17:45:55.000000000 +0200
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: activestorage
version: !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
platform: ruby
authors:
- David Heinemeier Hansson
autorequire:
bindir: bin
cert_chain: []
-date: 2020-05-06 00:00:00.000000000 Z
+date: 2020-05-18 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: actionpack
@@ -16,42 +16,42 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
- !ruby/object:Gem::Dependency
name: activejob
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
- !ruby/object:Gem::Dependency
name: activerecord
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 6.0.3
+ version: 6.0.3.1
- !ruby/object:Gem::Dependency
name: marcel
requirement: !ruby/object:Gem::Requirement
@@ -151,10 +151,10 @@
- MIT
metadata:
bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri:
https://github.com/rails/rails/blob/v6.0.3/activestorage/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v6.0.3/
+ changelog_uri:
https://github.com/rails/rails/blob/v6.0.3.1/activestorage/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v6.0.3.1/
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v6.0.3/activestorage
+ source_code_uri: https://github.com/rails/rails/tree/v6.0.3.1/activestorage
post_install_message:
rdoc_options: []
require_paths: