Hello community,

here is the log from the commit of package rubygem-actionview-6.0 for 
openSUSE:Factory checked in at 2020-09-14 12:28:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionview-6.0 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-actionview-6.0.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-actionview-6.0"

Mon Sep 14 12:28:41 2020 rev:9 rq:833957 version:6.0.3.3

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-actionview-6.0/rubygem-actionview-6.0.changes
    2020-06-25 15:11:08.850065543 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-actionview-6.0.new.4249/rubygem-actionview-6.0.changes
  2020-09-14 12:29:38.901149157 +0200
@@ -1,0 +2,7 @@
+Sat Sep 12 11:59:04 UTC 2020 - Manuel Schnitzer <[email protected]>
+
+- updated to version 6.0.3.3
+
+  * CVE-2020-8185: Fix potential XSS vulnerability in the `translate/t` helper 
(bsc#1173564)
+
+-------------------------------------------------------------------

Old:
----
  actionview-6.0.3.2.gem

New:
----
  actionview-6.0.3.3.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionview-6.0.spec ++++++
--- /var/tmp/diff_new_pack.QyBzTP/_old  2020-09-14 12:29:39.845149760 +0200
+++ /var/tmp/diff_new_pack.QyBzTP/_new  2020-09-14 12:29:39.853149764 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-actionview-6.0
-Version:        6.0.3.2
+Version:        6.0.3.3
 Release:        0
 %define mod_name actionview
 %define mod_full_name %{mod_name}-%{version}

++++++ actionview-6.0.3.2.gem -> actionview-6.0.3.3.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2020-06-17 16:52:56.000000000 +0200
+++ new/CHANGELOG.md    2020-09-09 20:18:12.000000000 +0200
@@ -1,3 +1,10 @@
+## Rails 6.0.3.3 (September 09, 2020) ##
+
+*   [CVE-2020-8185] Fix potential XSS vulnerability in the `translate`/`t` 
helper.
+
+    *Jonathan Hefner*
+
+
 ## Rails 6.0.3.2 (June 17, 2020) ##
 
 *   No changes.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_view/gem_version.rb 
new/lib/action_view/gem_version.rb
--- old/lib/action_view/gem_version.rb  2020-06-17 16:52:56.000000000 +0200
+++ new/lib/action_view/gem_version.rb  2020-09-09 20:18:12.000000000 +0200
@@ -10,7 +10,7 @@
     MAJOR = 6
     MINOR = 0
     TINY  = 3
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_view/helpers/translation_helper.rb 
new/lib/action_view/helpers/translation_helper.rb
--- old/lib/action_view/helpers/translation_helper.rb   2020-06-17 
16:52:56.000000000 +0200
+++ new/lib/action_view/helpers/translation_helper.rb   2020-09-09 
20:18:12.000000000 +0200
@@ -76,13 +76,20 @@
 
         if html_safe_translation_key?(key)
           html_safe_options = options.dup
+
           options.except(*I18n::RESERVED_KEYS).each do |name, value|
             unless name == :count && value.is_a?(Numeric)
               html_safe_options[name] = ERB::Util.html_escape(value.to_s)
             end
           end
+
+          html_safe_options[:default] = MISSING_TRANSLATION unless 
html_safe_options[:default].blank?
+
           translation = I18n.translate(scope_key_by_partial(key), 
**html_safe_options.merge(raise: i18n_raise))
-          if translation.respond_to?(:map)
+
+          if translation.equal?(MISSING_TRANSLATION)
+            options[:default].first
+          elsif translation.respond_to?(:map)
             translation.map { |element| element.respond_to?(:html_safe) ? 
element.html_safe : element }
           else
             translation.respond_to?(:html_safe) ? translation.html_safe : 
translation
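Review bot: `options[:default].first` in the new `MISSING_TRANSLATION` branch only works if `options[:default]` was already wrapped into an Array earlier in the method, which starts and ends outside this hunk. If a bare String ever reached this branch, ActiveSupport's `String#first` would silently return just its first character instead of raising, so a comment such as `# options[:default] is an Array here (wrapped earlier in this method)` would pin the assumption. A second comment should say that this branch appears to return the caller's default without `html_safe` on purpose, unlike the two branches below it, so the value is escaped on output like any ordinary string. Separately, the CVE id quoted in both changelog entries looks like it may belong to a different Rails advisory; confirm it against the upstream security announcement before using it for tracking.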
@@ -121,6 +128,9 @@
       alias :l :localize
 
       private
+        MISSING_TRANSLATION = Object.new
+        private_constant :MISSING_TRANSLATION
+
         def scope_key_by_partial(key)
           stringified_key = key.to_s
           if stringified_key.first == "."
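Review bot: `MISSING_TRANSLATION` has no comment explaining that it is a sentinel compared by identity (`translation.equal?(MISSING_TRANSLATION)` in the earlier hunk of this file); I would add `# Sentinel passed to I18n as :default so a missing key is detected by identity, never by value.` above it. The `private` keyword on the line above does not apply to constants, so `private_constant` is what actually hides it and must survive any later cleanup. The detection presumably relies on I18n handing back the default object itself rather than a copy. A regression test for an `_html` key whose default contains markup would guard that assumption.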
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2020-06-17 16:52:56.000000000 +0200
+++ new/metadata        2020-09-09 20:18:12.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-  version: 6.0.3.2
+  version: 6.0.3.3
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-17 00:00:00.000000000 Z
+date: 2020-09-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.2
+        version: 6.0.3.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.2
+        version: 6.0.3.3
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.2
+        version: 6.0.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.2
+        version: 6.0.3.3
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.2
+        version: 6.0.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.2
+        version: 6.0.3.3
 description: Simple, battle-tested conventions and helpers for building web 
pages.
 email: [email protected]
 executables: []
@@ -236,11 +236,11 @@
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: 
https://github.com/rails/rails/blob/v6.0.3.2/actionview/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.0.3.2/
+  changelog_uri: 
https://github.com/rails/rails/blob/v6.0.3.3/actionview/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.0.3.3/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.0.3.2/actionview
-post_install_message:
+  source_code_uri: https://github.com/rails/rails/tree/v6.0.3.3/actionview
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -257,7 +257,7 @@
 requirements:
 - none
 rubygems_version: 3.1.2
-signing_key:
+signing_key: 
 specification_version: 4
 summary: Rendering framework putting the V in MVC (part of Rails).
 test_files: []

