Hello community,

here is the log from the commit of package rubygem-actionpack-6.0 for openSUSE:Factory checked in at 2020-10-18 16:34:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-6.0 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.3486 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-6.0" Sun Oct 18 16:34:44 2020 rev:10 rq:842165 version:6.0.3.4 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-actionpack-6.0/rubygem-actionpack-6.0.changes 2020-09-14 12:29:32.849145298 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.3486/rubygem-actionpack-6.0.changes 2020-10-18 16:34:56.192851737 +0200 @@ -1,0 +2,6 @@ +Fri Oct 16 15:10:25 UTC 2020 - Marcus Rueckert <mrueck...@suse.de> + +- update to version 6.0.3.4: CVE-2020-8264 (boo#1177521) + https://weblog.rubyonrails.org/2020/10/7/Rails-6-0-3-4-has-been-released/ + +------------------------------------------------------------------- Old: ---- actionpack-6.0.3.3.gem New: ---- actionpack-6.0.3.4.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-actionpack-6.0.spec ++++++ --- /var/tmp/diff_new_pack.CDlAiv/_old 2020-10-18 16:34:57.048852118 +0200 +++ /var/tmp/diff_new_pack.CDlAiv/_new 2020-10-18 16:34:57.048852118 +0200 @@ -24,7 +24,7 @@ # Name: rubygem-actionpack-6.0 -Version: 6.0.3.3 +Version: 6.0.3.4 Release: 0 %define mod_name actionpack %define mod_full_name %{mod_name}-%{version} ++++++ actionpack-6.0.3.3.gem -> actionpack-6.0.3.4.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2020-09-09 20:23:49.000000000 +0200 +++ new/CHANGELOG.md 2020-10-07 18:48:22.000000000 +0200 
@@ -1,3 +1,8 @@ +## Rails 6.0.3.4 (October 07, 2020) ## + +* [CVE-2020-8264] Prevent XSS in Actionable Exceptions + + ## Rails 6.0.3.3 (September 09, 2020) ## * No changes. Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_dispatch/middleware/actionable_exceptions.rb new/lib/action_dispatch/middleware/actionable_exceptions.rb --- old/lib/action_dispatch/middleware/actionable_exceptions.rb 2020-09-09 20:23:49.000000000 +0200 +++ new/lib/action_dispatch/middleware/actionable_exceptions.rb 2020-10-07 18:48:22.000000000 +0200 @@ -1,6 +1,7 @@ # frozen_string_literal: true require "erb" +require "uri" require "action_dispatch/http/request" require "active_support/actionable_error" @@ -27,7 +28,13 @@ end def redirect_to(location) - body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>" + uri = URI.parse location + + if uri.relative? || uri.scheme == "http" || uri.scheme == "https" + body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>" + else + return [400, {"Content-Type" => "text/plain"}, ["Invalid redirection URI"]] + end [302, { "Content-Type" => "text/html; charset=#{Response.default_charset}", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_pack/gem_version.rb new/lib/action_pack/gem_version.rb --- old/lib/action_pack/gem_version.rb 2020-09-09 20:23:49.000000000 +0200 +++ new/lib/action_pack/gem_version.rb 2020-10-07 18:48:22.000000000 +0200 
@@ -10,7 +10,7 @@ MAJOR = 6 MINOR = 0 TINY = 3 - PRE = "3" + PRE = "4" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2020-09-09 20:23:49.000000000 +0200 +++ new/metadata 2020-10-07 18:48:22.000000000 +0200 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: actionpack version: !ruby/object:Gem::Version - version: 6.0.3.3 + version: 6.0.3.4 platform: ruby authors: - David Heinemeier Hansson -autorequire: +autorequire: bindir: bin cert_chain: [] -date: 2020-09-09 00:00:00.000000000 Z +date: 2020-10-07 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: activesupport @@ -16,14 +16,14 @@ requirements: - - '=' - !ruby/object:Gem::Version - version: 6.0.3.3 + version: 6.0.3.4 type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 6.0.3.3 + version: 6.0.3.4 - !ruby/object:Gem::Dependency name: rack requirement: !ruby/object:Gem::Requirement @@ -98,28 +98,28 @@ requirements: - - '=' - !ruby/object:Gem::Version - version: 6.0.3.3 + version: 6.0.3.4 type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 6.0.3.3 + version: 6.0.3.4 - !ruby/object:Gem::Dependency name: activemodel requirement: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 6.0.3.3 + version: 6.0.3.4 type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 6.0.3.3 + version: 6.0.3.4 description: Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server. email: da...@loudthinking.com 
@@ -310,11 +310,11 @@ - MIT metadata: bug_tracker_uri: https://github.com/rails/rails/issues - changelog_uri: https://github.com/rails/rails/blob/v6.0.3.3/actionpack/CHANGELOG.md - documentation_uri: https://api.rubyonrails.org/v6.0.3.3/ + changelog_uri: https://github.com/rails/rails/blob/v6.0.3.4/actionpack/CHANGELOG.md + documentation_uri: https://api.rubyonrails.org/v6.0.3.4/ mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk - source_code_uri: https://github.com/rails/rails/tree/v6.0.3.3/actionpack -post_install_message: + source_code_uri: https://github.com/rails/rails/tree/v6.0.3.4/actionpack +post_install_message: rdoc_options: [] require_paths: - lib @@ -330,8 +330,8 @@ version: '0' requirements: - none -rubygems_version: 3.1.2 -signing_key: +rubygems_version: 3.1.4 +signing_key: specification_version: 4 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails). test_files: []
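Review bot: In the redirect_to hunk of lib/action_dispatch/middleware/actionable_exceptions.rb, `URI.parse location` runs on untrusted input with no rescue, so a location that is not a parseable URI raises URI::InvalidURIError out of the middleware instead of reaching the new `Invalid redirection URI` 400 branch; guard the parse (for example `uri = URI.parse(location) rescue nil`) and treat a nil result the same as an unsupported scheme. The allow-list itself does what the CVE fix needs, since a `javascript:` location is an absolute URI with a non-http(s) scheme and is now rejected before the anchor is interpolated, but `uri.relative?` is also true for a protocol-relative reference such as `//attacker.example/`, so this check does not constrain the redirect to the same site; if that is intended, also require `uri.host.nil?` on the relative branch. Minor: the 400 response hard-codes `text/plain` while the 302 branch appends `charset=#{Response.default_charset}`; use the same header shape for both.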
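Review bot: The CHANGELOG.md hunk records only `[CVE-2020-8264] Prevent XSS in Actionable Exceptions` and the .changes entry links the release blog post; neither states which input (the redirect location handed to the actionable-exceptions middleware, per the code hunk) was reflected or which version range is affected, which is what downstream auditors match against. Suggest adding a one-line pointer to the upstream advisory alongside the CVE id in the .changes entry so boo#1177521 can be closed against a concrete affected/fixed range.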
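Review bot: In the metadata hunks the `autorequire:`, `post_install_message:` and `signing_key:` lines differ only by a trailing space, which is repacking noise from the gem being built with `rubygems_version: 3.1.4` instead of 3.1.2 rather than a content change. Worth noting for supply-chain review: `cert_chain: []` together with the empty `signing_key:` means the gem is unsigned, so `checksums.yaml.gz` (shown only as "Binary files differ") is the sole integrity artifact in the archive and source verification for this update has to rest on the upstream release announcement referenced in the .changes entry.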