Hello community,

here is the log from the commit of package rubygem-actionpack-6.0 for 
openSUSE:Factory checked in at 2020-10-18 16:34:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-6.0 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.3486 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-actionpack-6.0"

Sun Oct 18 16:34:44 2020 rev:10 rq:842165 version:6.0.3.4

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-actionpack-6.0/rubygem-actionpack-6.0.changes
    2020-09-14 12:29:32.849145298 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-actionpack-6.0.new.3486/rubygem-actionpack-6.0.changes
  2020-10-18 16:34:56.192851737 +0200
@@ -1,0 +2,6 @@
+Fri Oct 16 15:10:25 UTC 2020 - Marcus Rueckert <mrueck...@suse.de>
+
+- update to version 6.0.3.4: CVE-2020-8264 (boo#1177521)
+  https://weblog.rubyonrails.org/2020/10/7/Rails-6-0-3-4-has-been-released/
+
+-------------------------------------------------------------------

Old:
----
  actionpack-6.0.3.3.gem

New:
----
  actionpack-6.0.3.4.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionpack-6.0.spec ++++++
--- /var/tmp/diff_new_pack.CDlAiv/_old  2020-10-18 16:34:57.048852118 +0200
+++ /var/tmp/diff_new_pack.CDlAiv/_new  2020-10-18 16:34:57.048852118 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-actionpack-6.0
-Version:        6.0.3.3
+Version:        6.0.3.4
 Release:        0
 %define mod_name actionpack
 %define mod_full_name %{mod_name}-%{version}

++++++ actionpack-6.0.3.3.gem -> actionpack-6.0.3.4.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2020-09-09 20:23:49.000000000 +0200
+++ new/CHANGELOG.md    2020-10-07 18:48:22.000000000 +0200
@@ -1,3 +1,8 @@
+## Rails 6.0.3.4 (October 07, 2020) ##
+
+*   [CVE-2020-8264] Prevent XSS in Actionable Exceptions
+
+
 ## Rails 6.0.3.3 (September 09, 2020) ##
 
 *   No changes.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/lib/action_dispatch/middleware/actionable_exceptions.rb 
new/lib/action_dispatch/middleware/actionable_exceptions.rb
--- old/lib/action_dispatch/middleware/actionable_exceptions.rb 2020-09-09 
20:23:49.000000000 +0200
+++ new/lib/action_dispatch/middleware/actionable_exceptions.rb 2020-10-07 
18:48:22.000000000 +0200
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "erb"
+require "uri"
 require "action_dispatch/http/request"
 require "active_support/actionable_error"
 
@@ -27,7 +28,13 @@
       end
 
       def redirect_to(location)
-        body = "<html><body>You are being <a 
href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
+        uri = URI.parse location
+
+        if uri.relative? || uri.scheme == "http" || uri.scheme == "https"
+          body = "<html><body>You are being <a 
href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
+        else
+          return [400, {"Content-Type" => "text/plain"}, ["Invalid redirection 
URI"]]
+        end
 
         [302, {
           "Content-Type" => "text/html; charset=#{Response.default_charset}",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_pack/gem_version.rb 
new/lib/action_pack/gem_version.rb
--- old/lib/action_pack/gem_version.rb  2020-09-09 20:23:49.000000000 +0200
+++ new/lib/action_pack/gem_version.rb  2020-10-07 18:48:22.000000000 +0200
@@ -10,7 +10,7 @@
     MAJOR = 6
     MINOR = 0
     TINY  = 3
-    PRE   = "3"
+    PRE   = "4"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2020-09-09 20:23:49.000000000 +0200
+++ new/metadata        2020-10-07 18:48:22.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.0.3.3
+  version: 6.0.3.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-09 00:00:00.000000000 Z
+date: 2020-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.3
+        version: 6.0.3.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.3
+        version: 6.0.3.4
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.3
+        version: 6.0.3.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.3
+        version: 6.0.3.4
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.3
+        version: 6.0.3.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.3
+        version: 6.0.3.4
 description: Web apps on Rails. Simple, battle-tested conventions for building 
and
   testing MVC web applications. Works with any Rack-compatible server.
 email: da...@loudthinking.com
@@ -310,11 +310,11 @@
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: 
https://github.com/rails/rails/blob/v6.0.3.3/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.0.3.3/
+  changelog_uri: 
https://github.com/rails/rails/blob/v6.0.3.4/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.0.3.4/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.0.3.3/actionpack
-post_install_message: 
+  source_code_uri: https://github.com/rails/rails/tree/v6.0.3.4/actionpack
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -330,8 +330,8 @@
       version: '0'
 requirements:
 - none
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of 
Rails).
 test_files: []


Reply via email to