Hello community,

here is the log from the commit of package rubygem-actionpack-3_2.1539 for openSUSE:12.2:Update checked in at 2013-04-10 22:43:59

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/rubygem-actionpack-3_2.1539 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.rubygem-actionpack-3_2.1539.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-3_2.1539", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null	2013-04-05 00:01:41.916011506 +0200
+++ /work/SRC/openSUSE:12.2:Update/.rubygem-actionpack-3_2.1539.new/rubygem-actionpack-3_2.changes	2013-04-10 22:44:01.000000000 +0200
@@ -0,0 +1,157 @@ +------------------------------------------------------------------- +Tue Apr 2 13:39:10 CEST 2013 - jmassaguer...@suse.com + +- add 2 patches to fix security issues: + - bug-809935_3-2-css_sanitize.patch: + CVE-2013-1855: rubygem-actionpack*: XSS vulnerability in + sanitize_css in Action Pack (bnc#809935) + - bug-809940_3-2-sanitize_protocol.patch: + CVE-2013-1857: rubygem-actionpack*: XSS Vulnerability in the + `sanitize` helper of Ruby on Rails (bnc#809940) + +------------------------------------------------------------------- +Wed Feb 13 23:16:35 UTC 2013 - mrueck...@suse.de + +- update to version 3.2.12 (bnc#803336) CVE-2013-0276: + * Version bump + +------------------------------------------------------------------- +Thu Jan 17 17:48:20 UTC 2013 - mrueck...@suse.de + +- bump sprockets requires to 2.2.1 + +------------------------------------------------------------------- +Thu Jan 17 11:28:55 UTC 2013 - mrueck...@suse.de + +- update to 3.2.11 (bnc#796712, bnc#797449, bnc#797452) + * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] +- additional changes from 3.2.10, 3.2.9 and 3.2.8 + The list is too long. Please see + /usr/lib*/ruby/gems/1.*/gems/actionpack-3.2.11/CHANGELOG.md + +------------------------------------------------------------------- +Thu Aug 2 14:38:46 UTC 2012 - mrueck...@suse.de + +- update to 3.2.7 + - Do not convert digest auth strings to symbols. CVE-2012-3424 + - Bump Journey requirements to 1.0.4 + - Add support for optional root segments containing slashes + - Fixed bug creating invalid HTML in select options + - Show in log correct wrapped keys + - Fix NumberHelper options wrapping to prevent verbatim blocks + being rendered instead of line continuations. 
+ - ActionController::Metal doesn't have logger method, check it + and then delegate + - ActionController::Caching depends on RackDelegation and + AbstractController::Callbacks + - nil is removed from array parameter values CVE-2012-2694 + - Deprecate `:confirm` in favor of `':data => { :confirm => + "Text" }'` option for `button_to`, `button_tag`, + `image_submit_tag`, `link_to` and `submit_tag` helpers. + *Carlos Galdino* + - Allow to use mounted_helpers (helpers for accessing mounted + engines) in ActionView::TestCase. *Piotr Sarnacki* + - Include mounted_helpers (helpers for accessing mounted engines) + in ActionDispatch::IntegrationTest by default. *Piotr Sarnacki* + - Deprecate old APIs for highlight, excerpt and word_wrap *Jeremy + Walker* + - Deprecate `:disable_with` in favor of `'data-disable-with'` + option for `button_to`, `button_tag` and `submit_tag` helpers. + *Carlos Galdino + Rafael Mendonça França* + - Deprecate `:mouseover` option for `image_tag` helper. *Rafael + Mendonça França* + - Deprecate `button_to_function` and `link_to_function` helpers. + *Rafael Mendonça França* + - Don't break Haml with textarea newline fix. GH #393, #4000, + #5190, #5191 + - Fix options handling on labels. GH #2492, #5614 + - Added + config.action_view.embed_authenticity_token_in_remote_forms to + deal with regression from 16ee611fa + - Set rendered_format when doing render :inline. GH #5632 + - Fix the redirect when it receive blocks with arity of 1. Closes + #5677 + - Strip [nil] from parameters hash. Thanks to Ben Murphy for + reporting this! 
CVE-2012-2660 + +------------------------------------------------------------------- +Mon May 14 12:17:06 UTC 2012 - co...@suse.com + +- add generic provides + +------------------------------------------------------------------- +Mon Apr 23 09:03:39 UTC 2012 - sasc...@suse.de + +- Fix dependencies, (build)require actionpack-3_2, rack-cache-1_2 + and activesupport-3_2 directly (instead of unversioned packages) + +------------------------------------------------------------------- +Wed Apr 4 15:31:30 UTC 2012 - co...@suse.com + +- update to 3.2.3 + * Remove the leading \n added by textarea on assert_select. + *Santiago Pastorino* + * Fix #5632, render :inline set the proper rendered format. + *Santiago Pastorino* + * Fix textarea rendering when using plugins like HAML. Such + plugins encode the first newline character in the content. This + issue was introduced in + https://github.com/rails/rails/pull/5191 *James Coleman* + * Add + `config.action_view.embed_authenticity_token_in_remote_forms` + (defaults to true) which allows to set if authenticity token + will be included by default in remote forms. If you change it + to false, you can still force authenticity token by passing + `:authenticity_token => true` in form options *Piotr Sarnacki* + * Do not include the authenticity token in forms where remote: + true as ajax forms use the meta-tag value *DHH* + * Turn off verbose mode of rack-cache, we still have X-Rack-Cache + to check that info. Closes #5245. *Santiago Pastorino* + * Fix #5238, rendered_format is not set when template is not + rendered. *Piotr Sarnacki* + * Upgrade rack-cache to 1.2. *José Valim* + * ActionController::SessionManagement is deprecated. + *Santiago Pastorino* + * Since the router holds references to many parts of the system + like engines, controllers and the application itself, + inspecting the route set can actually be really slow, therefore + we default alias inspect to to_s. 
*José Valim* + * Add a new line after the textarea opening tag. Closes #393 + *Rafael Mendonça França* + * Always pass a respond block from to responder. We should let + the responder to decide what to do with the given overridden + response block, and not short circuit it. *sikachu* + * Fixes layout rendering regression from 3.2.2. *José Valim* + ## Rails 3.2.2 (March 1, 2012) ## + * Format lookup for partials is derived from the format in which + the template is being rendered. Closes #5025 part 2 *Santiago + Pastorino* + * Use the right format when a partial is missing. Closes #5025. + *Santiago Pastorino* + * Default responder will now always use your overridden block in + `respond_with` to render your response. *Prem Sichanugrist* + * check_box helper with :disabled => true will generate a + disabled hidden field to conform with the HTML convention where + disabled fields are not submitted with the form. This is a + behavior change, previously the hidden tag had a value of the + disabled checkbox. *Tadas Tamosauskas* + +------------------------------------------------------------------- +Fri Mar 23 10:43:18 UTC 2012 - sasc...@suse.de + +- Spec file cleanup: + * Factory preparation + +------------------------------------------------------------------- +Fri Jan 27 01:03:48 UTC 2012 - mrueck...@suse.de + +- update to 3.2.1 + * Documentation improvements. + * Allow `form.select` to accept ranges (regression). *Jeremy Walker* + * `datetime_select` works with -/+ infinity dates. 
*Joe Van Dyk* + +------------------------------------------------------------------- +Thu Jan 26 16:37:47 UTC 2012 - mrueck...@suse.de + +- initial package of the 3.2 branch +

New:
----
  actionpack-3.2.12.gem
  bug-809935_3-2-css_sanitize.patch
  bug-809940_3-2-sanitize_protocol.patch
  rubygem-actionpack-3_2.changes
  rubygem-actionpack-3_2.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionpack-3_2.spec ++++++
#
# spec file for package rubygem-actionpack-3_2
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

Name:           rubygem-actionpack-3_2
Version:        3.2.12
Release:        0
%define mod_name actionpack
%define mod_full_name %{mod_name}-%{version}
#
#
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  rubygems_with_buildroot_patch
%rubygems_requires
Requires:       ruby >= 1.8.7
BuildRequires:  ruby-devel >= 1.8.7
# activesupport = 3.2.12
BuildRequires:  rubygem-activesupport-3_2 = 3.2.12
Requires:       rubygem-activesupport-3_2 = 3.2.12
# activemodel = 3.2.12
BuildRequires:  rubygem-activemodel-3_2 = 3.2.12
Requires:       rubygem-activemodel-3_2 = 3.2.12
# rack-cache ~> 1.2
BuildRequires:  rubygem-rack-cache-1_2 >= 1.2
Requires:       rubygem-rack-cache-1_2 >= 1.2
# builder ~> 3.0.0
BuildRequires:  rubygem-builder-3_0 >= 3.0.0
Requires:       rubygem-builder-3_0 >= 3.0.0
# rack ~> 1.4.0
BuildRequires:  rubygem-rack-1_4 >= 1.4.5
Requires:       rubygem-rack-1_4 >= 1.4.5
# rack-test ~> 0.6.1
BuildRequires:  rubygem-rack-test-0_6 >= 0.6.1
Requires:       rubygem-rack-test-0_6 >= 0.6.1
# journey ~> 1.0.4
BuildRequires:  rubygem-journey-1_0 >= 1.0.4
Requires:       rubygem-journey-1_0 >= 1.0.4
# sprockets ~> 2.1.3
BuildRequires:  rubygem-sprockets-2_2 >= 2.2.1
Requires:       rubygem-sprockets-2_2 >= 2.2.1
# erubis ~> 2.7.0
BuildRequires:  rubygem-erubis-2_7 >= 2.7.0
Requires:       rubygem-erubis-2_7 >= 2.7.0
Provides:       rubygem-%{mod_name} = %{version}
Provides:       rubygem-%{mod_name}-3 = %{version}
#
Url:            http://www.rubyonrails.org
Source:         %{mod_full_name}.gem
Source1:        bug-809935_3-2-css_sanitize.patch
Source2:        bug-809940_3-2-sanitize_protocol.patch
#
Summary:        Web-flow and rendering framework putting the VC in MVC (part of Rails)
License:        MIT
Group:          Development/Languages/Ruby

%description
Web apps on Rails. Simple, battle-tested conventions for building and testing
MVC web applications. Works with any Rack-compatible server.
%package doc
Summary:        RDoc documentation for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description doc
Documentation generated at gem installation time.
Usually in RDoc and RI formats.

%prep

%build

%install
%gem_install %{S:0}
pushd %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version}
patch -p2 < %{S:1}
patch -p2 < %{S:2}
popd

%files
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/
%{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec

%files doc
%defattr(-,root,root,-)
%doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/

%changelog

++++++ bug-809935_3-2-css_sanitize.patch ++++++
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index af06bff..02eea58 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -110,8 +110,8 @@ module HTML style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ') # gauntlet - if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ || - style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/ + if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ || + style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/ return '' end @@ -122,7 +122,7 @@ module HTML elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) unless val.split().any? do |keyword| !allowed_css_keywords.include?(keyword) && - keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/ + keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ end clean << prop + ': ' + val + ';' end
++++++ bug-809940_3-2-sanitize_protocol.patch ++++++
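Review bot: the hunk at line 110 of sanitizer.rb swaps `^`/`$` for `\A`/`\z` in both gauntlet regexes, and that is the whole fix for bnc#809935: in Ruby `^` and `$` are line anchors, so a style value containing a newline only had to satisfy the pattern on one of its lines and the remaining lines went through unchecked, whereas `\A`/`\z` bind the entire string. The `$` that stays inside `(;|$)` is acceptable because the outer `\z` now bounds the string; please add a regression test with a multi-line style attribute so a later cleanup cannot quietly revert the anchors.

Review bot: the hunk at line 122 applies the same `\A`/`\z` change to the per-keyword regex; because `keyword` comes from `val.split()`, which splits on all whitespace including newlines, no keyword can contain a line break, so this hunk is a consistency change rather than a bypass fix. It is still worth keeping so that the two anchoring styles do not coexist in one method, but the commit message should say so rather than imply a second hole.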
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index 02eea58..994e115 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -66,7 +66,7 @@ module HTML # A regular expression of the valid characters used to separate protocols like # the ':' in 'http://foo.com' - self.protocol_separator = /:|(�*58)|(p)|(%|%)3A/ + self.protocol_separator = /:|(�*58)|(p)|(�*3a)|(%|%)3A/i # Specifies a Set of HTML attributes that can have URIs. self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc)) @@ -171,7 +171,7 @@ module HTML def contains_bad_protocols?(attr_name, value) uri_attributes.include?(attr_name) && - (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase)) + (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip)) end end end -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
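Review bot: the hunk at line 66 extends `protocol_separator` with a hex-entity alternative and the `/i` flag, so an entity-encoded colon and uppercase spellings such as `%3A` now split the scheme off like a literal `:`; as rendered in this mail, however, the entity alternatives appear as `�*58` and `�*3a`, which means the `&#` escapes were decoded by the mail rendering, so verify that the committed patch file carries the literal entity patterns and not replacement characters, otherwise the sanitizer would match nothing there.

Review bot: the hunk at line 171 keeps a second, hand-maintained copy of the separator pattern inline in `contains_bad_protocols?`, and this patch has to update it in lockstep with `protocol_separator` (same new alternative, same `/i`); that duplication is exactly how the two drifted apart before, so consider deriving the inline match from `protocol_separator` instead of repeating it. The added `.strip` after `.downcase` makes the allow-list lookup operate on the bare scheme; please cover it, the entity-encoded colon and the uppercase `%3A` case in the test suite, and note that the leading `(^[^\/:]*)` still uses the line anchor `^` while the css_sanitize patch moved to `\A`, which is worth aligning for consistency.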