Hello community,
here is the log from the commit of package rubygem-actionview-4_2 for
openSUSE:Factory checked in at 2016-03-07 13:27:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionview-4_2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-actionview-4_2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionview-4_2"
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-actionview-4_2/rubygem-actionview-4_2.changes
2016-03-01 09:41:50.000000000 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-actionview-4_2.new/rubygem-actionview-4_2.changes
2016-03-07 13:27:56.000000000 +0100
@@ -1,0 +2,22 @@
+Tue Mar 1 05:31:26 UTC 2016 - [email protected]
+
+- updated to version 4.2.5.2
+ see installed CHANGELOG.md
+
+ ## Rails 4.2.5.2 (February 26, 2016) ##
+
+ * Do not allow render with unpermitted parameter.
+
+ Fixes CVE-2016-2098.
+
+ *Arthur Neves*
+
+
+ ## Rails 4.2.5.1 (January 25, 2015) ##
+
+ * Adds boolean argument outside_app_allowed to
`ActionView::Resolver#find_templates`
+ method.
+
+ *Aaron Patterson*
+
+-------------------------------------------------------------------
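Review bot: the security fix is only visible inside the pasted upstream changelog ("Fixes CVE-2016-2098."), not on the package's own summary line "- updated to version 4.2.5.2". Putting the CVE id on that first bullet would let anyone scanning the .changes file for security updates find it without reading the quoted upstream text. The entry also re-pastes the 4.2.5.1 section; if the previous .changes entry already carried it, it can be dropped here.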
Old:
----
actionview-4.2.5.1.gem
New:
----
actionview-4.2.5.2.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-actionview-4_2.spec ++++++
--- /var/tmp/diff_new_pack.mH8KYa/_old 2016-03-07 13:27:57.000000000 +0100
+++ /var/tmp/diff_new_pack.mH8KYa/_new 2016-03-07 13:27:57.000000000 +0100
@@ -24,7 +24,7 @@
#
Name: rubygem-actionview-4_2
-Version: 4.2.5.1
+Version: 4.2.5.2
Release: 0
%define mod_name actionview
%define mod_full_name %{mod_name}-%{version}
++++++ actionview-4.2.5.1.gem -> actionview-4.2.5.2.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2016-01-25 19:25:06.000000000 +0100
+++ new/CHANGELOG.md 2016-02-29 20:16:10.000000000 +0100
@@ -1,3 +1,20 @@
+## Rails 4.2.5.2 (February 26, 2016) ##
+
+* Do not allow render with unpermitted parameter.
+
+ Fixes CVE-2016-2098.
+
+ *Arthur Neves*
+
+
+## Rails 4.2.5.1 (January 25, 2015) ##
+
+* Adds boolean argument outside_app_allowed to
`ActionView::Resolver#find_templates`
+ method.
+
+ *Aaron Patterson*
+
+
## Rails 4.2.5 (November 12, 2015) ##
* Fix `mail_to` when called with `nil` as argument.
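Review bot: the heading "## Rails 4.2.5.1 (January 25, 2015) ##" carries a year that does not match the rest of this diff: old/CHANGELOG.md is timestamped 2016-01-25 and the old gem metadata has "date: 2016-01-25". The year looks like a typo for 2016 and is worth reporting upstream, since changelog dates are used to judge how long a fix has been available. The 4.2.5.1 entry also describes the new outside_app_allowed argument without saying what it guards against or naming an advisory, unlike the 4.2.5.2 entry.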
Files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_view/gem_version.rb
new/lib/action_view/gem_version.rb
--- old/lib/action_view/gem_version.rb 2016-01-25 19:25:06.000000000 +0100
+++ new/lib/action_view/gem_version.rb 2016-02-29 20:16:10.000000000 +0100
@@ -8,7 +8,7 @@
MAJOR = 4
MINOR = 2
TINY = 5
- PRE = "1"
+ PRE = "2"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_view/renderer/renderer.rb
new/lib/action_view/renderer/renderer.rb
--- old/lib/action_view/renderer/renderer.rb 2016-01-25 19:25:06.000000000
+0100
+++ new/lib/action_view/renderer/renderer.rb 2016-02-29 20:16:10.000000000
+0100
@@ -17,6 +17,10 @@
# Main render entry point shared by AV and AC.
def render(context, options)
+ if options.respond_to?(:permitted?) && !options.permitted?
+ raise ArgumentError, "render parameters are not permitted"
+ end
+
if options.key?(:partial)
render_partial(context, options)
else
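Review bot: the new guard at the top of render only fires when options itself responds to permitted?, so it deserves a comment stating what it does not cover. Any object without that method, such as a plain Hash, takes the old path unchanged, and values nested under keys like :partial are not inspected, so callers still have to keep request-controlled values out of render arguments. The message "render parameters are not permitted" could also name the remedy (permit the keys explicitly, or pass a literal template name), and no test for the new branch is visible in this diff.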
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_view/template/resolver.rb
new/lib/action_view/template/resolver.rb
--- old/lib/action_view/template/resolver.rb 2016-01-25 19:25:06.000000000
+0100
+++ new/lib/action_view/template/resolver.rb 2016-02-29 20:16:10.000000000
+0100
@@ -130,8 +130,8 @@
# This is what child classes implement. No defaults are needed
# because Resolver guarantees that the arguments are present and
# normalized.
- def find_templates(name, prefix, partial, details)
- raise NotImplementedError, "Subclasses must implement a
find_templates(name, prefix, partial, details) method"
+ def find_templates(name, prefix, partial, details, outside_app_allowed)
+ raise NotImplementedError, "Subclasses must implement a
find_templates(name, prefix, partial, details, outside_app_allowed) method"
end
# Helpers that builds a path. Useful for building virtual paths.
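Review bot: find_templates gains outside_app_allowed as a required fifth positional parameter with no default, in a patch-level release. Any third-party resolver subclass that still defines the four-argument form will raise ArgumentError once it is called with five arguments. The comment above the method ("No defaults are needed because Resolver guarantees that the arguments are present and normalized") is unchanged and does not say what outside_app_allowed means or which value is the safe one; a line documenting that would help subclass authors.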
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2016-01-25 19:25:06.000000000 +0100
+++ new/metadata 2016-02-29 20:16:10.000000000 +0100
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: actionview
version: !ruby/object:Gem::Version
- version: 4.2.5.1
+ version: 4.2.5.2
platform: ruby
authors:
- David Heinemeier Hansson
autorequire:
bindir: bin
cert_chain: []
-date: 2016-01-25 00:00:00.000000000 Z
+date: 2016-02-29 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: activesupport
@@ -16,14 +16,14 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 4.2.5.1
+ version: 4.2.5.2
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 4.2.5.1
+ version: 4.2.5.2
- !ruby/object:Gem::Dependency
name: builder
requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 4.2.5.1
+ version: 4.2.5.2
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 4.2.5.1
+ version: 4.2.5.2
- !ruby/object:Gem::Dependency
name: activemodel
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 4.2.5.1
+ version: 4.2.5.2
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 4.2.5.1
+ version: 4.2.5.2
description: Simple, battle-tested conventions and helpers for building web
pages.
email: [email protected]
executables: []