Package: rails / 2.3.5-1.2+squeeze8

Metadata

Package   Version               Patches format
rails     2.3.5-1.2+squeeze8    3.0 (quilt)

Patch series

Patch File delta Description
debian changes 2.3.5 1

actionmailer/lib/action_mailer.rb | 2 1 + 1 - 0 !
actionmailer/lib/action_mailer/vendor/text_format.rb | 4 2 + 2 - 0 !
actionmailer/lib/action_mailer/vendor/tmail.rb | 4 2 + 2 - 0 !
actionpack/lib/action_controller.rb | 8 6 + 2 - 0 !
actionpack/test/abstract_unit.rb | 3 2 + 1 - 0 !
activemodel/test/test_helper.rb | 3 2 + 1 - 0 !
activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb | 2 1 + 1 - 0 !
activesupport/lib/active_support/vendor.rb | 11 10 + 1 - 0 !
rails | 3 3 + 0 - 0 !
railties/Rakefile | 2 1 + 1 - 0 !
railties/guides/rails_guides.rb | 14 7 + 7 - 0 !
railties/lib/commands/server.rb | 2 1 + 1 - 0 !
railties/lib/rails_generator/commands.rb | 11 11 + 0 - 0 !
railties/lib/rails_generator/generators/applications/app/app_generator.rb | 7 7 + 0 - 0 !
14 files changed, 56 insertions(+), 20 deletions(-)

 upstream changes introduced in version 2.3.5-1
 This patch has been created by dpkg-source during the package build.
 Here's the last changelog entry, hopefully it gives details on why
 those changes were made:
 .
 rails (2.3.5-1) unstable; urgency=low
 .
   * New upstream release (closes: #547658)
   * Package is now split up and non-core rails components, like AR, are on
     the ruby load path. (closes: #469524, #517328)
   * debian/control
     + Depend on rubygems.
     + Suggest thin or thin1.8 as a possible server to run your production
       environment on. This is particularly useful if it is already being
       proxied.
     + xml-simple is no longer used by rails
     + Updated Standard to 3.8.4
 .
 The person named in the Author field signed this changelog entry.
debian changes 2.3.5 1.1

railties/lib/rails_generator/generators/applications/app/app_generator.rb | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 upstream changes introduced in version 2.3.5-1.1
 This patch has been created by dpkg-source during the package build.
 Here's the last changelog entry, hopefully it gives details on why
 those changes were made:
 .
 rails (2.3.5-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Added missing build-dependencies for rails-ruby1.8 on libactionpack-
     ruby1.8, libactionmailer-ruby1.8 and libactiveresource-ruby1.8
     (Closes: #587048)
   * Fixed broken symlink to railties on new project generator (Closes:
     #583219)
 .
 The person named in the Author field signed this changelog entry.
debian changes 2.3.5 1.2

railties/lib/commands/server.rb | 2 1 + 1 - 0 !
railties/lib/initializer.rb | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 upstream changes introduced in version 2.3.5-1.2
 This patch has been created by dpkg-source during the package build.
 Here's the last changelog entry, hopefully it gives details on why
 those changes were made:
 .
 rails (2.3.5-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
 .
   [ Laurent Bigonville ]
   * Fix documentation about default listening address (Closes: #583149)
 .
   [ Gunnar Wolf ]
   * Modified a string that recommends the user to do Very Bad Things
     (Closes: #603048)
 .
 The person named in the Author field signed this changelog entry.
0001 Be sure to javascript_escape the email address to pr.patch

actionpack/lib/action_view/helpers/url_helper.rb | 3 2 + 1 - 0 !
actionpack/test/template/url_helper_test.rb | 8 4 + 4 - 0 !
2 files changed, 6 insertions(+), 5 deletions(-)

 [patch 1/2] be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors.

This fixes CVE-2011-0446

0002 Change the CSRF whitelisting to only apply to get re.patch

actionpack/lib/action_controller/request_forgery_protection.rb | 15 9 + 6 - 0 !
actionpack/lib/action_view/helpers.rb | 2 2 + 0 - 0 !
actionpack/lib/action_view/helpers/csrf_helper.rb | 14 14 + 0 - 0 !
actionpack/test/controller/request_forgery_protection_test.rb | 216 92 + 124 - 0 !
4 files changed, 117 insertions(+), 130 deletions(-)

 [patch 2/2] change the csrf whitelisting to only apply to get requests

Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447

CVE 2011 2930.patch

activerecord/lib/active_record/connection_adapters/mysql_adapter.rb | 2 1 + 1 - 0 !
activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb | 2 1 + 1 - 0 !
activerecord/test/cases/base_test.rb | 17 17 + 0 - 0 !
3 files changed, 19 insertions(+), 2 deletions(-)

---
CVE 2011 2931.patch

actionpack/lib/action_controller/vendor/html-scanner/html/node.rb | 2 1 + 1 - 0 !
actionpack/test/controller/html-scanner/sanitizer_test.rb | 7 7 + 0 - 0 !
2 files changed, 8 insertions(+), 1 deletion(-)

---
CVE 2011 3186.patch

actionpack/lib/action_controller/response.rb | 3 2 + 1 - 0 !
actionpack/test/controller/content_type_test.rb | 10 10 + 0 - 0 !
2 files changed, 12 insertions(+), 1 deletion(-)

---
CVE 2012 1099.patch

actionpack/lib/action_view/helpers/form_options_helper.rb | 5 3 + 2 - 0 !
actionpack/test/template/form_options_helper_test.rb | 9 8 + 1 - 0 !
2 files changed, 11 insertions(+), 3 deletions(-)

---
2 3 dynamic_finder_injection.patch

activerecord/lib/active_record/base.rb | 6 5 + 1 - 0 !
activerecord/test/cases/finder_test.rb | 12 12 + 0 - 0 !
2 files changed, 17 insertions(+), 1 deletion(-)

 [patch] cve-2012-5664 options hashes should only be extracted if
 there are extra parameters


CVE 2013 0156.patch

actionpack/test/controller/webservice_test.rb | 13 13 + 0 - 0 !
activesupport/lib/active_support/core_ext/hash/conversions.rb | 31 24 + 7 - 0 !
activesupport/test/core_ext/hash_ext_test.rb | 30 23 + 7 - 0 !
3 files changed, 60 insertions(+), 14 deletions(-)

 [patch] cve-2013-0156: safe xml params parsing. doesn't allow
 symbols or yaml.


CVE 2013 0155.patch

activerecord/lib/active_record/base.rb | 12 8 + 4 - 0 !
activerecord/test/cases/finder_test.rb | 16 16 + 0 - 0 !
2 files changed, 24 insertions(+), 4 deletions(-)

 fix for cve-2013-0155
 This includes the patch released in the updated announcement for CVE-2013-0155
 plus some previous changes that it requires.
 .
CVE 2013 0333.patch

activesupport/lib/active_support/json/backends/okjson.rb | 644 644 + 0 - 0 !
activesupport/lib/active_support/json/backends/yaml.rb | 68 1 + 67 - 0 !
activesupport/lib/active_support/json/decoding.rb | 5 4 + 1 - 0 !
activesupport/test/json/decoding_test.rb | 4 2 + 2 - 0 !
4 files changed, 651 insertions(+), 70 deletions(-)

 [patch] add an okjson backend and remove the yaml backend

Fixes CVE-2013-0333.  The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.

CVE 2013 0276.patch

activerecord/lib/active_record/attribute_methods.rb | 2 1 + 1 - 0 !
activerecord/lib/active_record/base.rb | 6 3 + 3 - 0 !
2 files changed, 4 insertions(+), 4 deletions(-)

 [patch] fixing attr_protected cve-2013-0276


CVE 2013 0277.patch

activerecord/lib/active_record/attribute_methods.rb | 17 16 + 1 - 0 !
activerecord/test/cases/base_test.rb | 6 6 + 0 - 0 !
2 files changed, 22 insertions(+), 1 deletion(-)

 [patch] fix serialization vulnerability


CVE 2013 1854.patch

activerecord/lib/active_record/base.rb | 2 1 + 1 - 0 !
activerecord/lib/active_record/reflection.rb | 2 1 + 1 - 0 !
activesupport/lib/active_support/core_ext/class/inheritable_attributes.rb | 5 5 + 0 - 0 !
3 files changed, 7 insertions(+), 2 deletions(-)

---
CVE 2013 1855.patch

actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 8 4 + 4 - 0 !
actionpack/test/controller/html-scanner/sanitizer_test.rb | 5 5 + 0 - 0 !
2 files changed, 9 insertions(+), 4 deletions(-)

---
CVE 2013 1857.patch

actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 8 4 + 4 - 0 !
actionpack/test/controller/html-scanner/sanitizer_test.rb | 14 14 + 0 - 0 !
2 files changed, 18 insertions(+), 4 deletions(-)

---
backport html_safe.patch

actionmailer/test/fixtures/helpers/example_helper.rb | 2 1 + 1 - 0 !
actionpack/lib/action_controller/caching/fragments.rb | 2 1 + 1 - 0 !
actionpack/lib/action_controller/rack_lint_patch.rb | 2 1 + 1 - 0 !
actionpack/lib/action_view.rb | 3 1 + 2 - 0 !
actionpack/lib/action_view/erb/util.rb | 44 0 + 44 - 0 !
actionpack/lib/action_view/helpers/active_record_helper.rb | 12 6 + 6 - 0 !
actionpack/lib/action_view/helpers/asset_tag_helper.rb | 4 2 + 2 - 0 !
actionpack/lib/action_view/helpers/capture_helper.rb | 4 2 + 2 - 0 !
actionpack/lib/action_view/helpers/date_helper.rb | 16 8 + 8 - 0 !
actionpack/lib/action_view/helpers/debug_helper.rb | 4 2 + 2 - 0 !
actionpack/lib/action_view/helpers/form_helper.rb | 4 2 + 2 - 0 !
actionpack/lib/action_view/helpers/form_options_helper.rb | 2 1 + 1 - 0 !
actionpack/lib/action_view/helpers/form_tag_helper.rb | 6 3 + 3 - 0 !
actionpack/lib/action_view/helpers/number_helper.rb | 2 1 + 1 - 0 !
actionpack/lib/action_view/helpers/prototype_helper.rb | 4 2 + 2 - 0 !
actionpack/lib/action_view/helpers/raw_output_helper.rb | 4 2 + 2 - 0 !
actionpack/lib/action_view/helpers/sanitize_helper.rb | 12 2 + 10 - 0 !
actionpack/lib/action_view/helpers/tag_helper.rb | 10 5 + 5 - 0 !
actionpack/lib/action_view/helpers/text_helper.rb | 2 1 + 1 - 0 !
actionpack/lib/action_view/helpers/translation_helper.rb | 4 2 + 2 - 0 !
actionpack/lib/action_view/helpers/url_helper.rb | 8 4 + 4 - 0 !
actionpack/lib/action_view/partials.rb | 2 1 + 1 - 0 !
actionpack/lib/action_view/safe_buffer.rb | 28 0 + 28 - 0 !
actionpack/lib/action_view/test_case.rb | 4 2 + 2 - 0 !
actionpack/test/controller/caching_test.rb | 4 2 + 2 - 0 !
actionpack/test/controller/output_escaping_test.rb | 19 19 + 0 - 0 !
actionpack/test/template/erb_util_test.rb | 12 12 + 0 - 0 !
actionpack/test/template/form_helper_test.rb | 2 1 + 1 - 0 !
actionpack/test/template/form_tag_helper_test.rb | 6 3 + 3 - 0 !
actionpack/test/template/text_helper_test.rb | 2 1 + 1 - 0 !
actionpack/test/view/safe_buffer_test.rb | 36 0 + 36 - 0 !
activesupport/lib/active_support.rb | 1 1 + 0 - 0 !
activesupport/lib/active_support/core_ext/string.rb | 1 0 + 1 - 0 !
activesupport/lib/active_support/core_ext/string/output_safety.rb | 161 117 + 44 - 0 !
activesupport/test/core_ext/string_ext_test.rb | 65 36 + 29 - 0 !
activesupport/test/safe_buffer_test.rb | 36 36 + 0 - 0 !
36 files changed, 280 insertions(+), 250 deletions(-)

---
CVE 2011 2932.patch

activesupport/lib/active_support/core_ext/string/output_safety.rb | 2 1 + 1 - 0 !
activesupport/test/core_ext/string_ext_test.rb | 7 7 + 0 - 0 !
2 files changed, 8 insertions(+), 1 deletion(-)

---
CVE 2012 3465.patch

actionpack/lib/action_view/helpers/sanitize_helper.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---