Package: rails / 2:4.1.8-1+deb8u4
Metadata

Package | Version | Patches format
---|---|---
rails | 2:4.1.8-1+deb8u4 | 3.0 (quilt)
Patch series

Patch | File | Delta (lines: added + / removed - / modified !) | Description
---|---|---|---
be carefull with that bundler.patch | railties/lib/rails/generators/app_base.rb | 6: 2+ 4- 0! | be careful with that bundler. On Debian, Rails must preferably use Debian packages, while not stopping users from getting stuff from Rubygems if they want. This way, when creating a new application, we run `bundle install --local` instead of `bundle install`, to make sure bundler does not download anything from Rubygems. That's not because I don't like Rubygems, but because everything the user will need to run this new app (sqlite3, sass-rails, coffee-rails) is already installed by means of Debian packages. If the user does want to use Rubygems packages after that, she will just edit the Gemfile, run `bundle install`, and bundler will do its thing as usual. This patch is most probably Debian-specific.
CVE 2015 3226.patch | activesupport/lib/active_support/json/encoding.rb | 4: 4+ 0- 0! | [patch] escape html entities in json keys. Fixes CVE-2015-3226.
CVE 2015 3227.patch | activesupport/lib/active_support/xml_mini.rb | 3: 3+ 0- 0! | [patch] enforce a depth limit on xml documents. XML documents that are too deep can cause a stack overflow, which in turn will cause a potential DoS attack. CVE-2015-3227
CVE 2015 7576.patch | actionpack/lib/action_controller/metal/http_authentication.rb | 7: 6+ 1- 0! | [patch] use secure string comparisons for basic auth username / password. This will avoid timing attacks against applications that use basic auth. Conflicts: activesupport/lib/active_support/security_utils.rb. CVE-2015-7576
CVE 2015 7577.patch | activerecord/lib/active_record/nested_attributes.rb | 14: 12+ 2- 0! | [patch] don't short-circuit reject_if proc. When updating an associated record via nested attribute hashes the reject_if proc could be bypassed if the _destroy flag was set in the attribute hash and allow_destroy was set to false. The fix is to only short-circuit if the _destroy flag is set and the option allow_destroy is set to true. It also fixes an issue where a new record wasn't created if _destroy was set and the option allow_destroy was set to false. CVE-2015-7577
CVE 2015 7581.patch | actionpack/lib/action_dispatch/routing/route_set.rb | 4: 1+ 3- 0! | [patch] remove unnecessary caching. `ActiveSupport::Dependencies.constantize(const_name)` calls `Reference.new` which is defined as `ActiveSupport::Dependencies.constantize(const_name)`, meaning this call is already cached and we're doing caching that isn't necessary. Conflicts: actionpack/lib/action_dispatch/routing/route_set.rb. CVE-2015-7581
CVE 2016 0751.patch | actionpack/lib/action_dispatch/http/mime_type.rb | 18: 16+ 2- 0! | [patch] stop caching mime types globally. Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability. CVE-2016-0751
CVE 2016 0752.patch | actionpack/lib/abstract_controller/rendering.rb | 8: 7+ 1- 0! | [patch] allow :file to be outside rails root, but anything else must be inside the rails view directory. Conflicts: actionpack/test/controller/render_test.rb, actionview/lib/action_view/template/resolver.rb. CVE-2016-0752
CVE 2016 0753.patch | activemodel/lib/active_model/serializers/json.rb | 2: 1+ 1- 0! | [patch] eliminate instance level writers for class accessors. Instance level writers can have an impact on how the Active Model / Record objects are saved. Specifically, they can be used to bypass validations. This is a problem if mass assignment protection is disabled and specific attributes are passed to the constructor. Conflicts: activerecord/lib/active_record/scoping/default.rb, activesupport/lib/active_support/callbacks.rb. CVE-2016-0753
CVE 2016 2097.patch | actionpack/test/controller/new_base/render_file_test.rb | 29: 0+ 29- 0! | [patch 1/2] change render "foo" to render a template and not a file. Previously, calling `render "foo/bar"` in a controller action was equivalent to `render file: "foo/bar"`. This has been changed to mean `render template: "foo/bar"` instead. If you need to render a file, please change your code to use the explicit form (`render file: "foo/bar"`) instead. Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`. Fix CVE-2016-2097.
CVE 2016 2098.patch | actionpack/test/controller/render_test.rb | 24: 23+ 1- 0! | [patch 2/2] don't allow render(params) on views. If `render(params)` is called in a view it should be protected the same way it is in the controllers. We should raise an error if that happens. Fix CVE-2016-2098.
CVE 2016 6316.patch | actionview/lib/action_view/helpers/tag_helper.rb | 2: 1+ 1- 0! | ensure tag/content_tag escapes " in attribute vals. Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`. CVE-2016-6316