Package: rails / 2:4.1.8-1+deb8u4

Metadata

Package: rails
Version: 2:4.1.8-1+deb8u4
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
be carefull with that bundler.patch | (download)

railties/lib/rails/generators/app_base.rb | 6 2 + 4 - 0 !
1 file changed, 2 insertions(+), 4 deletions(-)

 be careful with that bundler
 On Debian, Rails must preferably use Debian packages, while not stopping
 users from getting stuff from Rubygems if they want.
 .
 This way, when creating a new application, we run `bundle install --local`
 instead of `bundle install`, to make sure bundler does not download anything
 from Rubygems. That's not because I don't like Rubygems, but because
 everything the user will need to run this new app (sqlite3, sass-rails,
 coffee-rails) is already installed by means of Debian packages. If the user
 does want to use Rubygems packages after that, she will just edit the Gemfile,
 run `bundle install`, and bundler will do its thing as usual.
 .
 This patch is most probably Debian-specific.
CVE 2015 3226.patch | (download)

activesupport/lib/active_support/json/encoding.rb | 4 4 + 0 - 0 !
activesupport/test/json/encoding_test.rb | 7 7 + 0 - 0 !
2 files changed, 11 insertions(+)

 [patch] escape html entities in json keys

Fixes CVE-2015-3226

CVE 2015 3227.patch | (download)

activesupport/lib/active_support/xml_mini.rb | 3 3 + 0 - 0 !
activesupport/lib/active_support/xml_mini/jdom.rb | 11 6 + 5 - 0 !
activesupport/lib/active_support/xml_mini/rexml.rb | 11 6 + 5 - 0 !
3 files changed, 15 insertions(+), 10 deletions(-)

 [patch] enforce a depth limit on xml documents

XML documents that are too deep can cause a stack overflow, which in
turn will cause a potential DoS attack.

CVE-2015-3227

CVE 2015 7576.patch | (download)

actionpack/lib/action_controller/metal/http_authentication.rb | 7 6 + 1 - 0 !
activesupport/lib/active_support/security_utils.rb | 27 27 + 0 - 0 !
2 files changed, 33 insertions(+), 1 deletion(-)

 [patch] use secure string comparisons for basic auth username /
 password

this will avoid timing attacks against applications that use basic auth.

Conflicts:
	activesupport/lib/active_support/security_utils.rb

CVE-2015-7576

CVE 2015 7577.patch | (download)

activerecord/lib/active_record/nested_attributes.rb | 14 12 + 2 - 0 !
activerecord/test/cases/nested_attributes_test.rb | 13 13 + 0 - 0 !
2 files changed, 25 insertions(+), 2 deletions(-)

 [patch] don't short-circuit reject_if proc

When updating an associated record via nested attribute hashes the
reject_if proc could be bypassed if the _destroy flag was set in the
attribute hash and allow_destroy was set to false.

The fix is to only short-circuit if the _destroy flag is set and the
option allow_destroy is set to true. It also fixes an issue where
a new record wasn't created if _destroy was set and the option
allow_destroy was set to false.

CVE-2015-7577

CVE 2015 7581.patch | (download)

actionpack/lib/action_dispatch/routing/route_set.rb | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

 [patch] remove unnecessary caching

`ActiveSupport::Dependencies.constantize(const_name)` calls
`Reference.new` which is defined as
`ActiveSupport::Dependencies.constantize(const_name)` meaning this call
is already cached and we're doing caching that isn't necessary.

Conflicts:
	actionpack/lib/action_dispatch/routing/route_set.rb

Conflicts:
	actionpack/lib/action_dispatch/routing/route_set.rb

CVE-2015-7581

CVE 2016 0751.patch | (download)

actionpack/lib/action_dispatch/http/mime_type.rb | 18 16 + 2 - 0 !
1 file changed, 16 insertions(+), 2 deletions(-)

 [patch] stop caching mime types globally

Unknown mime types should not be cached globally.  This global cache
leads to a memory leak and a denial of service vulnerability.

CVE-2016-0751

CVE 2016 0752.patch | (download)

actionpack/lib/abstract_controller/rendering.rb | 8 7 + 1 - 0 !
actionpack/test/controller/render_test.rb | 31 31 + 0 - 0 !
actionview/lib/action_view/lookup_context.rb | 4 4 + 0 - 0 !
actionview/lib/action_view/path_set.rb | 26 19 + 7 - 0 !
actionview/lib/action_view/renderer/abstract_renderer.rb | 2 1 + 1 - 0 !
actionview/lib/action_view/renderer/template_renderer.rb | 2 1 + 1 - 0 !
actionview/lib/action_view/template/resolver.rb | 25 21 + 4 - 0 !
actionview/lib/action_view/testing/resolvers.rb | 4 2 + 2 - 0 !
actionview/test/template/render_test.rb | 7 7 + 0 - 0 !
9 files changed, 93 insertions(+), 16 deletions(-)

 [patch] allow :file to be outside rails root, but anything else must
 be inside the rails view directory

Conflicts:
	actionpack/test/controller/render_test.rb
	actionview/lib/action_view/template/resolver.rb

CVE-2016-0752

CVE 2016 0753.patch | (download)

activemodel/lib/active_model/serializers/json.rb | 2 1 + 1 - 0 !
activemodel/lib/active_model/validations.rb | 3 2 + 1 - 0 !
activerecord/lib/active_record/enum.rb | 2 1 + 1 - 0 !
activerecord/lib/active_record/reflection.rb | 4 2 + 2 - 0 !
activesupport/lib/active_support/callbacks.rb | 2 1 + 1 - 0 !
5 files changed, 7 insertions(+), 6 deletions(-)

 [patch] eliminate instance level writers for class accessors

Instance level writers can have an impact on how the Active Model /
Record objects are saved.  Specifically, they can be used to bypass
validations.  This is a problem if mass assignment protection is
disabled and specific attributes are passed to the constructor.

Conflicts:
	activerecord/lib/active_record/scoping/default.rb
	activesupport/lib/active_support/callbacks.rb

CVE-2016-0753

CVE 2016 2097.patch | (download)

actionpack/test/controller/new_base/render_file_test.rb | 29 0 + 29 - 0 !
actionpack/test/controller/new_base/render_template_test.rb | 9 9 + 0 - 0 !
actionpack/test/controller/render_test.rb | 17 17 + 0 - 0 !
actionview/lib/action_view/rendering.rb | 4 2 + 2 - 0 !
actionview/test/actionpack/controller/render_test.rb | 23 5 + 18 - 0 !
5 files changed, 33 insertions(+), 49 deletions(-)

 [patch 1/2] change render "foo" to render a template and not a file.

Previously, calling `render "foo/bar"` in a controller action is
equivalent to `render file: "foo/bar"`. This has been changed to
mean `render template: "foo/bar"` instead. If you need to render a
file, please change your code to use the explicit form
(`render file: "foo/bar"`) instead.

Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.

Fix CVE-2016-2097.

CVE 2016 2098.patch | (download)

actionpack/test/controller/render_test.rb | 24 23 + 1 - 0 !
actionview/lib/action_view/renderer/renderer.rb | 4 4 + 0 - 0 !
actionview/test/template/render_test.rb | 19 19 + 0 - 0 !
3 files changed, 46 insertions(+), 1 deletion(-)

 [patch 2/2] don't allow render(params) on views.

If `render(params)` is called in a view it should be protected the same
 way it is in the controllers. We should raise an error if that happens.

Fix CVE-2016-2098.

CVE 2016 6316.patch | (download)

actionview/lib/action_view/helpers/tag_helper.rb | 2 1 + 1 - 0 !
actionview/test/template/tag_helper_test.rb | 10 10 + 0 - 0 !
2 files changed, 11 insertions(+), 1 deletion(-)

 ensure tag/content_tag escapes " in attribute vals

Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`

CVE-2016-6316