Package: rails | Debian Sources

Package: rails / 2:5.2.2.1+dfsg-1+deb10u3

Metadata

Package	Version	Patches format
rails	2:5.2.2.1+dfsg-1+deb10u3	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
0001 Be careful with that bundler.patch \| (download)	railties/lib/rails/generators/app_base.rb \| 5 2 + 3 - 0 ! 1 file changed, 2 insertions(+), 3 deletions(-)	be careful with that bundler
0002 disable uglify in activestorage rollup config js.patch \| (download)	activestorage/rollup.config.js \| 16 10 + 6 - 0 ! 1 file changed, 10 insertions(+), 6 deletions(-)	rollup-plugin-uglify is not packaged, hence disabling it.
CVE 2020 5267.patch \| (download)	actionview/lib/action_view/helpers/javascript_helper.rb \| 6 4 + 2 - 0 ! actionview/test/template/javascript_helper_test.rb \| 8 8 + 0 - 0 ! 2 files changed, 12 insertions(+), 2 deletions(-)	fix possible xss vector in js escape helper This commit escapes dollar signs and backticks to prevent JS XSS issues when using the `j` or `javascript_escape` helper
CVE 2020 8165.patch \| (download)	activesupport/lib/active_support/cache/mem_cache_store.rb \| 14 2 + 12 - 0 ! activesupport/lib/active_support/cache/redis_cache_store.rb \| 27 16 + 11 - 0 ! activesupport/test/cache/behaviors/cache_increment_decrement_behavior.rb \| 12 6 + 6 - 0 ! activesupport/test/cache/behaviors/cache_store_behavior.rb \| 6 3 + 3 - 0 ! activesupport/test/cache/behaviors/encoded_key_cache_behavior.rb \| 8 4 + 4 - 0 ! activesupport/test/cache/behaviors/local_cache_behavior.rb \| 10 5 + 5 - 0 ! activesupport/test/cache/stores/mem_cache_store_test.rb \| 4 2 + 2 - 0 ! activesupport/test/cache/stores/redis_cache_store_test.rb \| 3 2 + 1 - 0 ! 8 files changed, 40 insertions(+), 44 deletions(-)	[patch] activesupport: deprecate marshal.load on raw cache read in RedisCacheStore
CVE 2020 8162.patch \| (download)	activestorage/lib/active_storage/service/s3_service.rb \| 3 2 + 1 - 0 ! activestorage/test/service/s3_service_test.rb \| 23 23 + 0 - 0 ! 2 files changed, 25 insertions(+), 1 deletion(-)	[patch] include content-length in signature for activestorage direct upload [CVE-2020-8162]
CVE 2020 8164.patch \| (download)	actionpack/lib/action_controller/metal/strong_parameters.rb \| 2 2 + 0 - 0 ! actionpack/test/controller/parameters/accessors_test.rb \| 8 8 + 0 - 0 ! 2 files changed, 10 insertions(+)	[patch] return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash [CVE-2020-8164]
CVE 2020 8166.patch \| (download)	actionpack/lib/action_controller/metal/request_forgery_protection.rb \| 33 29 + 4 - 0 ! actionpack/test/controller/request_forgery_protection_test.rb \| 33 33 + 0 - 0 ! 2 files changed, 62 insertions(+), 4 deletions(-)	[patch] hmac raw csrf token before masking it, so it cannot be used to reconstruct a per-form token [CVE-2020-8166]
CVE 2020 8167.patch \| (download)	actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee \| 7 4 + 3 - 0 ! 1 file changed, 4 insertions(+), 3 deletions(-)	[patch] check that request is same-origin prior to including csrf token in XHRs [CVE-2020-8167]
CVE 2020 15169.patch \| (download)	actionview/lib/action_view/helpers/translation_helper.rb \| 13 12 + 1 - 0 ! actionview/test/template/translation_helper_test.rb \| 7 7 + 0 - 0 ! 2 files changed, 19 insertions(+), 1 deletion(-)	[patch] fix xss vulnerability in `translate` helper Prior to this commit, when a translation key indicated that the translation text was HTML, the value returned by `I18n.translate` would always be marked as `html_safe`. However, the value returned by `I18n.translate` could be an untrusted value directly from `options[:default]`. This commit ensures values directly from `options[:default]` are not marked as `html_safe`.
CVE 2021 22904.patch \| (download)	actionpack/lib/action_controller/metal/http_authentication.rb \| 2 1 + 1 - 0 ! actionpack/test/controller/http_token_authentication_test.rb \| 10 10 + 0 - 0 ! 2 files changed, 11 insertions(+), 1 deletion(-)	[patch] prevent slow regex when parsing host authorization header The old regex could take too long when parsing an authorization header, and this could potentially cause a DoS vulnerability [CVE-2021-22904]
CVE 2021 22885.patch \| (download)	actionpack/lib/action_dispatch/routing/polymorphic_routes.rb \| 12 8 + 4 - 0 ! actionpack/test/controller/redirect_test.rb \| 45 45 + 0 - 0 ! actionview/test/activerecord/polymorphic_routes_test.rb \| 22 16 + 6 - 0 ! 3 files changed, 69 insertions(+), 10 deletions(-)	[patch] prevent string polymorphic route arguments url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If an array is passed, strings can result in unwanted route helper calls. CVE-2021-22885
CVE 2021 22880.patch \| (download)	activerecord/lib/active_record/connection_adapters/postgresql/oid/money.rb \| 4 2 + 2 - 0 ! activerecord/test/cases/adapters/postgresql/money_test.rb \| 12 12 + 0 - 0 ! 2 files changed, 14 insertions(+), 2 deletions(-)	[patch] make currency symbols optional for money column type in PostgreSQL

1