Branches for Natty

Name Status Last Modified Last Commit
lp:ubuntu/natty/rails bug 2 Mature 2011-03-16 02:07:11 UTC
13. debian/patches/cdata-and-white-space-...

Author: Dave Walker
Revision Date: 2011-03-16 01:03:12 UTC

debian/patches/cdata-and-white-space-handling.patch: Handle CDATA and
improve white space handling, fixing a Segmentation Fault in some
circumstances. Patch based on subset of upstream commit range.
(LP: #670571)

lp:ubuntu/natty-security/rails bug 2 Mature 2011-10-12 20:19:37 UTC
14. * SECURITY UPDATE: multiple cross-sit...

Author: Felix Geyer
Revision Date: 2011-10-12 20:05:02 UTC

* SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
  the mail_to helper
  - Add 0001-Be-sure-to-javascript_escape-the-email-address-to-pr.patch
    from Debian and fix Debian bug #629067 by replacing .html_safe with
    html_escape()
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
  - CVE-2011-0446
  - LP: #870846
* SECURITY UPDATE: rails does not properly validate HTTP requests that
  contain an X-Requested-With header
  - Add 0002-Change-the-CSRF-whitelisting-to-only-apply-to-get-re.patch
    from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
  - CVE-2011-0447
* SECURITY UPDATE: multiple SQL injection vulnerabilities in the
  quote_table_name method in the ActiveRecord adapters
  - Add CVE-2011-2930.patch from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
  - CVE-2011-2930
* SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
  strip_tags helper
  - Add CVE-2011-2931.patch from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
  - CVE-2011-2931
* SECURITY UPDATE: cross-site scripting vulnerability which allows remote
  attackers to inject arbitrary web script or HTML via a malformed Unicode string
  - Add CVE-2011-2932.patch, backported from upstream
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
  - CVE-2011-2932
* SECURITY UPDATE: response splitting vulnerability
  - Add CVE-2011-3186.patch from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
  - CVE-2011-3186

lp:ubuntu/natty-updates/rails 2 Mature 2011-10-12 21:04:58 UTC
14. * SECURITY UPDATE: multiple cross-sit...

Author: Felix Geyer
Revision Date: 2011-10-12 20:05:02 UTC

* SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
  the mail_to helper
  - Add 0001-Be-sure-to-javascript_escape-the-email-address-to-pr.patch
    from Debian and fix Debian bug #629067 by replacing .html_safe with
    html_escape()
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
  - CVE-2011-0446
  - LP: #870846
* SECURITY UPDATE: rails does not properly validate HTTP requests that
  contain an X-Requested-With header
  - Add 0002-Change-the-CSRF-whitelisting-to-only-apply-to-get-re.patch
    from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
  - CVE-2011-0447
* SECURITY UPDATE: multiple SQL injection vulnerabilities in the
  quote_table_name method in the ActiveRecord adapters
  - Add CVE-2011-2930.patch from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
  - CVE-2011-2930
* SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
  strip_tags helper
  - Add CVE-2011-2931.patch from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
  - CVE-2011-2931
* SECURITY UPDATE: cross-site scripting vulnerability which allows remote
  attackers to inject arbitrary web script or HTML via a malformed Unicode string
  - Add CVE-2011-2932.patch, backported from upstream
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
  - CVE-2011-2932
* SECURITY UPDATE: response splitting vulnerability
  - Add CVE-2011-3186.patch from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
  - CVE-2011-3186

lp:~ubuntu-branches/ubuntu/natty/rails/natty-201103160312 1 Development 2011-03-16 03:13:17 UTC This branch is empty.
lp:~ubuntu-branches/ubuntu/natty/rails/natty-201103250240 (Has a merge proposal) 1 Development 2011-03-25 02:40:17 UTC
13. debian/patches/cdata-and-white-space-...

Author: Dave Walker
Revision Date: 2011-03-16 02:02:48 UTC

debian/patches/cdata-and-white-space-handling.patch: Handle CDATA and
improve white space handling, fixing a Segmentation Fault in some
circumstances. Patch based on subset of upstream commit range.
(LP: #670571)

1-5 of 5 results