lp:ubuntu/maverick-security/rails
- Get this branch:
- bzr branch lp:ubuntu/maverick-security/rails
Recent revisions
- 12. By Felix Geyer
  * SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
    the mail_to helper
    - Add 0001-Be-sure-to-javascript_escape-the-email-address-to-pr.patch
      from Debian and fix Debian bug #629067 by replacing .html_safe with
      html_escape()
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
    - CVE-2011-0446
    - LP: #870846
  * SECURITY UPDATE: rails does not properly validate HTTP requests that
    contain an X-Requested-With header
    - Add 0002-Change-the-CSRF-whitelisting-to-only-apply-to-get-re.patch
      from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
    - CVE-2011-0447
  * SECURITY UPDATE: multiple SQL injection vulnerabilities in the
    quote_table_name method in the ActiveRecord adapters
    - Add CVE-2011-2930.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
    - CVE-2011-2930
  * SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
    strip_tags helper
    - Add CVE-2011-2931.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
    - CVE-2011-2931
  * SECURITY UPDATE: cross-site scripting vulnerability which allows remote
    attackers to inject arbitrary web script or HTML via a malformed Unicode string
    - Add CVE-2011-2932.patch, backported from upstream
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
    - CVE-2011-2932
  * SECURITY UPDATE: response splitting vulnerability
    - Add CVE-2011-3186.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
    - CVE-2011-3186

- 11. By Gunnar Wolf
  * Non-maintainer upload.
  * Added missing build-dependencies for rails-ruby1.8 on libactionpack-ruby1.8,
    libactionmailer-ruby1.8 and libactiveresource-ruby1.8
    (Closes: #587048)
  * Fixed broken symlink to railties on new project generator (Closes:
    #583219)

- 10. By Adam Majer
  * New upstream release (closes: #547658)
  * Package is now split up and non-core rails components, like AR, are on
    the ruby load path. (closes: #469524, #517328)
  * debian/control
    + Depend on rubygems.
    + Suggest thin or thin1.8 as a possible server to run your production
      environment on. This is particularly useful if it is already being
      proxied.
    + xml-simple is no longer used by rails
    + Updated Standard to 3.8.4

- 9. By Adam Majer
  * Make sure strip_tags removes tags which start with a non-printable
    character. (closes: #558685) [CVE-2009-4214]
  * Merge in a few additional encoding changes.

- 8. By Adam Majer
  * New upstream release (closes: #545063)
    + Fixes XSS security hole [CVE-2009-3009]
    + Fixes timing issue with cookie store [CVE-2009-3086]
  * Remove dependency on ruby-dbi, as it is not required by any of the
    sources.
  * Correct dependency on fixed libxml-simple-ruby to 1.0.11-2 or later
    (closes: #538982)
  * debian/control
    + Change section from web to ruby
    + Updated to debhelper 7.0+
    + Standards updated to 3.8.3 - no changes

- 7. By Tiago Bortoletto Vaz
  * Non-maintainer upload.
  * Build-depends on rubygems. (Closes: #522009)

- 6. By Adam Majer
  * New upstream release (closes: #510580, 510580)
    + fixes the problem with migration with symbolic field types
      (closes: #511860)
  * debian/control:
    + Depend on Rake 0.8.3 or later
    + Build-Depends-Indep on libmocha-ruby for unit tests
    + Move most of the build dependencies to Build-Depends-Indep
    + Remove the predepends as Lenny is released
  * Load XMLSimple without specifying a path (closes: #514582)
  * Add an explanation how to configure non-packaged rails adds to work
    with Debian version of rails. Also include a tiny script to help in
    this effort. Tomas Pospisek provided the patch. (closes: #499187)

- 5. By Adam Majer
  Some browsers may submit 'text/plain' content type as part of POST
  request. ActionController passed these requests through, sidestepping
  the CSRF protection given by protect_from_forgery. Patch from
  upstream removes 'text/plain' encoding from the "ignore list".

- 4. By Adam Majer
  Sanitize the URLs passed to redirect_to to prevent a potential
  response splitting attack. Patch from upstream.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/oneiric/rails