lp:ubuntu/maverick-security/rails

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/maverick-security/rails

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

12. By Felix Geyer

* SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
  the mail_to helper
  - Add 0001-Be-sure-to-javascript_escape-the-email-address-to-pr.patch
    from Debian and fix Debian bug #629067 by replacing .html_safe with
    html_escape()
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
  - CVE-2011-0446
  - LP: #870846
* SECURITY UPDATE: rails does not properly validate HTTP requests that
  contain an X-Requested-With header
  - Add 0002-Change-the-CSRF-whitelisting-to-only-apply-to-get-re.patch
    from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
  - CVE-2011-0447
* SECURITY UPDATE: multiple SQL injection vulnerabilities in the
  quote_table_name method in the ActiveRecord adapters
  - Add CVE-2011-2930.patch from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
  - CVE-2011-2930
* SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
  strip_tags helper
  - Add CVE-2011-2931.patch from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
  - CVE-2011-2931
* SECURITY UPDATE: cross-site scripting vulnerability which allows remote
  attackers to inject arbitrary web script or HTML via a malformed Unicode string
  - Add CVE-2011-2932.patch, backported from upstream
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
  - CVE-2011-2932
* SECURITY UPDATE: response splitting vulnerability
  - Add CVE-2011-3186.patch from Debian
  - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
  - CVE-2011-3186
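Why the mail_to fix above needs both escapes: in "javascript" encoding mode the helper builds an anchor tag, places it inside a document.write('...') string literal, percent-encodes every byte and wraps the result in eval(decodeURIComponent(...)). The percent-encoding hides the address from scrapers but gives no protection, because the browser decodes it and evaluates the result; a quote inside the address therefore terminates the string literal. The following is an added example and not Rails' own code: a cut-down model of that helper (html_escape, javascript_escape, mail_to_script, mail_to_tag, decoded_script and EVIL_ADDRESS are all assumed names constructed for the illustration) that contrasts the raw interpolation with the fixed path, where the address is html_escape'd rather than marked html_safe and the markup is javascript_escape'd before it enters the JS string.

```ruby
require 'cgi'

# HTML-escape a string (same characters as ERB::Util.html_escape).
def html_escape(s)
  CGI.escapeHTML(s.to_s)
end

# Characters that must be escaped inside a JavaScript string literal;
# a cut-down model (assumption) of ActionView's escape_javascript.
JS_ESCAPE_MAP = {
  '\\' => '\\\\', '</' => '<\/', "\r\n" => '\n',
  "\n" => '\n', "\r" => '\n', '"' => '\\"', "'" => "\\'"
}.freeze

def javascript_escape(s)
  s.to_s.gsub(/(\\|<\/|\r\n|\r|\n|["'])/) { |m| JS_ESCAPE_MAP[m] }
end

# The document.write(...) statement the helper's "javascript" encoding mode
# emits for an address. With escape=false the address is interpolated raw
# (the pre-fix behaviour); with escape=true it is html_escape'd and the
# markup is javascript_escape'd before it lands inside the JS string literal.
def mail_to_script(email, escape)
  addr = escape ? html_escape(email) : email
  html = %(<a href="mailto:#{addr}">#{addr}</a>)
  html = javascript_escape(html) if escape
  "document.write('#{html}');"
end

# Percent-encode every byte of the script (the helper's obfuscation step)
# and wrap it in the eval(decodeURIComponent(...)) tag.
def mail_to_tag(email, escape)
  encoded = mail_to_script(email, escape).each_byte.map { |b| format('%%%02x', b) }.join
  %(<script type="text/javascript">eval(decodeURIComponent('#{encoded}'))</script>)
end

# Recover what the browser's eval() sees: decode the %xx bytes back to text.
def decoded_script(tag)
  encoded = tag[/decodeURIComponent\('([^']*)'\)/, 1]
  encoded.gsub(/%([0-9a-f]{2})/i) { $1.hex.chr }.force_encoding('UTF-8')
end

# Constructed attacker-controlled address (say, from a user profile field).
# The leading quote closes the JS string literal; the rest is live code.
EVIL_ADDRESS = %q('+alert(1)+'@example.com)

if __FILE__ == $0
  puts decoded_script(mail_to_tag(EVIL_ADDRESS, false))  # quote breaks out of the literal
  puts decoded_script(mail_to_tag(EVIL_ADDRESS, true))   # quote is &#39;, stays inert text
end
```

The two escapes guard different contexts: html_escape makes the address safe as anchor text and attribute value, and javascript_escape keeps backslashes, quotes, newlines and "</" from breaking the surrounding string literal. Dropping either one leaves a hole, which is why the Debian patch replaced the .html_safe marking rather than adding to it.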

11. By Gunnar Wolf

* Non-maintainer upload.
* Added missing build-dependencies for rails-ruby1.8 on libactionpack-
  ruby1.8, libactionmailer-ruby1.8 and libactiveresource-ruby1.8
  (Closes: #587048)
* Fixed broken symlink to railties on new project generator (Closes:
  #583219)

10. By Adam Majer

* New upstream release (closes: #547658)
* Package is now split up and non-core rails components, like AR, are on
  the ruby load path. (closes: #469524, #517328)
* debian/control
  + Depend on rubygems.
  + Suggest thin or thin1.8 as a possible server to run your production
    environment on. This is particularly useful if it is already being
    proxied.
  + xml-simple is no longer used by rails
  + Updated Standards to 3.8.4

9. By Adam Majer

* Make sure strip_tags removes tags which start with a non-printable
  character. (closes: #558685) [CVE-2009-4214]
* Merge in a few additional encoding changes.

8. By Adam Majer

* New upstream release (closes: #545063)
  + Fixes XSS security hole [CVE-2009-3009]
  + Fixes timing issue with cookie store [CVE-2009-3086]
* Remove dependency on ruby-dbi, as it is not required by any of the
  sources.
* Correct dependency on fixed libxml-simple-ruby to 1.0.11-2 or later
  (closes: #538982)
* debian/control
  + Change section from web to ruby
  + Updated to debhelper 7.0+
  + Standards updated to 3.8.3 - no changes

7. By Tiago Bortoletto Vaz

* Non-maintainer upload.
* Build-depends on rubygems. (Closes: #522009)

6. By Adam Majer

* New upstream release (closes: #510580, 510580)
   + fixes the problem with migration with symbolic field types
     (closes: #511860)
* debian/control:
   + Depend on Rake 0.8.3 or later
   + Build-Depends-Indep on libmocha-ruby for unit tests
   + Move most of the build dependencies to Build-Depends-Indep
   + Remove the predepends as Lenny is released
* Load XMLSimple without specifying a path (closes: #514582)
* Add an explanation how to configure non-packaged rails adds to work
  with Debian version of rails. Also include a tiny script to help in
  this effort. Tomas Pospisek provided the patch. (closes: #499187)

5. By Adam Majer

Some browsers may submit 'text/plain' content type as part of POST
request. ActionController passed these requests through, sidestepping
the CSRF protection given by protect_from_forgery. Patch from
upstream removes 'text/plain' encoding from the "ignore list".
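Both CSRF fixes on this page are about the same check deciding that a request does not need an authenticity token: this revision's text/plain entry on the content-type "ignore list" (a cross-site form with enctype="text/plain" produces exactly that content type), and revision 12's X-Requested-With exemption (CVE-2011-0447), which assumed only same-origin JavaScript could set the header. The following is an added example and not Rails' own code: a minimal model of the verified-request decision before and after the fixes. Request, SESSION_TOKEN, UNVERIFIED_CONTENT_TYPES, verified_request_old?, verified_request_new?, REQUESTS and bypasses are assumed names, the token value and the requests are constructed, and the ignore list holds only the entry at issue.

```ruby
# Added model of the forgery check behind protect_from_forgery (not Rails' code).
Request = Struct.new(:verb, :headers, :content_type, :params, keyword_init: true) do
  def get?
    verb == 'GET'
  end

  # Rails' xhr? test: the X-Requested-With header JavaScript libraries add.
  def xhr?
    headers.fetch('X-Requested-With', nil) == 'XMLHttpRequest'
  end
end

# Constructed authenticity token stored in the session.
SESSION_TOKEN = 'c0ffee-constructed-token'.freeze

def token_matches?(req)
  req.params['authenticity_token'] == SESSION_TOKEN
end

# Constructed "ignore list" with only the entry at issue: text/plain was not
# verified, yet a browser form with enctype="text/plain" sends exactly this.
UNVERIFIED_CONTENT_TYPES = ['text/plain'].freeze

# Pre-fix check (model): GET, XHR and ignored content types all skip the token.
def verified_request_old?(req)
  req.get? ||
    req.xhr? ||
    UNVERIFIED_CONTENT_TYPES.include?(req.content_type) ||
    token_matches?(req)
end

# Post-fix check (model of the CVE-2011-0447 change): the whitelist is GET
# only; every other request must carry the session's token.
def verified_request_new?(req)
  req.get? || token_matches?(req)
end

# Constructed requests: a legitimate form post, a plain GET, and the two
# cross-site posts that exploited the exemptions.
REQUESTS = {
  legit_form:  Request.new(verb: 'POST', headers: {},
                           content_type: 'application/x-www-form-urlencoded',
                           params: { 'authenticity_token' => SESSION_TOKEN }),
  plain_get:   Request.new(verb: 'GET', headers: {}, content_type: nil, params: {}),
  forged_xhr:  Request.new(verb: 'POST', headers: { 'X-Requested-With' => 'XMLHttpRequest' },
                           content_type: 'application/x-www-form-urlencoded', params: {}),
  forged_text: Request.new(verb: 'POST', headers: {}, content_type: 'text/plain', params: {})
}.freeze

# Requests that the old check accepted and the new check rejects.
def bypasses
  REQUESTS.select { |_, r| verified_request_old?(r) && !verified_request_new?(r) }.keys
end

if __FILE__ == $0
  REQUESTS.each do |name, req|
    puts format('%-12s old=%-5s new=%s', name, verified_request_old?(req), verified_request_new?(req))
  end
end
```

The lesson is the same in both cases: any whitelist in a CSRF check is a bet that the attacker cannot produce that request shape from another origin, and both bets lost (browser forms for text/plain, plugin and redirect combinations for the custom header, as the upstream advisory for CVE-2011-0447 describes). The hardened form only exempts methods that are safe by definition and demands the token from everything else.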

4. By Adam Majer

Sanitize the URLs passed to redirect_to to prevent a potential
response splitting attack. Patch from upstream.
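This revision and the CVE-2011-3186 entry in revision 12 both concern the same failure: a value that reaches a response header unsanitized. If a redirect target taken from a parameter contains CR LF, the serialized response gains attacker-chosen headers after Location, and a second CR LF pair starts an attacker-chosen body. The following is an added example and not Rails' own code: a model of the raw and sanitized redirect responses plus a lenient header parser so the injected header is visible. redirect_raw, sanitize_header_value, redirect_sanitized, parse_headers, body_of and EVIL_TARGET are assumed names, and the attacker input is constructed.

```ruby
# Added model of redirect header injection and its sanitizer (not Rails' code).

# Serialize a 302 response. This deliberately trusts +location+, as the
# unpatched redirect path did.
def redirect_raw(location)
  "HTTP/1.1 302 Found\r\n" \
  "Location: #{location}\r\n" \
  "Content-Type: text/html\r\n\r\n"
end

# Remove CR and LF from a header value so it cannot end the header line.
def sanitize_header_value(value)
  value.to_s.gsub(/[\r\n]/, '')
end

def redirect_sanitized(location)
  redirect_raw(sanitize_header_value(location))
end

# Parse the header block into ordered [name, value] pairs, as a lenient client would.
def parse_headers(raw)
  head = raw.split("\r\n\r\n", 2).first
  head.split("\r\n").drop(1).map { |line| line.split(':', 2).map(&:strip) }
end

# Everything after the first blank line is body from the client's point of view.
def body_of(raw)
  raw.split("\r\n\r\n", 2)[1].to_s
end

# Constructed attacker input for something like redirect_to(params[:next]):
# a real URL, then an injected Set-Cookie header, then an injected body.
EVIL_TARGET = "http://example.com/\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>"

if __FILE__ == $0
  puts parse_headers(redirect_raw(EVIL_TARGET)).inspect        # Set-Cookie appears as a header
  puts parse_headers(redirect_sanitized(EVIL_TARGET)).inspect  # only Location and Content-Type
end
```

Stripping the line terminators keeps the redirect working with the remaining garbage folded into the Location value; rejecting the request outright is the stricter option and leaves a log entry, and sanitizing at the point where headers are written catches every header, not only Location.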

3. By Adam Majer

Remove the 12_options patch which actually breaks select.
(closes: #406658)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/oneiric/rails