Log message:
www/ruby-rails60: update to  6.0.4.6

This update contains security fix for CVE-2022-23633 in ruby-actionpack60.

Active Support 6.0.4.6 (2022-02-11)

* Fix Reloader method signature to work with the new Executor signature.

Action Pack 6.0.4.6

6.0.4.5 (2022-02-11)

* Under certain circumstances, the middleware isn't informed that the
  response body has been fully closed which result in request state
  not being fully reset before the next request.

  [CVE-2022-23633]

Other packages have no change.

Log message:
devel/ruby-activesupport60: update to 6.0.4.4

No change except version.

Log message:
archivers: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Could not be committed due to merge conflict:
devel/py-traitlets/distinfo

The following distfiles were unfetchable (note: some may be only fetched
conditionally):

./devel/pvs/distinfo pvs-3.2-solaris.tgz
./devel/eclipse/distinfo eclipse-sourceBuild-srcIncluded-3.0.1.zip

Log message:
devel: Remove SHA1 hashes for distfiles

Log message:
www/ruby-rails60: update to 6.0.4

Ruby on Rails 6.0.4 (2021-06-15), including security fixes.

Active Support

* Fixed issue in ActiveSupport::Cache::RedisCacheStore not passing
  options to read_multi causing fetch_multi to not work properly.
  (Rajesh Sharma)

* with_options copies its options hash again to avoid leaking mutations.
  Fixes #39343.  (Eugene Kenny)

Active Record

* Only warn about negative enums if a positive form that would cause
  conflicts exists.  Fixes #39065.  (Alex Ghiculescu)

* Allow the inverse of a has_one association that was previously
  autosaved to be loaded.  Fixes #34255.  (Steven Weber)

* Reset statement cache for association if table_name is changed.
  Fixes #36453.  (Ryuta Kamizono)

* Type cast extra select for eager loading.  (Ryuta Kamizono)

* Prevent collection associations from being autosaved multiple times.
  Fixes #39173.  (Eugene Kenny)

* Resolve issue with insert_all unique_by option when used with
  expression index.

  When the :unique_by option of ActiveRecord::Persistence.insert_all
  and ActiveRecord::Persistence.upsert_all was used with the name of
  an expression index, an error was raised.  Adding a guard around the
  formatting behavior for the :unique_by corrects this.

  Usage:

	create_table :books, id: :integer, force: true do |t|
	  t.column :name, :string
	  t.index "lower(name)", unique: true
	end

  	Book.insert_all [{ name: "MyTest" }], unique_by: \ 
:index_books_on_lower_name

  Fixes #39516.  (Austen Madden)

* Fix preloading for polymorphic association with custom scope.
  (Ryuta Kamizono)

* Allow relations with different SQL comments in the or method.
  (Takumi Shotoku)

* Resolve conflict between counter cache and optimistic locking.

  Bump an Active Record instance's lock version after updating its
  counter cache.  This avoids raising an unnecessary
  ActiveRecord::StaleObjectError upon subsequent transactions by
  maintaining parity with the corresponding database record's
  lock_version column.  Fixes #16449.  (Aaron Lipman)

* Fix through association with source/through scope which has joins.
  (Ryuta Kamizono)

* Fix through association to respect source scope for includes/preload.
  (Ryuta Kamizono)

* Fix eager load with Arel joins to maintain the original joins order.
  (Ryuta Kamizono)

* Fix group by count with eager loading + order + limit/offset.
  (Ryuta Kamizono)

* Fix left joins order when merging multiple left joins from different
  associations.  (Ryuta Kamizono)

* Fix index creation to preserve index comment in bulk change table on
  MySQL.  (Ryuta Kamizono)

* Change remove_foreign_key to not check :validate option if database
  doesn't support the feature.  (Ryuta Kamizono)

* Fix the result of aggregations to maintain duplicated "group by"
  fields.  (Ryuta Kamizono)

* Do not return duplicated records when using preload.  (Bogdan Gusiev)

Action View

* SanitizeHelper.sanitized_allowed_attributes and
  SanitizeHelper.sanitized_allowed_tags call safe_list_sanitizer's
  class method.  Fixes #39586.  (Taufiq Muhammadi)

Action Pack

* Accept base64_urlsafe CSRF tokens to make forward compatible.

* Base64 strict-encoded CSRF tokens are not inherently websafe, which
  makes them difficult to deal with.  For example, the common practice
  of sending the CSRF token to a browser in a client-readable cookie
  does not work properly out of the box: the value has to be
  url-encoded and decoded to survive transport.

  In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which
  are inherently safe to transport.  Validation accepts both urlsafe
  tokens, and strict-encoded tokens for backwards compatibility.

  In Rails 5.2.5, the CSRF token format is accidentally changed to
  urlsafe-encoded.  If you upgrade apps from 5.2.5, set the config
  urlsafe_csrf_tokens = true.

	Rails.application.config.action_controller.urlsafe_csrf_tokens = true

  (Scott Blum, Étienne Barrié)

* Signed and encrypted cookies can now store false as their value when
  action_dispatch.use_cookies_with_metadata is enabled.  (Rolandas
  Barysas)

Active Storage

* The Poppler PDF previewer renders a preview image using the original
  document's crop box rather than its media box, hiding print
  margins. This matches the behavior of the MuPDF previewer.  (Vincent
  Robert)

Railties

* Allow relative paths with trailing slashes to be passed to rails
  test.  (Eugene Kenny)

* Return a 405 Method Not Allowed response when a request uses an
  unknown HTTP method.  Fixes #38998.  (Loren Norman)

Log message:
www/ruby-rails60: update to 6.0.3.7

Real changes are in www/ruby-actionpack60 only.

## Rails 6.0.3.7 (May 05, 2021) ##

*   Prevent catastrophic backtracking during mime parsing
    CVE-2021-22902

*   Prevent regex DoS in HTTP token authentication
    CVE-2021-22904

*   Prevent string polymorphic route arguments.

    `url_for` supports building polymorphic URLs via an array
    of arguments (usually symbols and records). If a developer passes a
    user input array, strings can result in unwanted route helper calls.

    CVE-2021-22885

    *Gannon McGibbon*

Log message:
www/ruby-rails60: update to 6.0.3.6

Real changes are in devel/ruby-activestorage60 only.

## Rails 6.0.3.6 (March 26, 2021) ##

*   Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
    mime types data.

    *George Claghorn*

Log message:
www/ruby-rails60: update to 6.0.3.5

databases/ruby-activerecord60:

## Rails 6.0.3.5 (February 10, 2021) ##

*   Fix possible DoS vector in PostgreSQL money type

    Carefully crafted input can cause a DoS via the regular expressions used
    for validating the money format in the PostgreSQL adapter.  This patch
    fixes the regexp.

    Thanks to @dee-see from Hackerone for this patch!

    [CVE-2021-22880]

    *Aaron Patterson*

www/ruby-actionpack60

## Rails 6.0.3.5 (February 10, 2021) ##

*   Prevent open redirect when allowed host starts with a dot

    [CVE-2021-22881]

    Thanks to @tktech (https://hackerone.com/tktech) for reporting this
    issue and the patch!

    *Aaron Patterson*

Log message:
www/ruby-rails60: update to 6.0.3.4

Update Ruby on Rails 6.0 related packages to 6.0.3.4.
This is security fix for ruby-actionpack60.

## Rails 6.0.3.4 (October 07, 2020) ##

*   [CVE-2020-8264] Prevent XSS in Actionable Exceptions

Log message:
www/ruby-rails60: update to 6.0.3.3

Update Ruby on Rails 60 to 6.0.3.3.

Security fix in ruby-actionview60.

## Rails 6.0.3.3 (September 09, 2020) ##

*   [CVE-2020-8185] Fix potential XSS vulnerability in the `translate`/`t` helper.

    *Jonathan Hefner*