2022-06-07 17:05:23 by Takahiro Kambe | Files touched by this commit (15) | |
Log message:
www/ruby-rails61: update to 6.1.6
Ruby on Rails 6.1.6 (2022-05-12)
Active Support
* Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Add the method ERB::Util.xml_name_escape to escape dangerous characters in
names of tags and names of attributes, following the specification of XML.
Action View
* Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Escape dangerous characters in names of tags and names of attributes in
the tag helpers, following the XML specification. Rename the option
:escape_attributes to :escape, to simplify by applying the option to the
whole tag.
Action Pack
* Allow Content Security Policy DSL to generate for API responses.
|
2022-05-05 05:30:02 by Takahiro Kambe | Files touched by this commit (1) | |
Log message:
www/ruby-actionpack61: update to 6.1.5.1
## Rails 6.1.5.1 (April 26, 2022) ##
* Allow Content Security Policy DSL to generate for API responses.
*Tim Wade*
## Rails 6.1.5 (March 09, 2022) ##
* Fix `content_security_policy` returning invalid directives.
Directives such as `self`, `unsafe-eval` and few others were not
single quoted when the directive was the result of calling a lambda
returning an array.
```ruby
content_security_policy do |policy|
policy.frame_ancestors lambda { [:self, "https://example.com"] }
end
```
With this fix the policy generated from above will now be valid.
*Edouard Chin*
* Update `HostAuthorization` middleware to render debug info only
when `config.consider_all_requests_local` is set to true.
Also, blocked host info is always logged with level `error`.
Fixes #42813.
*Nikita Vyrko*
* Dup arrays that get "converted".
Fixes #43681.
*Aaron Patterson*
* Don't show deprecation warning for equal paths.
*Anton Rieder*
* Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
Fixes #43094.
*Alex Ghiculescu*
* Add fallback host for SystemTestCase driven by RackTest.
Fixes #42780.
*Petrik de Heus*
* Add more detail about what hosts are allowed.
*Alex Ghiculescu*
|
2022-03-27 08:30:00 by Thomas Klausner | Files touched by this commit (24) |
Log message:
ruby*: fix rails version in COMMENT
|
2022-03-13 16:11:52 by Takahiro Kambe | Files touched by this commit (14) | |
Log message:
www/ruby-rails61: update to 6.1.4.7
Ruby on Rails 6.1.4.7 is not latest version but it should be easy to pull-up
to pkgsrc-2021Q4.
Changes are in devel/ruby-activestorage61 only.
## Rails 6.1.4.7 (March 08, 2022) ##
* Added image transformation validation via configurable allow-list.
Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.
[CVE-2022-21831]
|
2022-02-13 08:35:06 by Takahiro Kambe | Files touched by this commit (14) | |
Log message:
www/ruby-rails61: update to 6.1.4.6
This update contains security fix for CVE-2022-23633 in ruby-actionpack61.
Active Support 6.1.4.6 (2022-02-11)
* Fix Reloader method signature to work with the new Executor signature.
Action Pack 6.1.4.5 (2022-02-11)
* Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state
not being fully reset before the next request.
[CVE-2022-23633]
Other packages have no change.
|
2021-12-19 06:26:01 by Takahiro Kambe | Files touched by this commit (1) | |
Log message:
www/ruby-actionpack61: update to 6.1.4.4
## Rails 6.1.4.4 (December 15, 2021) ##
* Fix issue with host protection not allowing host with port in development.
## Rails 6.1.4.3 (December 14, 2021) ##
* Fix issue with host protection not allowing localhost in development.
|
2021-10-26 13:31:15 by Nia Alarie | Files touched by this commit (1030) |
Log message:
www: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts):
www/nghttp2/distinfo
Unfetchable distfiles (almost certainly fetched conditionally...):
./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx-devel/distinfo naxsi-1.3.tar.gz
./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx-devel/distinfo njs-0.5.0.tar.gz
./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz
./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx/distinfo naxsi-1.3.tar.gz
./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx/distinfo njs-0.5.0.tar.gz
./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz
|
2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033) |
Log message:
www: Remove SHA1 hashes for distfiles
|
2021-07-04 10:01:38 by Takahiro Kambe | Files touched by this commit (1) | |
Log message:
www/ruby-actionpack61: update to 6.1.4
Action Pack
* Ignore file fixtures on db:fixtures:load (Kevin Sjöberg)
* Fix ActionController::Live controller test deadlocks by removing the
body buffer size limit for tests. (Dylan Thacker-Smith)
* Correctly place optional path parameter booleans.
Previously, if you specify a url parameter that is part of the path
as false it would include that part of the path as parameter for
example:
get "(/optional/:optional_id)/things" => "foo#foo", as: \
:things
things_path(optional_id: false) # => /things?optional_id=false
After this change, true and false will be treated the same when used
as optional path parameters. Meaning now:
get '(this/:my_bool)/that' as: :that
that_path(my_bool: true) # => `/this/true/that`
that_path(my_bool: false) # => `/this/false/that`
(Adam Hess)
* Add support for 'private, no-store' Cache-Control headers.
Previously, 'no-store' was exclusive; no other directives could be
specified. (Alex Smith)
|
2021-05-08 16:08:57 by Takahiro Kambe | Files touched by this commit (14) | |
Log message:
www/ruby-rails61: update to 6.1.3.2
Real changes are in www/ruby-actionpack61 only.
## Rails 6.1.3.2 (May 05, 2021) ##
* Prevent open redirects by correctly escaping the host allow list
CVE-2021-22903
* Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
|