Subject: CVS commit: [pkgsrc-2012Q2] pkgsrc
From: Steven Drake
Date: 2012-08-20 09:54:05
Message id: 20120820075406.17080175DD@cvs.netbsd.org
Log Message:
Pullup ticket #3903 - requested by taca
Ruby on Rails 3.0.17 security update.

Revisions pulled up:
- databases/ruby-activerecord3/distinfo                         1.15
- devel/ruby-activemodel/distinfo                               1.15
- devel/ruby-activesupport3/distinfo                            1.16
- devel/ruby-railties/distinfo                                  1.15
- lang/ruby/rails.mk                                            1.28
- mail/ruby-actionmailer3/distinfo                              1.17
- www/ruby-actionpack3/distinfo                                 1.16
- www/ruby-activeresource3/distinfo                             1.15
- www/ruby-rails3/distinfo                                      1.16

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Aug 12 09:44:22 UTC 2012

   Modified Files:
   	pkgsrc/lang/ruby: rails.mk

   Log Message:
   Start update of Ruby on Rails 3.0.17.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Aug 12 09:44:58 UTC 2012

   Modified Files:
   	pkgsrc/devel/ruby-activesupport3: distinfo

   Log Message:
   Update ruby-activesupport3 to 3.0.17.

   ## Rails 3.0.17 (Aug 9, 2012)

   * No changes.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Aug 12 09:45:45 UTC 2012

   Modified Files:
   	pkgsrc/devel/ruby-activemodel: distinfo

   Log Message:
   Update ruby-activemodel to 3.0.17.

   ## Rails 3.0.17 (Aug 9, 2012)

   * No changes.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Aug 12 09:46:45 UTC 2012

   Modified Files:
   	pkgsrc/www/ruby-actionpack3: distinfo

   Log Message:
   Update ruby-actionpack3 to 3.0.17

   ## Rails 3.0.17 (Aug 9, 2012)

   * There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
     helper doesn't correctly handle malformed html.  As a result an attacker can
     execute arbitrary javascript through the use of specially crafted malformed
     html.

     *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*

   * When a "prompt" value is supplied to the `select_tag` helper, the \ 
"prompt"
     value is not escaped.  If untrusted data is not escaped, and is supplied as
     the prompt value, there is a potential for XSS attacks.
     Vulnerable code will look something like this:
       select_tag("name", options, :prompt => UNTRUSTED_INPUT)

     *Santiago Pastorino*

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Aug 12 09:47:45 UTC 2012

   Modified Files:
   	pkgsrc/databases/ruby-activerecord3: distinfo

   Log Message:
   Update ruby-activerecord3 to 3.0.17.

   ## Rails 3.0.17 (Aug 9, 2012)

   * Fix type_to_sql with text and limit on mysql/mysql2 (GH #7252)

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Aug 12 09:48:26 UTC 2012

   Modified Files:
   	pkgsrc/mail/ruby-actionmailer3: distinfo

   Log Message:
   Update ruby-actionmailer3 to 3.0.17.

   ## Rails 3.0.17 (Aug 9, 2012)

   * No changes.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Aug 12 09:49:01 UTC 2012

   Modified Files:
   	pkgsrc/devel/ruby-railties: distinfo

   Log Message:
   Update ruby-railties to 3.0.17.

   ## Rails 3.0.17 (Aug 9, 2012)

   * No changes.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Aug 12 09:50:41 UTC 2012

   Modified Files:
   	pkgsrc/www/ruby-rails3: distinfo

   Log Message:
   Update ruby-rails3 to 3.0.17.

   This is a meta-like package and no changes.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Wed Aug 15 15:58:23 UTC 2012

   Modified Files:
   	pkgsrc/www/ruby-activeresource3: distinfo

   Log Message:
   Oops, missed from commit for ruby-activeresource3.
Files:
RevisionActionfile
1.13.2.2modifypkgsrc/databases/ruby-activerecord3/distinfo
1.13.2.2modifypkgsrc/devel/ruby-activemodel/distinfo
1.14.2.2modifypkgsrc/devel/ruby-activesupport3/distinfo
1.13.2.2modifypkgsrc/devel/ruby-railties/distinfo
1.24.2.4modifypkgsrc/lang/ruby/rails.mk
1.15.2.2modifypkgsrc/mail/ruby-actionmailer3/distinfo
1.14.2.2modifypkgsrc/www/ruby-actionpack3/distinfo
1.13.2.2modifypkgsrc/www/ruby-activeresource3/distinfo
1.14.2.2modifypkgsrc/www/ruby-rails3/distinfo