Subject: CVS commit: pkgsrc/www/ruby-mechanize
From: Takahiro Kambe
Date: 2012-04-29 18:11:17
Message id: 20120429161117.41670175DD@cvs.netbsd.org

Log Message:
Update ruby-mechanize to 2.4.

=== 2.4

* Security fix:

  Mechanize#auth and Mechanize#basic_auth allowed disclosure of passwords to
  malicious servers and have been removed.

  In prior versions of mechanize only one set of HTTP authentication
  credentials were allowed for all connections.  If a mechanize instance
  connected to more than one server then a malicious server detecting
  mechanize could ask for HTTP Basic authentication.  This would expose the
  username and password intended only for one server.

  Mechanize#auth and Mechanize#basic_auth now warn when used.

  To fix the warning switch to Mechanize#add_auth which requires at the URI
  the credentials are intended for, the username and the password.
  Optionally an HTTP authentication realm or NTLM domain may be provided.

* Minor enhancement
  * Improved exception messages for 401 Unauthorized responses.  Mechanize now
    tells you if you were missing credentials, had an incorrect password, etc.

Files:
RevisionActionfile
1.8modifypkgsrc/www/ruby-mechanize/Makefile
1.8modifypkgsrc/www/ruby-mechanize/PLIST
1.7modifypkgsrc/www/ruby-mechanize/distinfo