Hello community, here is the log from the commit of package rubygem-actionview-4_2 for openSUSE:Factory checked in at 2016-03-07 13:27:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-actionview-4_2 (Old) and /work/SRC/openSUSE:Factory/.rubygem-actionview-4_2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "rubygem-actionview-4_2" Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-actionview-4_2/rubygem-actionview-4_2.changes 2016-03-01 09:41:50.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-actionview-4_2.new/rubygem-actionview-4_2.changes 2016-03-07 13:27:56.000000000 +0100 @@ -1,0 +2,22 @@ +Tue Mar 1 05:31:26 UTC 2016 - coolo@suse.com + +- updated to version 4.2.5.2 + see installed CHANGELOG.md + + ## Rails 4.2.5.2 (February 26, 2016) ## + + * Do not allow render with unpermitted parameter. + + Fixes CVE-2016-2098. + + *Arthur Neves* + + + ## Rails 4.2.5.1 (January 25, 2015) ## + + * Adds boolean argument outside_app_allowed to `ActionView::Resolver#find_templates` + method. + + *Aaron Patterson* + +------------------------------------------------------------------- Old: ---- actionview-4.2.5.1.gem New: ---- actionview-4.2.5.2.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-actionview-4_2.spec ++++++ --- /var/tmp/diff_new_pack.mH8KYa/_old 2016-03-07 13:27:57.000000000 +0100 +++ /var/tmp/diff_new_pack.mH8KYa/_new 2016-03-07 13:27:57.000000000 +0100 
@@ -24,7 +24,7 @@ # Name: rubygem-actionview-4_2 -Version: 4.2.5.1 +Version: 4.2.5.2 Release: 0 %define mod_name actionview %define mod_full_name %{mod_name}-%{version} ++++++ actionview-4.2.5.1.gem -> actionview-4.2.5.2.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2016-01-25 19:25:06.000000000 +0100 +++ new/CHANGELOG.md 2016-02-29 20:16:10.000000000 +0100 @@ -1,3 +1,20 @@ +## Rails 4.2.5.2 (February 26, 2016) ## + +* Do not allow render with unpermitted parameter. + + Fixes CVE-2016-2098. + + *Arthur Neves* + + +## Rails 4.2.5.1 (January 25, 2015) ## + +* Adds boolean argument outside_app_allowed to `ActionView::Resolver#find_templates` + method. + + *Aaron Patterson* + + ## Rails 4.2.5 (November 12, 2015) ## * Fix `mail_to` when called with `nil` as argument. Files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_view/gem_version.rb new/lib/action_view/gem_version.rb --- old/lib/action_view/gem_version.rb 2016-01-25 19:25:06.000000000 +0100 +++ new/lib/action_view/gem_version.rb 2016-02-29 20:16:10.000000000 +0100 @@ -8,7 +8,7 @@ MAJOR = 4 MINOR = 2 TINY = 5 - PRE = "1" + PRE = "2" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_view/renderer/renderer.rb new/lib/action_view/renderer/renderer.rb --- old/lib/action_view/renderer/renderer.rb 2016-01-25 19:25:06.000000000 +0100 +++ new/lib/action_view/renderer/renderer.rb 2016-02-29 20:16:10.000000000 +0100 
@@ -17,6 +17,10 @@ # Main render entry point shared by AV and AC. def render(context, options) + if options.respond_to?(:permitted?) && !options.permitted? + raise ArgumentError, "render parameters are not permitted" + end + if options.key?(:partial) render_partial(context, options) else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_view/template/resolver.rb new/lib/action_view/template/resolver.rb --- old/lib/action_view/template/resolver.rb 2016-01-25 19:25:06.000000000 +0100 +++ new/lib/action_view/template/resolver.rb 2016-02-29 20:16:10.000000000 +0100 @@ -130,8 +130,8 @@ # This is what child classes implement. No defaults are needed # because Resolver guarantees that the arguments are present and # normalized. - def find_templates(name, prefix, partial, details) - raise NotImplementedError, "Subclasses must implement a find_templates(name, prefix, partial, details) method" + def find_templates(name, prefix, partial, details, outside_app_allowed) + raise NotImplementedError, "Subclasses must implement a find_templates(name, prefix, partial, details, outside_app_allowed) method" end # Helpers that builds a path. Useful for building virtual paths. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2016-01-25 19:25:06.000000000 +0100 +++ new/metadata 2016-02-29 20:16:10.000000000 +0100 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: actionview version: !ruby/object:Gem::Version - version: 4.2.5.1 + version: 4.2.5.2 platform: ruby authors: - David Heinemeier Hansson autorequire: bindir: bin cert_chain: [] -date: 2016-01-25 00:00:00.000000000 Z +date: 2016-02-29 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: activesupport 
@@ -16,14 +16,14 @@ requirements: - - '=' - !ruby/object:Gem::Version - version: 4.2.5.1 + version: 4.2.5.2 type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 4.2.5.1 + version: 4.2.5.2 - !ruby/object:Gem::Dependency name: builder requirement: !ruby/object:Gem::Requirement @@ -98,28 +98,28 @@ requirements: - - '=' - !ruby/object:Gem::Version - version: 4.2.5.1 + version: 4.2.5.2 type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 4.2.5.1 + version: 4.2.5.2 - !ruby/object:Gem::Dependency name: activemodel requirement: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 4.2.5.1 + version: 4.2.5.2 type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 4.2.5.1 + version: 4.2.5.2 description: Simple, battle-tested conventions and helpers for building web pages. email: david@loudthinking.com executables: []
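Review bot: In the rubygem-actionview-4_2.changes hunk, the copied entry for "Rails 4.2.5.1" carries the date "January 25, 2015", but the previous package's files (old/CHANGELOG.md, old/metadata `date: 2016-01-25`) show that release came out on 2016-01-25; when the CHANGELOG excerpt is pasted into the .changes file the year should be corrected to 2016 so the package history is not self-contradictory.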
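Review bot: In the old/CHANGELOG.md hunk the heading `## Rails 4.2.5.1 (January 25, 2015) ##` has the wrong year; the surrounding file timestamps (`old/CHANGELOG.md 2016-01-25`) and the old metadata date both place 4.2.5.1 in January 2016, and a 2015 date would put it before the 4.2.5 entry dated November 12, 2015 that follows it. This is upstream text, so it is worth reporting upstream rather than patching locally, but the .changes entry derived from it should use 2016.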
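Review bot: The guard added at the top of `Renderer#render` (`if options.respond_to?(:permitted?) && !options.permitted?`) only rejects objects that respond to `permitted?`, i.e. an `ActionController::Parameters` instance handed straight to `render`; anything that has already been converted to a plain Hash passes through unchanged, so this is a backstop and the real protection is still that controllers whitelist with `permit` before passing user input as render options. Two follow-ups are worth considering: the raised `ArgumentError` surfaces as a 500 unless the application rescues it, so the message should stay generic (as it is) and the behaviour should be covered by a regression test for both the `:partial` and the non-partial branch, since the check sits above the `options.key?(:partial)` split and is meant to cover both; and the only comment on the method is still "Main render entry point shared by AV and AC.", so a one-line comment above the `if` stating that it is the CVE-2016-2098 mitigation named in the CHANGELOG would tell future readers why the check must not be moved or removed.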
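Review bot: Adding the positional `outside_app_allowed` argument to the abstract `Resolver#find_templates` changes the method's arity in a patch release, so any third-party resolver that still implements `find_templates(name, prefix, partial, details)` will fail with a wrong-number-of-arguments `ArgumentError` as soon as the base class calls it with five arguments; the hunk shows only the abstract method, so the concrete resolvers and the caller are not visible here and should be checked in the same review. The comment directly above the method still says "No defaults are needed because Resolver guarantees that the arguments are present and normalized" without saying what the new boolean controls; update that comment to document `outside_app_allowed` (and, if compatibility with external subclasses matters, consider `outside_app_allowed = false` as a default so older subclasses keep working).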