commit rubygem-loofah for openSUSE:Factory
Hello community,
here is the log from the commit of package rubygem-loofah for openSUSE:Factory checked in at 2018-11-10 17:00:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-loofah (Old)
and /work/SRC/openSUSE:Factory/.rubygem-loofah.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-loofah"
Sat Nov 10 17:00:22 2018 rev:9 rq:646832 version:2.2.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-loofah/rubygem-loofah.changes 2018-04-11 14:02:21.466008566 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-loofah.new/rubygem-loofah.changes 2018-11-10 17:02:17.859539551 +0100
@@ -1,0 +2,21 @@
+Tue Nov 6 07:47:42 UTC 2018 - mschnitzer@suse.com
+
+- updated to version 2.2.3
+
+ ### Security (bsc#1113969, CVE-2018-16468)
+
+ Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
+
+ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154
+
+
+ ## Meta / 2018-10-27
+
+ The mailing list is now on Google Groups [#146](https://github.com/flavorjones/loofah/issues/146):
+
+ * Mail: loofah-talk@googlegroups.com
+ * Archive: https://groups.google.com/forum/#!forum/loofah-talk
+
+ This change was made because librelist no longer appears to be maintained.
+
+-------------------------------------------------------------------
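Review bot: the .changes entry copies the upstream release notes verbatim, including the markdown `### Security` heading and the entire `## Meta / 2018-10-27` mailing-list section, which is noise in a plain-text .changes file; keep the `bsc#1113969, CVE-2018-16468` reference and the one-line description of the fix, and drop the Meta block and markdown heading markers.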
Old:
----
loofah-2.2.2.gem
New:
----
loofah-2.2.3.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-loofah.spec ++++++
--- /var/tmp/diff_new_pack.ixcS6W/_old 2018-11-10 17:02:18.411538877 +0100
+++ /var/tmp/diff_new_pack.ixcS6W/_new 2018-11-10 17:02:18.415538872 +0100
@@ -24,7 +24,7 @@
#
Name: rubygem-loofah
-Version: 2.2.2
+Version: 2.2.3
Release: 0
%define mod_name loofah
%define mod_full_name %{mod_name}-%{version}
++++++ loofah-2.2.2.gem -> loofah-2.2.3.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2018-03-22 16:10:40.000000000 +0100
+++ new/CHANGELOG.md 2018-10-30 13:59:09.000000000 +0100
@@ -1,5 +1,24 @@
# Changelog
+## 2.2.3 / 2018-10-30
+
+### Security
+
+Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
+
+This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154
+
+
+## Meta / 2018-10-27
+
+The mailing list is now on Google Groups [#146](https://github.com/flavorjones/loofah/issues/146):
+
+* Mail: loofah-talk@googlegroups.com
+* Archive: https://groups.google.com/forum/#!forum/loofah-talk
+
+This change was made because librelist no longer appears to be maintained.
+
+
## 2.2.2 / 2018-03-22
Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
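Review bot: the 2.2.3 security entry states what the bug did (unsanitized JavaScript surviving in output when a crafted SVG element is republished) but not which scrubber or whitelist rule was tightened or which commit carries the fix, so a downstream reviewer must follow the issue link to confirm the shipped gem contains it; add the fixing commit or the affected component next to the issue URL. Minor: the two blank lines after the Meta block leave a double gap before `## 2.2.2 / 2018-03-22`.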
@@ -10,6 +29,8 @@
## 2.2.1 / 2018-03-19
+### Security
+
Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
@@ -17,7 +38,7 @@
## 2.2.0 / 2018-02-11
-Features:
+### Features:
* Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!)
* Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
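Review bot: the new heading keeps the trailing colon from the old `Features:` label (`### Features:`); markdown headings do not take a terminating colon, so drop it here and in the other section labels converted the same way further down this file.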
@@ -25,32 +46,32 @@
* Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, @NikoRoberts!)
* Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!)
-Bugfixes:
+### Bugfixes:
* Properly handle nested `script` tags. #127.
## 2.1.1 / 2017-09-24
-Bugfixes:
+### Bugfixes:
* Removed warning for unused variable. #124 (Thanks, @y-yagi!)
## 2.1.0 / 2017-09-24
-Notes:
+### Notes:
* Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. #91
-Features:
+### Features:
* Added :noopener HTML scrubber (Thanks, @tastycode!)
* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)
-Bugfixes:
+### Bugfixes:
* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124
* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91
@@ -58,14 +79,14 @@
## 2.0.3 / 2015-08-17
-Bug fixes:
+### Bug fixes:
* Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)
## 2.0.2 / 2015-05-05
-Bug fixes:
+### Bug fixes:
* Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
* Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
@@ -74,24 +95,24 @@
## 2.0.1 / 2014-08-21
-Bug fixes:
+### Bug fixes:
* Load RR correctly when running test files directly. (Thanks, @ktdreyer!)
-Notes:
+### Notes:
* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)
## 2.0.0 / 2014-05-09
-Compatibility notes:
+### Compatibility notes:
* ActionView helpers now must be required explicitly: `require "loofah/helpers"`
* Support for Ruby 1.8.7 and prior has been dropped
-Enhancements:
+### Enhancements:
* HTML5 whitelist allows the following ...
* tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
@@ -101,7 +122,7 @@
* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
* HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
-Bug fixes:
+### Bug fixes:
* HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
* HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
@@ -114,7 +135,7 @@
## 1.2.0 (2011-08-08)
-Enhancements:
+### Enhancements:
* Loofah::Helpers.sanitize_css is a replacement for Rails's built-in sanitize_css helper.
* Improving ActionView integration.
@@ -122,7 +143,7 @@
## 1.1.0 (2011-08-08)
-Enhancements:
+### Enhancements:
* Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230).
Up to date with HTML5lib ruby code as of 1723:7ee6a0331856.
@@ -132,7 +153,7 @@
## 1.0.0 (2010-10-26)
-Notes:
+### Notes:
* Moved ActiveRecord functionality into `loofah-activerecord` gem.
* Removed DEPRECATIONS.rdoc documenting 0.3.0 API changes.
@@ -140,7 +161,7 @@
## 0.4.7 (2010-03-09)
-Enhancements:
+### Enhancements:
* New methods Loofah::HTML::Document#to_text and
Loofah::HTML::DocumentFragment#to_text do the right thing with
@@ -153,23 +174,23 @@
## 0.4.4, 0.4.5, 0.4.6 (2010-02-01)
-Enhancements:
+### Enhancements:
* Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now escape HTML entities.
-Bug fixes:
+### Bug fixes:
* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17
## 0.4.3 (2010-01-29)
-Enhancements:
+### Enhancements:
* All built-in scrubbers are accepted by ActiveRecord::Base.xss_foliate
* Loofah::XssFoliate.xss_foliate_all_models replaces use of the constant LOOFAH_XSS_FOLIATE_ALL_MODELS
-Miscellaneous:
+### Miscellaneous:
* Modified documentation for bootstrapping XssFoliate in a Rails app,
since the use of Bundler breaks the previously-documented method. To
@@ -178,18 +199,18 @@
## 0.4.2 (2010-01-22)
-Enhancements:
+### Enhancements:
* Implemented Node#scrub! for scrubbing subtrees.
* Implemented NodeSet#scrub! for scrubbing a set of subtrees.
* Document.text now only serializes <body> contents (ignores <head>)
* <head>, <html> and <body> added to the HTML5lib whitelist.
-Bug fixes:
+### Bug fixes:
* Supporting Rails apps that aren't loading ActiveRecord. GH #10
-Miscellaneous:
+### Miscellaneous:
* Mailing list is now loofah@librelist.com / http://librelist.com
* IRC channel is now \#loofah on freenode.
@@ -197,14 +218,14 @@
## 0.4.1 (2009-11-23)
-Bugfix:
+### Bugfix:
* Manifest fixed. Whoops.
## 0.4.0 (2009-11-21)
-Enhancements:
+### Enhancements:
* Scrubber class introduced, allowing development of custom scrubbers.
* Added support for XML documents and fragments.
@@ -215,20 +236,20 @@
## 0.3.1 (2009-10-12)
-Bug fixes:
+### Bug fixes:
* Scrubbed Documents properly render html, head and body tags when serialized.
## 0.3.0 (2009-10-06)
-Enhancements:
+### Enhancements:
* New ActiveRecord extension `xss_foliate`, a drop-in replacement for xss_terminate[http://github.com/look/xss_terminate/tree/master].
* Replacement methods for Rails's helpers, Loofah::Rails.sanitize and Loofah::Rails.strip_tags.
* Official support (and test coverage) for Rails versions 2.3, 2.2, 2.1, 2.0 and 1.2.
-Deprecations:
+### Deprecations:
* The methods strip_tags, whitewash, whitewash_document, sanitize, and
sanitize_document have been deprecated. See DEPRECATED.rdoc for
@@ -237,7 +258,7 @@
## 0.2.2 (2009-09-30)
-Enhancements:
+### Enhancements:
* ActiveRecord extension scrubs fields in a before_validation callback
(was previously in a before_save)
@@ -245,12 +266,12 @@
## 0.2.1 (2009-09-19)
-Enhancements:
+### Enhancements:
* when loaded in a Rails app, automatically extend ActiveRecord::Base
with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)
-Bugfixes:
+### Bugfixes:
* ActiveRecord scrubbing should generate strings instead of Document or
DocumentFragment objects. GH #5
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Manifest.txt new/Manifest.txt
--- old/Manifest.txt 2018-03-22 16:10:40.000000000 +0100
+++ new/Manifest.txt 2018-10-30 13:59:09.000000000 +0100
@@ -24,6 +24,7 @@
lib/loofah/scrubbers.rb
lib/loofah/xml/document.rb
lib/loofah/xml/document_fragment.rb
+test/assets/msword.html
test/assets/testdata_sanitizer_tests1.dat
test/helper.rb
test/html5/test_sanitizer.rb
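Review bot: `test/assets/msword.html` is added to the Manifest, but no change to a test file that loads it appears in this diff, so confirm the test referencing the new asset is shipped in the gem as well; otherwise the asset is packaged with nothing exercising it.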
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/README.md new/README.md
--- old/README.md 2018-03-22 16:10:40.000000000 +0100
+++ new/README.md 2018-10-30 13:59:09.000000000 +0100
@@ -1,8 +1,8 @@
# Loofah
* https://github.com/flavorjones/loofah
-* http://rubydoc.info/github/flavorjones/loofah/master/frames
-* http://librelist.com/browser/loofah
+* Docs: http://rubydoc.info/github/flavorjones/loofah/master/frames
+* Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
## Status
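Review bot: the new `Docs:` line still points at `http://rubydoc.info/...` while the mailing-list link beside it uses https; since the line was rewritten anyway, switch the docs URL to https so the documentation link is not served over plain HTTP.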
@@ -301,9 +301,10 @@
* https://github.com/flavorjones/loofah/issues
-And the mailing list is on librelist:
+And the mailing list is on Google Groups:
-* loofah@librelist.com / http://librelist.com
+* Mail: loofah-talk@googlegroups.com
+* Archive: https://groups.google.com/forum/#!forum/loofah-talk
And the IRC channel is \#loofah on freenode.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SECURITY.md new/SECURITY.md
--- old/SECURITY.md 2018-03-22 16:10:40.000000000 +0100
+++ new/SECURITY.md 2018-10-30 13:59:09.000000000 +0100
@@ -9,7 +9,7 @@
If you have not received a reply to your submission within 48 hours, there are a few steps you can take:
* Contact the current security coordinator (Mike Dalessio