SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for ruby2.5-rubygem-loofah-2.0.2-lp150.3.14.1.x86_64.rpm :

* Tue Oct 25 2022 Manuel Schnitzer - Added patch CVE-2019-15587.patch to fix CVE-2019-15587 (bsc#1154751)- Updated CVE-2018-8048.patch to apply again
* Thu Aug 22 2019 Manuel Schnitzer - Update CVE-2018-8048.patch (bsc#1086598) This makes Loofah::HTML5::Scrub.force_correct_attribute_escaping! callable from other gems as well - no need to make it private. In the newest upstream version of loofah, force_correct_attribute_escaping! can already be called by other gems as well (such as rails-html-sanitizer) This fixes an issue with the recent update of rubygem-rails-html-sanitizer which needs to call this method to mitigate CVE-2018-8048 successfully.
* Mon Nov 26 2018 mschnitzerAATTsuse.com- Modify CVE-2018-8048.patch to patch the gemspec file as well. The gemspec file needs to be patched in order to ship the newly added file \'lib/loofah/html5/libxml2_workarounds.rb\' which was introduced with patch CVE-2018-8048.patch
* Tue Nov 06 2018 mschnitzerAATTsuse.com- Security Vulnerability Fix: libxml2 >= 2.9.2 fails to escape comments within some attributes. It wants to ensure these comments can be treated as \"server-side includes\", but as a result fails to ensure that serialization is well-formed, resulting in an opportunity for XSS injection of code into a final re-parsed document (presumably in a browser). See #144 for more details and history around this libxml2 issue, which goes back a few years. At this point it\'s not clear to your humble maintainer why this hasn\'t been addressed upstream by libxml2 maintainers, and so I\'m working around it in Loofah to protect Loofah users, while simultaneously attempting to escalate the issue upstream.
* Added CVE-2018-8048.patch to address this security issue (bsc#1085967, CVE-2018-8048)
* Tue Nov 06 2018 mschnitzerAATTsuse.com- Security Vulnerability Fix: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
* Added CVE-2018-16468.patch to address this security issue (bsc#1113969, CVE-2018-16468)- Added series file for a better patch handling with quilt
* Wed May 06 2015 cooloAATTsuse.com- updated to version 2.0.2 see installed CHANGELOG.rdoc == 2.0.2 / 2015-05-05 Bug fixes:
* Fix error with `#to_text` when Loofah::Helpers hadn\'t been required. #75
* Allow multi-word data attributes. #84 (Thanks, AATTjstorimer!)
* Allow negative values in CSS properties. #85 (Thanks, AATTsiddhartham!)
* Wed Nov 12 2014 cooloAATTsuse.com- updated to version 2.0.1 Bug fixes:
* Load RR correctly when running test files directly. (Thanks, AATTktdreyer!) Notes:
* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, AATTkaspth!)
* Mon Oct 13 2014 cooloAATTsuse.com- adapt to new rubygem packaging
* Sun May 18 2014 cooloAATTsuse.com- updated to version 2.0.0 Compatibility notes:
* ActionView helpers now must be required explicitly: `require \"loofah/helpers\"`
* Support for Ruby 1.8.7 and prior has been dropped Enhancements:
* HTML5 whitelist allows the following ...
* tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
* attributes: `data-
*` (Thanks, Rafael Franca!)
* URI attributes: `poster` and `preload`
* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)
* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
* HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!) Bug fixes:
* HTML5 sanitizers\' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
* HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
* Mon Jul 30 2012 cooloAATTsuse.com- update to 1.2.1
* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. (#32)
  
ICM