Changelog for ruby2.7-rubygem-actionpack-6.0-6.0.4.8-23.1.x86_64.rpm :

* Thu Apr 28 2022 Stephan Kulow updated to version 6.0.4.8 see installed CHANGELOG.md
* ## Rails 6.0.4.8 (April 26, 2022) ##
* Allow Content Security Policy DSL to generate for API responses.
* *Tim Wade*
* ## Rails 6.0.4.7 (March 08, 2022) ##
* No changes.
* Mon Feb 21 2022 Stephan Kulow updated to version 6.0.4.6 see installed CHANGELOG.md
* ## Rails 6.0.4.6 (February 11, 2022) ##
* No changes.
* ## Rails 6.0.4.5 (February 11, 2022) ##
* Under certain circumstances, the middleware isn't informed that the response body has been fully closed, which results in request state not being fully reset before the next request. [CVE-2022-23633]
* Tue Jan 25 2022 Stephan Kulow updated to version 6.0.4.4 see installed CHANGELOG.md
* ## Rails 6.0.4.4 (December 15, 2021) ##
* Fix issue with host protection not allowing host with port in development.
* ## Rails 6.0.4.3 (December 14, 2021) ##
* Fix issue with host protection not allowing localhost in development.
* ## Rails 6.0.4.2 (December 14, 2021) ##
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
* ## Rails 6.1.4.1 (August 19, 2021) ##
* [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware. Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
* Thu Jun 24 2021 Stephan Kulow updated to version 6.0.4 see installed CHANGELOG.md
* ## Rails 6.0.4 (June 15, 2021) ##
* Accept base64_urlsafe CSRF tokens to make forward compatible. Base64 strict-encoded CSRF tokens are not inherently websafe, which makes them difficult to deal with. For example, the common practice of sending the CSRF token to a browser in a client-readable cookie does not work properly out of the box: the value has to be url-encoded and decoded to survive transport. In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens for backwards compatibility. In Rails 5.2.5, the CSRF token format is accidentally changed to urlsafe-encoded. If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens = true`.

  ```ruby
  Rails.application.config.action_controller.urlsafe_csrf_tokens = true
  ```
* *Scott Blum*, *Étienne Barrié*
* Signed and encrypted cookies can now store `false` as their value when `action_dispatch.use_cookies_with_metadata` is enabled.
* *Rolandas Barysas*
* ## Rails 6.0.3.7 (May 05, 2021) ##
* Prevent catastrophic backtracking during mime parsing CVE-2021-22902
* Prevent regex DoS in HTTP token authentication CVE-2021-22904
* Prevent string polymorphic route arguments. `url_for` supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls. CVE-2021-22885
* *Gannon McGibbon*
* ## Rails 6.0.3.6 (March 26, 2021) ##
* No changes.
* ## Rails 6.0.3.5 (February 10, 2021) ##
* Prevent open redirect when allowed host starts with a dot [CVE-2021-22881] Thanks to @tktech (https://hackerone.com/tktech) for reporting this issue and the patch!
* *Aaron Patterson*
* Fri Oct 16 2020 Marcus Rueckert - update to version 6.0.3.4: CVE-2020-8264 (boo#1177521) https://weblog.rubyonrails.org/2020/10/7/Rails-6-0-3-4-has-been-released/
* Sat Sep 12 2020 Manuel Schnitzer - updated to version 6.0.3.3
* no changes
* Thu Jun 25 2020 Manuel Schnitzer - updated to version 6.0.3.2
* CVE-2020-8185: Only allow ActionableErrors if show_detailed_exceptions is enabled
* Wed May 27 2020 Manuel Schnitzer - updated to version 6.0.3.1
* CVE-2020-8166: HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
* CVE-2020-8164: Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
* Thu May 07 2020 Stephan Kulow - updated to version 6.0.3 see installed CHANGELOG.md
* ## Rails 6.0.3 (May 06, 2020) ##
* Include child session assertion count in ActionDispatch::IntegrationTest. `IntegrationTest#open_session` uses `dup` to create the new session, which meant it had its own copy of `@assertions`. This prevented the assertions from being correctly counted and reported. Child sessions now have their `attr_accessor` overridden to delegate to the root session. Fixes #32142
* *Sam Bostock*
* ## Rails 6.0.2.2 (March 19, 2020) ##
* No changes.
* Mon Apr 27 2020 Manuel Schnitzer - Updated to version 6.0.2.2
* no changes
* Fri Dec 20 2019 Manuel Schnitzer - updated to version 6.0.2.1
* Fix possible information leak / session hijacking vulnerability. The ActionDispatch::Session::MemcacheStore is still vulnerable given it requires the gem dalli to be updated as well. (CVE-2019-16782)
* Sat Dec 14 2019 Manuel Schnitzer - updated to version 6.0.2
* Allow using mountable engine route helpers in System Tests.
* *Chalo Fernandez*
* Tue Nov 12 2019 Manuel Schnitzer - updated to version 6.0.1
* `ActionDispatch::SystemTestCase` now inherits from `ActiveSupport::TestCase` rather than `ActionDispatch::IntegrationTest`. This permits running jobs in system tests.
* *George Claghorn*, *Edouard Chin*
* Registered MIME types may contain extra flags:

  ```ruby
  Mime::Type.register "text/html; fragment", :html_fragment
  ```
* *Aaron Patterson*
* Sat Aug 17 2019 Manuel Schnitzer - updated to version 6.0.0
* no upstream changes - just a version bump
* Mon Jul 22 2019 Manuel Schnitzer - updated to version 6.0.0.rc2
* Add the ability to set the CSP nonce only to the specified directives. Fixes #35137.
* *Yuji Yaginuma*
* Keep part when scope option has value. When a route was defined within an optional scope, if that route didn't take parameters the scope was lost when using path helpers. This commit ensures scope is kept both when the route takes parameters or when it doesn't. Fixes #33219
* *Alberto Almagro*
* Change `ActionDispatch::Response#content_type` to return the Content-Type header as it is. Previously, the value returned by `ActionDispatch::Response#content_type` did NOT contain the charset part. This behavior has changed so that it returns the Content-Type header including the charset part, as it is. If you want just the MIME type, please use `ActionDispatch::Response#media_type` instead. Enable `action_dispatch.return_only_media_type_on_content_type` to use this change. If not enabled, `ActionDispatch::Response#content_type` returns the same value as in the previous version, but its behavior is deprecated.
* *Yuji Yaginuma*
* Calling `ActionController::Parameters#transform_keys/!` without a block now returns an enumerator for the parameters instead of the underlying hash.
* *Eugene Kenny*
* Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
* *Yuki Nishijima*, *Stan Lo*
* Sun Jun 30 2019 Manuel Schnitzer - disable 'disable_docs' option temporarily until we get an updated gem2rpm and ruby-common package in our devel project.
* Sat May 04 2019 Marcus Rueckert - update to version 6.0.0.rc1: https://weblog.rubyonrails.org/2019/4/27/this-week-in-rails-rails-6-0-0-rc1-is-here-say-hi-at-railsconf/
* Thu Mar 14 2019 Marcus Rueckert - update to version 6.0.0.beta3: https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/ CVE-2019-5418 CVE-2019-5419 CVE-2019-5420
* Sat Jan 19 2019 Marcus Rueckert - rb_build_ruby_abi needs to be rb_build_ruby_abis
* Sat Jan 19 2019 Marcus Rueckert - initial package
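
The Rails 6.0.4 entry above says strict Base64 CSRF tokens must be url-encoded to survive transport, urlsafe tokens do not, and validation accepts both. The Ruby sketch below is an added illustration of that behaviour, not code from Rails or from this package; the helper names and the sample token are constructed for the example.

```ruby
require "uri"

# Constructed 32-byte sample token (not a real CSRF token). These bytes are
# chosen so that the strict Base64 form contains '+', '/' and '=' padding.
SAMPLE_TOKEN = ("\xFB\xEF\xBE\xFF".b * 8).freeze

# Strict Base64 (RFC 4648 section 4): alphabet includes '+' and '/', padded.
def encode_strict(raw)
  [raw].pack("m0")
end

# URL-safe Base64 (RFC 4648 section 5) without padding: '-' and '_' instead.
def encode_urlsafe(raw)
  encode_strict(raw).tr("+/", "-_").delete("=")
end

# Hypothetical validator-side decoder that accepts either encoding, mirroring
# the "accepts both" behaviour the changelog describes. Returns nil on garbage.
def decode_token(encoded)
  return nil unless encoded.is_a?(String)
  b64 = encoded.tr("-_", "+/")
  b64 += "=" * ((4 - b64.length % 4) % 4)
  b64.unpack1("m0") # "m0" is strict: raises ArgumentError on bad input
rescue ArgumentError
  nil
end

# What a form/URL decoder does to a value that was sent without escaping:
# '+' is read as a space, so a strict token is silently corrupted.
def after_unescaped_transport(value)
  URI.decode_www_form_component(value)
end

if __FILE__ == $PROGRAM_NAME
  strict  = encode_strict(SAMPLE_TOKEN)
  urlsafe = encode_urlsafe(SAMPLE_TOKEN)
  puts "strict : #{strict}"
  puts "urlsafe: #{urlsafe}"
  ok = ->(v) { decode_token(after_unescaped_transport(v)) == SAMPLE_TOKEN }
  puts "strict survives unescaped transport:  #{ok.call(strict)}"
  puts "urlsafe survives unescaped transport: #{ok.call(urlsafe)}"
  puts "strict survives when url-encoded:     #{ok.call(URI.encode_www_form_component(strict))}"
end
```

A token that decodes to `nil` after transport fails CSRF validation, which is why the strict format only works when every client-side hop escapes it correctly.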
 