rails (2:5.2.2.1+dfsg-1+deb10u5) buster-security; urgency=medium * Non-maintainer upload by the Debian LTS Team. * Regression on last upload. Disable patch for CVE-2022-32224 -- Abhijith PA Tue, 13 Sep 2022 13:57:41 +0000 rails (2:5.2.2.1+dfsg-1+deb10u4) buster-security; urgency=medium * Non-maintainer upload by the Debian LTS Team. * Fix CVE-2022-21831, CVE-2022-22577, CVE-2022-23633, CVE-2022-27777, CVE-2022-32224 -- Abhijith PA Sat, 03 Sep 2022 14:58:08 +0530 rails (2:5.2.2.1+dfsg-1+deb10u3) buster-security; urgency=high * Add patch to prevent string polymorphic route arguments. (Fixes: CVE-2021-22885) (Closes: #988214) * Add patch to prevent slow regex when parsing host auth header. (Fixes: CVE-2021-22904) (Closes: #988214) * Add patch to fix possible DoS vector in PostgreSQL money type. (Fixes: CVE-2021-22880) -- Utkarsh Gupta Sun, 06 Jun 2021 18:26:33 +0530 rails (2:5.2.2.1+dfsg-1+deb10u2) buster-security; urgency=medium * CVE-2020-8162 CVE-2020-8164 CVE-2020-8165 CVE-2020-8166 CVE-2020-8167 CVE-2020-15169 -- Moritz Mühlenhoff Wed, 23 Sep 2020 19:19:24 +0200 rails (2:5.2.2.1+dfsg-1+deb10u1) buster; urgency=high * Team upload. * Add patch to fix possible XSS vector in JS escape helper. (Fixes: CVE-2020-5267) (Closes: #954304) -- Utkarsh Gupta Sun, 22 Mar 2020 18:47:31 +0530 rails (2:5.2.2.1+dfsg-1) unstable; urgency=medium * Team upload * New upstream version 5.2.2.1+dfsg (Closes: #924520, #924521) (Fixes: CVE-2019-5418 CVE-2019-5419, CVE-2019-5420) * Drop unused override * Remove duplicate Depends entry for rake * Add d/upstream/metadata -- Utkarsh Gupta Sun, 17 Mar 2019 17:44:07 +0530 rails (2:5.2.2+dfsg-6) unstable; urgency=medium [ Antonio Terceiro ] * debian/tests/control: remove explicit call to gem2deb-test-runner, as it will be added automatically by autodep8. [ Pirate Praveen ] * Move all Recommends from ruby-rails to rails as Depends (Closes: #923507) * Drop obsolete Breaks + Replaces rails3 * Drop needs-recommends restriction in newapp autopkgtest * Add debian/node_modules path in activestorage/rollup.config.js for spark-md5 -- Pirate Praveen Fri, 01 Mar 2019 19:50:07 +0530 rails (2:5.2.2+dfsg-5) unstable; urgency=medium * Recommend ruby-chromedriver-helper in ruby-rails -- Pirate Praveen Fri, 08 Feb 2019 16:22:07 +0530 rails (2:5.2.2+dfsg-4) unstable; urgency=medium * Allow ruby-sprockets-rails >= 3 * Bump Standards-Version to 4.3.0 (no changes needed) -- Pirate Praveen Thu, 07 Feb 2019 11:12:48 +0530 rails (2:5.2.2+dfsg-3) unstable; urgency=medium * Build action_cable.js using blade build system for ruby-actioncable -- Pirate Praveen Wed, 06 Feb 2019 18:01:34 +0530 rails (2:5.2.2+dfsg-2) unstable; urgency=medium * Use --gem-install option to dh_ruby as many components now has javascript files targeted for asset pipeline. * Fix typo in rules to correctly override dh_auto_build (Closes: #897641) * Switch to rollup for building activestorage.js, like upstream * Build rails-ujs as part of ruby-actionview with blade build system -- Pirate Praveen Wed, 30 Jan 2019 14:47:39 +0530 rails (2:5.2.2+dfsg-1) unstable; urgency=medium * New upstream version 5.2.2 (Closes: #914847, #914848) (Fixes: CVE-2018-16476, CVE-2018-16477) * Delete 0002-edit-activestorage-webpack-config-js.patch * Add 0002-disable-uglify-in-activestorage-rollup-config-js.patch -- Sruthi Chandran Mon, 07 Jan 2019 00:23:02 +0530 rails (2:5.2.0+dfsg-2) unstable; urgency=medium * Re-upload to unstable -- Sruthi Chandran Thu, 03 Jan 2019 13:14:54 +0530 rails (2:5.2.0+dfsg-1) experimental; urgency=medium * New upstream release * Add myself to uploaders * Embed spark-md5 * Remove activestorage.js and syntaxhighlighter.js for dfsg * Use webpack to build activestorage.js * Bump Standards-Version to 4.2.0 (no changes needed) * Update lintian overrides * Use salsa.debian.org in Vcs-* fields * Add nocheck build profile * Remove shCore.js from missing-sources -- Sruthi Chandran Fri, 03 Aug 2018 20:37:48 +0530 rails (2:4.2.10-1) unstable; urgency=medium * New upstream version 4.2.10 * Bump debhelper compat to 11 and standards version to 4.1.3 -- Pirate Praveen Sun, 18 Mar 2018 17:20:16 +0530 rails (2:4.2.9-4) unstable; urgency=medium * Team upload. * Patch gem specs to really relax rack-test dependency. -- Marc Dequènes (Duck) Thu, 07 Sep 2017 19:46:41 +0900 rails (2:4.2.9-3) unstable; urgency=medium * Relax dependency on ruby-rack-test * Add myself to uploaders -- Pirate Praveen Wed, 06 Sep 2017 12:14:19 +0530 rails (2:4.2.9-2) unstable; urgency=medium * Team upload * Reupload to unstable -- Pirate Praveen Wed, 23 Aug 2017 18:39:08 +0530 rails (2:4.2.9-1) experimental; urgency=medium * Team upload * New upstream release -- Pirate Praveen Sun, 30 Jul 2017 22:14:24 +0530 rails (2:4.2.7.1-1) unstable; urgency=medium * New upstream release; includes fixes for the following issues: - CVE-2016-6317: unsafe query generation in Active Record (Closes: #834154) - CVE-2016-6316: Possible XSS Vulnerability in Action View (Closes: #834155) * debian/watch: restrict to the 4.x series for now -- Antonio Terceiro Mon, 22 Aug 2016 14:33:48 -0300 rails (2:4.2.6-2) unstable; urgency=medium * Team upload * ruby-rails: Add ruby-coffee-rails to recommends (Closes: #818470) * Relax ruby-json (drop << 2.0 requirement) -- Pirate Praveen Fri, 22 Jul 2016 23:37:44 +0530 rails (2:4.2.6-1) unstable; urgency=medium [ Antonio Terceiro ] * New upstream release * debian/clean: list files that are created when the tests run * Drop 0003-Make-AR-SpawnMethods-merge-to-check-an-arg-is-a-Proc.patch, applied upstream [ Praveen Arimbrathodiyil ] * Set minimum version of ruby-sprockets-rails (for sprockets version incompatibility with ruby-sass-rails) -- Antonio Terceiro Sat, 09 Apr 2016 19:39:46 -0300 rails (2:4.2.5.2-2) unstable; urgency=medium [ Cédric Boutillier ] * Remove version in the gem2deb build-dependency * Use https:// in Vcs-* fields * Bump Standards-Version to 3.9.7 (no changes needed) * Run wrap-and-sort on packaging files [ Antonio Terceiro ] * 0002-load_paths.rb-don-t-load-bundler.patch: don't load bundler when running tests * Run tests during build - add all runtime dependencies as build dependencies as well * Run unit tests also under autopkgtest * Add 0003-Make-AR-SpawnMethods-merge-to-check-an-arg-is-a-Proc.patch to fix ActiveRecord relations with Ruby 2.3 * 0004-ActiveRecord-skip-a-few-tests-that-are-broken-on-Deb.patch skip some tests that are broken on Debian. -- Antonio Terceiro Fri, 04 Mar 2016 14:49:00 -0300 rails (2:4.2.5.2-1) unstable; urgency=high * New upstream release * Fixes 2 security issues: - [CVE-2016-2098] Possible remote code execution vulnerability in Action Pack - [CVE-2016-2097] Possible Information Leak Vulnerability in Action View. -- Antonio Terceiro Wed, 02 Mar 2016 11:50:02 -0300 rails (2:4.2.5.1-2) unstable; urgency=medium * ruby-rails: change dependency from bundler to ruby-bundler, which will not pull a development toolchain in Recommends:. * Switch Vcs-* to https URLs -- Antonio Terceiro Sun, 21 Feb 2016 13:58:35 -0300 rails (2:4.2.5.1-1) unstable; urgency=high * New upstream release. Includes fixes for the following several security issues: - [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller. - [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack - [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record. - [CVE-2016-0752] Possible Information Leak Vulnerability in Action View - [CVE-2016-0753] Possible Input Validation Circumvention in Active Model - [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack -- Antonio Terceiro Thu, 28 Jan 2016 10:56:35 -0200 rails (2:4.2.5-1) unstable; urgency=medium * New upstream release * Skip dependency resolution check during the build, because too many of the dependencies of the binary packages depend on rails to build, so let's avoid loops. The checks are still performed as part of autopkgtest tests, anyway. -- Antonio Terceiro Mon, 14 Dec 2015 11:04:15 -0200 rails (2:4.2.4-2) unstable; urgency=medium * Upload to unstable -- Antonio Terceiro Sat, 12 Dec 2015 16:24:01 -0200 rails (2:4.2.4-1) experimental; urgency=medium * Team upload * New upstream patch release * Set minimum version for ruby-coffee-rails to 4.1.0 -- Pirate Praveen Tue, 15 Sep 2015 18:25:16 +0530 rails (2:4.2.3-4) experimental; urgency=medium * Team upload * ruby-activesupport: requires ruby-thread-safe >= 0.3.4, ruby-i18n >= 0.7 * ruby-actionview: requires ruby-html-sanitizer and ruby-dom-testing * Check dependencies mentioned in gemspec -- Pirate Praveen Thu, 20 Aug 2015 11:50:37 +0530 rails (2:4.2.3-3) experimental; urgency=medium * ruby-actionmailer: Depends: ruby-activejob * ruby-rails: requires ruby-turbolinks >= 2.5.3 * debian/copyright: remove mention of files removed upstream -- Antonio Terceiro Fri, 14 Aug 2015 10:54:45 -0300 rails (2:4.2.3-2) experimental; urgency=medium * Team upload. * Update dependency of ruby-arel for ruby-activerecord. * Update dependency of ruby-rack for ruby-actionpack. * Add new binary package: ruby-activejob. * Add ruby-byebug and ruby-web-console to recommends for ruby-rails. -- Pirate Praveen Fri, 07 Aug 2015 01:38:10 +0530 rails (2:4.2.3-1) experimental; urgency=medium * Team upload. * New upstream release; minor update. -- Pirate Praveen Tue, 28 Jul 2015 11:21:45 +0530 rails (2:4.1.10-1) unstable; urgency=medium * New upstream release; bug fixes only * debian/copyright: fix mention to the license of guides/assets/javascripts/jquery.min.js * Drop transitional package ruby-activesupport-2.3; it was only needed for upgrades from wheezy. * Drop Breaks:/Replaces: relationships against packages provided by old versioned source packages (e.g. *-2.3, *-3.2, *-4.0). -- Antonio Terceiro Sun, 24 May 2015 18:11:04 -0300 rails (2:4.1.8-1) unstable; urgency=medium * New upstream release - Includes only bug fixes and no behavior changes. In special, includes fix for [CVE-2014-7818] and [CVE-2014-7829] (Arbitrary file existence disclosure in Action Pack) (Closes: #770934) * Add new transitional binary package ruby-activesupport-2.3 plus appropriate Breaks:/Replaces: fieds in all binary packages to ensure upgrades from wheezy work (Closes: #768850) - Many thanks to Andreas Beckmann for helping debug the upgrade issue. -- Antonio Terceiro Tue, 25 Nov 2014 16:51:50 -0200 rails (2:4.1.6-2) unstable; urgency=medium * fix upgrades from wheezy: - Remove Breaks: against old packages provided by previous versions of Rails The Replaces: fields, left untouched, outght to be enough. - ruby-actionview: Replaces ruby-actionpack-{2.3,3.2} since ruby-actionview contains files that used to be in ruby-actionpack-* - ruby-railties: Breaks/Replaces rails (<< 2:4) since ruby-railties contains /usr/bin/rails which used to be in rails. * debian/copyright: minor updates -- Antonio Terceiro Tue, 30 Sep 2014 18:33:36 -0300 rails (2:4.1.6-1) unstable; urgency=medium * New upstream release * debian/patches/relax-dependencies.patch: dropped, not necessary anymore -- Antonio Terceiro Fri, 26 Sep 2014 15:59:24 -0300 rails (2:4.1.5-1) unstable; urgency=high * New upstream release - Fixes CVE-2014-3514: data validation bypass vulnerability * debian/watch: update to fetch new releases from github. -- Antonio Terceiro Mon, 18 Aug 2014 15:19:04 -0300 rails (2:4.1.4-5) unstable; urgency=medium * ruby-actionmailer: relax dependency on ruby-mail to work with the 2.6.x series -- Antonio Terceiro Mon, 04 Aug 2014 14:38:18 -0300 rails (2:4.1.4-4) unstable; urgency=medium * ruby-rails: - add Recommends: - ruby-jquery-rails - ruby-coffee-rails - ruby-sqlite3 - ruby-sass-rails - ruby-uglifier - ruby-spring - ruby-turbolinks - ruby-jbuilder - ruby-sdoc - add Breaks/Replaces: rails3 - bump Depends: ruby-sprockets-rails to (>= 2.1.3-1~) - add Depends: ruby-treetop - move ruby-activesuppport-3.2 from Breaks: to Conflicts: - remove Breaks: rails (<< 2:4.1) since we now also provide a `rails`` binary * ruby-railties: - remove Breaks: rails (<< 3:3.2.0) * ruby-actionmailer: - drop Depends: ruby-mail (<< 2.6) cfe https://github.com/rails/rails/commit/bb0890d * debian/tests/control: fix test dependencies to rails and *not* rails-3.2; add needs-recommends instead of explicitly listing the recommended packages * debian/patches/mona_lisa.jpg_is_PD-Art_and_has_been_removed.patch: removed as it does not make sense anymore (mona_lisa.jpg is just there). -- Antonio Terceiro Sun, 03 Aug 2014 00:24:26 -0300 rails (2:4.1.4-3) unstable; urgency=medium * Re-add `rails` binary package * Improve description for ruby-railties -- Antonio Terceiro Sat, 26 Jul 2014 10:12:46 -0300 rails (2:4.1.4-2) unstable; urgency=medium [ Antonio Terceiro ] * Don't install nonsensical binary from activesupport [ Ondřej Surý ] * Merge autopkgtests from rails-3.2 * Add missing sources for shCore.js and jquery.min.js * Upload to unstable since no objections were raised to the RoR Debian transition plan * Remove repack script since there's nothing non-free in the upstream tarball (Closes: #742407) * Keep the guides/ (CC-BY-SA-3.0) and mona_lisa.jpg (PD), but document that in d/copyright -- Ondřej Surý Wed, 16 Jul 2014 17:19:07 +0200 rails (2:4.1.4-1) experimental; urgency=medium [ Antonio Terceiro ] * debian/rules: adapt dh_clean call [ Christian Hofstaedtler ] * Relax dependencies * Run bundle install --local, as in Debian Rails 3.2 [ Ondřej Surý ] * New upstream version 4.1.4 * Drop versioning from rails package, we won't to provide just the last stable upstream major version * Update dependencies in d/control based on information from gemspec files * Add ruby-actionview documentation * Add conflict with old rails package * Bump epoch to 2: to replace old virtual packages * Update patches for 4.1.4 release * Upload to experimental, so we can let the dust settle... -- Ondřej Surý Wed, 16 Jul 2014 15:22:28 +0200 rails-4.0 (4.0.2+dfsg-2) unstable; urgency=low * Fix dependency -- ruby-rack doesn't have epoch (Closes: #731347) * Move ruby-activerecord-deprecated-finders from Depends to Recommends -- Ondřej Surý Thu, 12 Dec 2013 13:15:00 +0100 rails-4.0 (4.0.2+dfsg-1) unstable; urgency=low [ Antonio Terceiro ] * ruby-actionpack-4.0: tighten versioned dependency on ruby-rack to take epoch into account. [ Ondřej Surý ] * New upstream version 4.0.2+dfsg, fixes: + [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk) + [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails + [CVE-2013-6415] XSS Vulnerability in number_to_currency + [CVE-2013-6414] Denial of Service Vulnerability in Action View + [CVE-2013-6416] XSS Vulnerability in simple_format helper -- Ondřej Surý Wed, 04 Dec 2013 10:34:24 +0100 rails-4.0 (4.0.0+dfsg-1) unstable; urgency=low [ Antonio Terceiro ] * Migrate to use dh_ruby multi-binary support [ Ondřej Surý ] * Initial release of Rails 4.0 * Merge ruby-{active,action}*-X.Y packages into rails-4.0 * Add Copyright headers for syntaxhighlighter * New upstream version 4.0.0+dfsg * Update the package based on ftp-master review: + Weaken some Conflicts to Breaks (Keeping Conflicts for virtual packages) + Generate actionpack/lib/action_dispatch/journey/parser.rb in the build using racc + Fix copyright to include correct year: (c) 2004-2013 David Heinemeier Hansson + Add MIT or CC-BY license for HTML selector by Assaf Arkin + PD-Art license is inconclusive, so we just remove the wikimedia Mona Lisa picture and patch out the tests that were using it. (http://commons.wikimedia.org/wiki/Commons:Reuse_of_PD-Art_photographs) + Just remove whole guides.rubyonrails.org content from source tarball (We'll repackage it to ruby-rails-guides-4.0 as soon as we clear the licensing with upstream.) + MIT-LICENSE in templates is needed for templating new projects, add a lintian-override * Add dversionmangle to debian/watch -- Ondřej Surý Fri, 19 Jul 2013 15:35:13 +0200