author | Dennis Schubert <mail@dennis-schubert.de> | 2016-01-26 16:29:18 +0300 |
---|---|---|
committer | Dennis Schubert <mail@dennis-schubert.de> | 2016-01-26 16:29:18 +0300 |
commit | c37154e6b30b73f52ee7883ec793b18d00a635c6 (patch) | |
tree | 5ccb5df8641e7af79fe30709a5766fd4c4edd47b | |
parent | cd119f319364cd0751abe454fb9d0f110355ea86 (diff) | |
parent | 33af30529a567f0504ff9e850bf30cf69f75c0b1 (diff) |
Merge branch 'hotfix/0.5.6.2'v0.5.6.2
-rw-r--r-- | Changelog.md | 11 | ||||
-rw-r--r-- | Gemfile | 2 | ||||
-rw-r--r-- | Gemfile.lock | 64 | ||||
-rw-r--r-- | config/defaults.yml | 2 |
4 files changed, 45 insertions, 34 deletions
diff --git a/Changelog.md b/Changelog.md
index c6bb6cd75..a917cd788 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,14 @@
+# 0.5.6.2
+
+* Fix [CVE-2016-0751](https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc) - Possible Object Leak and Denial of Service attack in Action Pack
+* Fix [CVE-2015-7581](https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE) - Object leak vulnerability for wildcard controller routes in Action Pack
+* Fix [CVE-2015-7576](https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k) - Timing attack vulnerability in basic authentication in Action Controller
+* Fix [CVE-2016-0752](https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00) - Possible Information Leak Vulnerability in Action View
+* Fix [CVE-2016-0753](https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ) - Possible Input Validation Circumvention in Active Model
+* Fix [CVE-2015-7577](https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g) - Nested attributes rejection proc bypass in Active Record
+* Fix [CVE-2015-7579](https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc) - XSS vulnerability in rails-html-sanitizer
+* Fix [CVE-2015-7578](https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI) - Possible XSS vulnerability in rails-html-sanitizer
+
 # 0.5.6.1
 
 * Fix Nokogiri CVE-2015-7499
@@ -1,6 +1,6 @@
 source "https://rubygems.org"
 
-gem "rails", "4.2.5"
+gem "rails", "4.2.5.1"
 
 # Legacy Rails features, remove me!
 # responders (class level)
diff --git a/Gemfile.lock b/Gemfile.lock
index 44908d837..5383de2c6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -3,40 +3,40 @@ GEM remote: https://rails-assets.org/ specs: CFPropertyList (2.3.2) - actionmailer (4.2.5) - actionpack (= 4.2.5) - actionview (= 4.2.5) - activejob (= 4.2.5) + actionmailer (4.2.5.1) + actionpack (= 4.2.5.1) + actionview (= 4.2.5.1) + activejob (= 4.2.5.1) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 1.0, >= 1.0.5) - actionpack (4.2.5) - actionview (= 4.2.5) - activesupport (= 4.2.5) + actionpack (4.2.5.1) + actionview (= 4.2.5.1) + activesupport (= 4.2.5.1) rack (~> 1.6) rack-test (~> 0.6.2) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (4.2.5) - activesupport (= 4.2.5) + actionview (4.2.5.1) + activesupport (= 4.2.5.1) builder (~> 3.1) erubis (~> 2.7.0) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) active_model_serializers (0.9.3) activemodel (>= 3.2) - activejob (4.2.5) - activesupport (= 4.2.5) + activejob (4.2.5.1) + activesupport (= 4.2.5.1) globalid (>= 0.3.0) - activemodel (4.2.5) - activesupport (= 4.2.5) + activemodel (4.2.5.1) + activesupport (= 4.2.5.1) builder (~> 3.1) - activerecord (4.2.5) - activemodel (= 4.2.5) - activesupport (= 4.2.5) + activerecord (4.2.5.1) + activemodel (= 4.2.5.1) + activesupport (= 4.2.5.1) arel (~> 6.0) activerecord-import (0.10.0) activerecord (>= 3.0) - activesupport (4.2.5) + activesupport (4.2.5.1) i18n (~> 0.7) json (~> 1.7, >= 1.7.7) minitest (~> 5.1) @@ -445,7 +445,7 @@ GEM mime-types (2.99) mini_magick (4.3.6) mini_portile2 (2.0.0) - minitest (5.8.3) + minitest (5.8.4) mobile-fu (1.3.1) rack-mobile-detect rails 
@@ -526,16 +526,16 @@ GEM rack rack-test (0.6.3) rack (>= 1.0) - rails (4.2.5) - actionmailer (= 4.2.5) - actionpack (= 4.2.5) - actionview (= 4.2.5) - activejob (= 4.2.5) - activemodel (= 4.2.5) - activerecord (= 4.2.5) - activesupport (= 4.2.5) + rails (4.2.5.1) + actionmailer (= 4.2.5.1) + actionpack (= 4.2.5.1) + actionview (= 4.2.5.1) + activejob (= 4.2.5.1) + activemodel (= 4.2.5.1) + activerecord (= 4.2.5.1) + activesupport (= 4.2.5.1) bundler (>= 1.3.0, < 2.0) - railties (= 4.2.5) + railties (= 4.2.5.1) sprockets-rails rails-assets-diaspora_jsxc (0.1.4) rails-assets-favico.js (~> 0.3.9)
@@ -578,7 +578,7 @@ GEM activesupport (>= 4.2.0.beta, < 5.0) nokogiri (~> 1.6.0) rails-deprecated_sanitizer (>= 1.0.1) - rails-html-sanitizer (1.0.2) + rails-html-sanitizer (1.0.3) loofah (~> 2.0) rails-i18n (4.0.8) i18n (~> 0.7)
@@ -600,9 +600,9 @@ GEM remotipart (~> 1.0) safe_yaml (~> 1.0) sass-rails (>= 4.0, < 6) - railties (4.2.5) - actionpack (= 4.2.5) - activesupport (= 4.2.5) + railties (4.2.5.1) + actionpack (= 4.2.5.1) + activesupport (= 4.2.5.1) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) rainbow (2.0.0)
@@ -847,7 +847,7 @@ DEPENDENCIES rack-protection (= 1.5.3) rack-rewrite (= 1.5.1) rack-ssl (= 1.4.1) - rails (= 4.2.5) + rails (= 4.2.5.1) rails-assets-diaspora_jsxc (~> 0.1.4)! rails-assets-highlightjs (= 9.0.0)! rails-assets-jakobmattsson--jquery-elastic (= 1.6.11)!
diff --git a/config/defaults.yml b/config/defaults.yml
index 6e6a46f7d..50daf2f93 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -4,7 +4,7 @@ defaults:
 version:
- number: "0.5.6.1" # Do not touch unless doing a release, do not backport the version number that's in master
+ number: "0.5.6.2" # Do not touch unless doing a release, do not backport the version number that's in master
 heroku: false
 environment:
 url: "http://localhost:3000/" |