Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-actionpack-8.0 for openSUSE:Factory checked in at 2024-12-15 12:37:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-8.0 (Old) and /work/SRC/openSUSE:Factory/.rubygem-actionpack-8.0.new.29675 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-8.0" Sun Dec 15 12:37:07 2024 rev:2 rq:1230930 version:8.0.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-actionpack-8.0/rubygem-actionpack-8.0.changes 2024-12-13 22:34:02.739332000 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-actionpack-8.0.new.29675/rubygem-actionpack-8.0.changes 2024-12-15 12:40:00.317244274 +0100 @@ -1,0 +2,6 @@ +Wed Dec 11 00:46:58 UTC 2024 - Marcus Rueckert <mrueck...@suse.de> + +- Update to version 8.0.0.1: + https://rubyonrails.org/2024/12/10/Rails-Versions-8-0-0-1-7-2-2-1-7-1-5-1-7-0-8-7-have-been-released + +------------------------------------------------------------------- Old: ---- actionpack-8.0.0.gem New: ---- actionpack-8.0.0.1.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-actionpack-8.0.spec ++++++ --- /var/tmp/diff_new_pack.nb4Dkv/_old 2024-12-15 12:40:00.845266217 +0100 +++ /var/tmp/diff_new_pack.nb4Dkv/_new 2024-12-15 12:40:00.849266384 +0100 @@ -24,7 +24,7 @@ # Name: rubygem-actionpack-8.0 -Version: 8.0.0 +Version: 8.0.0.1 Release: 0 %define mod_name actionpack %define mod_full_name %{mod_name}-%{version} ++++++ actionpack-8.0.0.gem -> actionpack-8.0.0.1.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2024-11-07 23:30:07.000000000 +0100 +++ new/CHANGELOG.md 2024-12-10 22:46:15.000000000 +0100 
@@ -1,3 +1,13 @@
+## Rails 8.0.0.1 (December 10, 2024) ##
+
+* Add validation to content security policies to disallow spaces and semicolons.
+ Developers should use multiple arguments, and different directive methods instead.
+
+ [CVE-2024-54133]
+
+ *Gannon McGibbon*
+
+
 ## Rails 8.0.0 (November 07, 2024) ##
 
 * No changes.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_dispatch/http/content_security_policy.rb new/lib/action_dispatch/http/content_security_policy.rb
--- old/lib/action_dispatch/http/content_security_policy.rb 2024-11-07 23:30:07.000000000 +0100
+++ new/lib/action_dispatch/http/content_security_policy.rb 2024-12-10 22:46:15.000000000 +0100
@@ -26,6 +26,9 @@
 # policy.report_uri "/csp-violation-report-endpoint"
 # end
 class ContentSecurityPolicy
+ class InvalidDirectiveError < StandardError
+ end
+
 class Middleware
 def initialize(app)
 @app = app
@@ -320,9 +323,9 @@
 @directives.map do |directive, sources|
 if sources.is_a?(Array)
 if nonce && nonce_directive?(directive, nonce_directives)
- "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+ "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
 else
- "#{directive} #{build_directive(sources, context).join(' ')}"
+ "#{directive} #{build_directive(directive, sources, context).join(' ')}"
 end
 elsif sources
 directive
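Review bot: `InvalidDirectiveError` is introduced in the @@ -26 hunk without any comment saying when it is raised, and it is the class an application's error handling will have to recognise. A one-line doc above it would do, e.g. `# Raised when a directive source contains whitespace or a semicolon; see ContentSecurityPolicy#validate.` The `ContentSecurityPolicy` class opened in this hunk continues outside it.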
@@ -332,8 +335,22 @@
 end
 end
 
- def build_directive(sources, context)
- sources.map { |source| resolve_source(source, context) }
+ def validate(directive, sources)
+ sources.flatten.each do |source|
+ if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+ raise InvalidDirectiveError, <<~MSG.squish
+ Invalid Content Security Policy #{directive}: "#{source}".
+ Directive values must not contain whitespace or semicolons.
+ Please use multiple arguments or other directive methods instead.
+ MSG
+ end
+ end
+ end
+
+ def build_directive(directive, sources, context)
+ resolved_sources = sources.map { |source| resolve_source(source, context) }
+
+ validate(directive, resolved_sources)
 end
 
 def resolve_source(source, context)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/action_pack/gem_version.rb new/lib/action_pack/gem_version.rb
--- old/lib/action_pack/gem_version.rb 2024-11-07 23:30:07.000000000 +0100
+++ new/lib/action_pack/gem_version.rb 2024-12-10 22:46:15.000000000 +0100
@@ -12,7 +12,7 @@
 MAJOR = 8
 MINOR = 0
 TINY = 0
- PRE = nil
+ PRE = "1"
 
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2024-11-07 23:30:07.000000000 +0100
+++ new/metadata 2024-12-10 22:46:15.000000000 +0100
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
- version: 8.0.0
+ version: 8.0.0.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-07 00:00:00.000000000 Z
+date: 2024-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
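Review bot: `build_directive` now returns whatever `validate` returns, and that is the receiver of `sources.flatten.each` — a flattened copy of `resolved_sources` — so the value the `.join(' ')` callers in the @@ -320 hunk receive is fixed by the incidental return value of a method that reads as a pure check. Making it explicit keeps the contract visible: keep `validate(directive, resolved_sources)` and add `resolved_sources` as the method's last line (the callers' `join` already flattens nested arrays, so the output is unchanged). In `validate`, `source != source.gsub(/[[:space:]]/, "")` builds a new string per source only to compare it; `if source.include?(";") || source.match?(/[[:space:]]/)` says the same thing without the allocation. The reason for rejecting exactly these characters deserves a comment above the `if`, e.g. `# ';' terminates a directive and whitespace separates source values, so either would let a single source carry extra policy`. Since the check runs on the resolved values, a static source configured with a stray space is presumably reported when the policy is built rather than when it is configured — the caller of this code is outside the hunk, so worth confirming that is the intended failure point.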
@@ -16,14 +16,14 @@ requirements: - - '=' - !ruby/object:Gem::Version - version: 8.0.0 + version: 8.0.0.1 type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 8.0.0 + version: 8.0.0.1 - !ruby/object:Gem::Dependency name: nokogiri requirement: !ruby/object:Gem::Requirement @@ -128,28 +128,28 @@ requirements: - - '=' - !ruby/object:Gem::Version - version: 8.0.0 + version: 8.0.0.1 type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 8.0.0 + version: 8.0.0.1 - !ruby/object:Gem::Dependency name: activemodel requirement: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 8.0.0 + version: 8.0.0.1 type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - '=' - !ruby/object:Gem::Version - version: 8.0.0 + version: 8.0.0.1 description: Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server. email: da...@loudthinking.com @@ -350,10 +350,10 @@ - MIT metadata: bug_tracker_uri: https://github.com/rails/rails/issues - changelog_uri: https://github.com/rails/rails/blob/v8.0.0/actionpack/CHANGELOG.md - documentation_uri: https://api.rubyonrails.org/v8.0.0/ + changelog_uri: https://github.com/rails/rails/blob/v8.0.0.1/actionpack/CHANGELOG.md + documentation_uri: https://api.rubyonrails.org/v8.0.0.1/ mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk - source_code_uri: https://github.com/rails/rails/tree/v8.0.0/actionpack + source_code_uri: https://github.com/rails/rails/tree/v8.0.0.1/actionpack rubygems_mfa_required: 'true' post_install_message: rdoc_options: []