2012
rails (2.3.5-1.2+squeeze2) stable-security; urgency=low
* Fix security regression caused by pulling invalid upstream fix
(Closes: #629067)
-- Ondřej Surý <ondrej@debian.org> Fri, 20 Jan 2012 17:29:27 +0100
2011
rails (2.3.5-1.2+squeeze1) stable-security; urgency=low
* Fix SQL Injection Vulnerability in Ruby on Rails (CVE-2011-2930) * Fix parse error in strip_tags vulnerability (CVE-2011-2931) * Fix response splitting vulnerability (CVE-2011-3186) * Adopt the package under DRE
-- Ondřej Surý <ondrej@debian.org> Mon, 29 Aug 2011 13:33:15 +0200
rails (2.3.5-1.2+squeeze0.1) stable-security; urgency=low
* Non-maintainer upload. * Fix CVE-2011-0446: Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors. * Fix CVE-2011-0447: Change the CSRF whitelisting to only apply to get requests (Closes: #614864)
-- Ondřej Surý <ondrej@debian.org> Mon, 30 May 2011 09:43:10 +0200
2010
rails (2.3.5-1.2) unstable; urgency=high
* Non-maintainer upload. [ Laurent Bigonville ] * Fix documentation about default listening address (Closes: #583149) [ Gunnar Wolf ] * Modified a string that recommends the user to do Very Bad Things (Closes: #603048)
-- Mehdi Dogguy <mehdi@debian.org> Mon, 27 Dec 2010 20:38:02 +0100
rails (2.3.5-1.1) unstable; urgency=low
* Non-maintainer upload.
* Added missing build-dependencies for rails-ruby1.8 on libactionpack-
ruby1.8, libactionmailer-ruby1.8 and libactiveresource-ruby1.8
(Closes: #587048)
* Fixed broken symlink to railties on new project generator (Closes:
#583219)
-- Gunnar Wolf <gwolf@debian.org> Thu, 26 Aug 2010 12:36:28 -0500
rails (2.3.5-1) unstable; urgency=low
* New upstream release (closes: #547658) * Package is now split up and non-core rails components, like AR, are on the ruby load path. (closes: #469524, #517328) * debian/control + Depend on rubygems. + Suggest thin or thin1.8 as a possible server to run your production environment on. This is particularly useful if it is already being proxied. + xml-simple is no longer used by rails + Updated Standard to 3.8.4
-- Adam Majer <adamm@zombino.com> Sun, 23 May 2010 01:21:31 -0500
2009
rails (2.2.3-1) unstable; urgency=high
* New upstream release (closes: #545063) + Fixes XSS security hole [CVE-2009-3009] + Fixes timing issue with cookie store [CVE-2009-3086] * Remove dependency on ruby-dbi, as it is not required by any of the sources. * Correct dependency on fixed libxml-simple-ruby to 1.0.11-2 or later (closes: #538982) * debian/control + Change section from web to ruby + Updated to debhelper 7.0+ + Standards updated to 3.8.3 - no changes
-- Adam Majer <adamm@zombino.com> Fri, 11 Sep 2009 13:53:42 -0500
rails (2.2.2-1.1) unstable; urgency=low
* Non-maintainer upload. * Build-depends on rubygems. (Closes: #522009)
-- Tiago Bortoletto Vaz <tiago@debian-ba.org> Thu, 18 Jun 2009 11:41:19 -0300
rails (2.2.2-1) unstable; urgency=low
* New upstream release (closes: #510580, 510580) + fixes the problem with migration with symbolic field types (closes: #511860) * debian/control: + Depend on Rake 0.8.3 or later + Build-Depends-Indep on libmocha-ruby for unit tests + Move most of the build dependencies to Build-Depends-Indep + Remove the predepends as Lenny is released * Load XMLSimple without specifying a path (closes: #514582) * Add an explanation how to configure non-packaged rails adds to work with Debian version of rails. Also include a tiny script to help in this effort. Tomas Pospisek provided the patch. (closes: #499187)
-- Adam Majer <adamm@zombino.com> Tue, 03 Mar 2009 12:40:53 -0600
2008
rails (2.1.0-5) unstable; urgency=high
* Sanitize the URLs passed to redirect_to to prevent a potential
response splitting attack. Patch from upstream.
-- Adam Majer <adamm@zombino.com> Sun, 19 Oct 2008 12:17:55 -0500
rails (2.1.0-4) unstable; urgency=low
* Added a fix for binary data corruption with PostgreSQL backend. This
occurred whenever the binary data included ASCII value of \ followed
by three numbers.
* The fix in ActiveRecord to address SQL injection in :limit and :offset
was not complete. MySQL backend was still affected as it redefined the
problematic functions. Pulled in upstream patch. CVE-2008-4094
(closes: #500791)
-- Adam Majer <adamm@zombino.com> Tue, 23 Sep 2008 11:33:58 -0500
rails (2.1.0-3) unstable; urgency=high
* Security fix pulled from upstream for a REXML expansion
DoS. (CVE-2008-3790)
-- Adam Majer <adamm@zombino.com> Tue, 09 Sep 2008 00:00:34 -0500
rails (2.1.0-2) unstable; urgency=low
* Remove dependency on rubygems for the build process. (closes:
#490419)
* Use also use Debian supplied gems 'builder' and 'xml-simple'
instead of using the upstream's supplied version, which is
redundant.
* Remove extraneous depends on rubygems. It is already depended on
through libruby1.8-extras (closes: #491125)
-- Adam Majer <adamm@zombino.com> Mon, 21 Jul 2008 12:14:08 -0500
rails (2.1.0-1) unstable; urgency=low
* New upstream release
+ No longer breaks with ruby 1.8.7 (closes: #484351)
* Use libjs-prototype prototype library instead of upstream
bundled (closes: #475288)
* Added Vcs-* and Homepage data to debian/control
* doc-base section changed to 'Programming'
-- Adam Majer <adamm@zombino.com> Fri, 04 Jul 2008 18:00:20 -0500
rails (2.0.2-2) unstable; urgency=low
* Added upstream patch from ticket #11127 to support the newer
ruby-pg. (closes: #476449)
* Added dependency on rubygems (closes: #468206)
* Sqlite3 is now the default DB used, if another is not specified when
the project is initially created. (closes: #468803)
-- Adam Majer <adamm@zombino.com> Tue, 22 Apr 2008 13:21:16 -0500
rails (2.0.2-1.1) unstable; urgency=low
* Non-maintainer upload.
* Fix FTBFS by replacing File.cp with a simple "cp" call. Patch by Michael
Schulte, thanks. (Closes: #464285)
-- Marc 'HE' Brockschmidt <he@debian.org> Sun, 09 Mar 2008 13:44:25 +0100
2007
rails (2.0.2-1) unstable; urgency=low
* New upstream release
+ SQLite3 is now the default database, instead of MySQL
+ [config/environments/production.rb] production mode will now
longer cache templates meaning they will load A LOT faster but for
any changes to appear, one will have to reload the entire
application.
-- Adam Majer <adamm@zombino.com> Sat, 22 Dec 2007 22:22:59 -0600
rails (2.0.1-2) unstable; urgency=low
* Added Pre-Depends on dpkg (>= 1.10.24) as a workaround to Debian
install scripts do not seem to be updated since beginning
of century. Can't upload bzip2 deb compressed deb without adding
this superfluous depend.
* Move libmocha-ruby1.8 from Depends to Recommends as it is only
needed for unit testing.
* Give in and depend on libruby1.8-extras. We need this to satisfy
dependencies on OpenSSL and the ever so popular rubygems, though
rails will continue to work if rubygems 'gem' fails.
-- Adam Majer <adamm@zombino.com> Tue, 18 Dec 2007 00:33:47 -0600
rails (2.0.1-1) unstable; urgency=low
* New upstream release (closes: #454909) + ActionWebservice is no more - rolled into ActionResource + SOAP support removed * Use bzip2 to compress the deb, instead of the default (gzip) * Update Standards version to 3.7.3 - no changes needed * Added a lot more exceptions to lintian checks - rails does not need all script executable.
-- Adam Majer <adamm@zombino.com> Tue, 11 Dec 2007 18:48:45 -0600
rails (1.2.6-1) unstable; urgency=high
* New upstream release
+ Fixes a previous session-fixation attack vector that was not
completely fixed (see 1.2.5-1 changelog) [CVE-2007-6077] (closes:
#452748)
* Use bash systax in bash script instead of ruby syntax. Fixes the
-I/--internal parameter so one can pass switches directly to the
upstream rails ruby script (closes: #381295, #390886)
-- Adam Majer <adamm@zombino.com> Tue, 27 Nov 2007 22:22:34 -0600
rails (1.2.5-1) unstable; urgency=low
* This is a new upstream release that addresses problems not
corrected in 1.2.4 or regressions.
+ to_json XSS [CVE-2007-3227] is really closed now
+ Potential Information Disclosure or DoS with Hash#from_xml
[CVE-2007-5379]
+ Session Fixation attacks. [CVE-2007-5380] URL based sessions are
now disabled by default. Session ids are only accepted from
cookies by default now.
-- Adam Majer <adamm@zombino.com> Sun, 14 Oct 2007 21:12:34 -0500
rails (1.2.4-1) unstable; urgency=low
* New upstream release. Fixes at least 2 XSS bugs.
+ Secure #sanitize, #strip_tags, and #strip_links helpers against
xss attacks. Upstream changeset 7589
+ to_json did not escape values which allows for XSS. Applied
upstream changesets 6893, 6894. This bug as also been assigned
designation CVE-2007-3227 (closes: #429177)
* Add dependency on Sqlite3 as ActiveRecord supports this DB as
well
* Add dependency on libmocha which is needed by some unit tests
-- Adam Majer <adamm@zombino.com> Mon, 08 Oct 2007 11:27:25 -0500
rails (1.2.3-2) unstable; urgency=low
* Add mojo for doc-base document registration thanks to the patch by
Remi Vanicat. (closes: 386689)
* Upload to Sid now that Etch is out
-- Adam Majer <adamm@zombino.com> Sun, 06 May 2007 17:31:29 -0500
rails (1.2.3-1) experimental; urgency=low
* New upstream release
-- Adam Majer <adamm@zombino.com> Mon, 19 Mar 2007 13:36:52 -0500
rails (1.2.2-2) experimental; urgency=low
* We cannot remove the link vendor/rails, but we can point it so it
is not recursive. Recursive links seem to break eclipse and lack
of vendor/rails breaks rails.
The link target will create a non-recursive link, but a rails
deployment that copies the rails directories will still contain
recursive symlink. The problem is really in Eclipse though. It
should handle recursive symlinks.
-- Adam Majer <adamm@zombino.com> Tue, 20 Feb 2007 13:22:24 -0600
rails (1.2.2-1) experimental; urgency=low
* New upstream release (closes: #408688) * Remove link that crashes eclipse (closes: #405344)
-- Adam Majer <adamm@zombino.com> Tue, 20 Feb 2007 12:08:03 -0600
rails (1.1.6-3) unstable; urgency=low
* Remove the 12_options patch which actually breaks select.
(closes: #406658)
-- Adam Majer <adamm@zombino.com> Sun, 14 Jan 2007 12:41:58 -0600
rails (1.1.6-2) unstable; urgency=low
* [12_options] Fixes inconsistent behavior of select helper
functions.
* Added libfcgi-ruby1.8 to Suggests
* Conflict with libdevel-logger-ruby1.8 until after Etch is released
(closes: #405555)
-- Adam Majer <adamm@zombino.com> Thu, 11 Jan 2007 00:01:34 -0600
2006
rails (1.1.6-1) unstable; urgency=emergency
* New upstream 'security hole fix' release
+ This one fixes the fix in 1.1.5 as that one was still
vulnerable. (closes: #382255)
-- Adam Majer <adamm@zombino.com> Thu, 10 Aug 2006 13:43:01 -0500
rails (1.1.5-1) unstable; urgency=emergency
* New upstream release
+ Fixes a remote security hole [Bugtraq 19454]
-- Adam Majer <adamm@zombino.com> Thu, 10 Aug 2006 10:50:13 -0500
rails (1.1.4-2) unstable; urgency=low
* Change default listening socket to 127.0.0.1 from 0.0.0.0
-- Adam Majer <adamm@zombino.com> Thu, 27 Jul 2006 21:56:53 -0500
rails (1.1.4-1) unstable; urgency=low
* New upstream release
* Moved build-depends-indep to build-depends to prevent build
failures.
-- Adam Majer <adamm@zombino.com> Mon, 10 Jul 2006 14:06:08 -0500
rails (1.1.2-1) unstable; urgency=low
* New upstream release
* Added support to specify database name (using -D) and to specify
options that will be passed to rails script directly (-I). Added
these to manpage as well. (closes: #361990)
* Depend and build-depend on rake >7.0 (closes: #362890)
* Updated standards to version 3.7.2. No changes.
-- Adam Majer <adamm@zombino.com> Sun, 14 May 2006 01:08:49 -0500
rails (1.1.0release-1) unstable; urgency=low
* New upstream release
* Added a link to railties/config directory as an example of
configuration files
-- Adam Majer <adamm@zombino.com> Tue, 4 Apr 2006 14:05:04 -0500
rails (1.1.0rc1-2) unstable; urgency=low
* Fixed a problem that prevents rails from creating new projects
thanks to Nobuhiro IMAI (closes: #359227)
-- Adam Majer <adamm@zombino.com> Mon, 27 Mar 2006 11:13:21 -0600
rails (1.1.0rc1-1) unstable; urgency=low
* New upstream version.
+ Fixes FTBFS with new rdoc (closes: #357011)
* Changed vendor/rails link to be relative, not absolute when first
created.
-- Adam Majer <adamm@zombino.com> Sun, 26 Mar 2006 00:23:24 -0600
rails (1.0.0-2) unstable; urgency=low
* Applied a patch to correctly set rdoc options. (closes: #357001)
-- Adam Majer <adamm@zombino.com> Sat, 25 Mar 2006 21:02:26 -0600
2005
rails (1.0.0-1) unstable; urgency=low
* New upstream release
+ Now handles multiple databases (closes: #341496)
* Modified Suggests: to include mod_fcgid (closes: #339953)
-- Adam Majer <adamm@zombino.com> Thu, 15 Dec 2005 12:40:38 -0600
rails (0.14.3-1) unstable; urgency=low
* New upstream release
* Modified Suggests: to include mod-ruby for Apache2 users. (closes:
#331233)
* Build-Depend on rake > 0.6.0 (closes: #333700)
* /usr/bin/rails now creates a rails->. symlink in vendor directory. This is
needed to sidestep the gems requirements
-- Adam Majer <adamm@zombino.com> Thu, 13 Oct 2005 18:38:16 -0500
rails (0.13.1-2) unstable; urgency=low
* Fixed logger problems such that it works with both 1.8.2 and 1.8.3
(closes: #330400). Upstream changes are:
+ Fixed clean logger to work with Ruby 1.8.3 Logger class (#2245)
+ Clean logger is compatible with both 1.8.2 and 1.8.3 Logger. (#2263)
[Michael Schuerig <michael@schuerig.de>]
-- Adam Majer <adamm@zombino.com> Thu, 29 Sep 2005 16:24:22 -0500
rails (0.13.1-1) unstable; urgency=low
* New upstream release
-- Adam Majer <adamm@zombino.com> Mon, 11 Jul 2005 10:22:39 -0500
rails (0.13.0-1) unstable; urgency=low
* New upstream release
+ Fixes problem with action web service (closes: #317044)
* Remove an unnecessary depend on libtest-unit-ruby (closes: #315254)
* Updated standards to 3.6.2
-- Adam Majer <adamm@zombino.com> Wed, 6 Jul 2005 18:59:12 -0500
rails (0.12.1-2) unstable; urgency=low
* Enabled patch supporting PostgreSQL schemas
* Added routing patch (upstream patch 1375). This patch changes routing such
that the longest possible path is matched against the controller, not the
first possible path.
-- Adam Majer <adamm@zombino.com> Mon, 30 May 2005 11:47:51 -0500
rails (0.12.1-1) unstable; urgency=low
* New upstream release. Packaged SVN changeset 1234 as rails 0.12.1 due to
lack of upstream tag (closes: #306389)
* Added some upstream patches
+ Fixed acts_as_list where deleting an item that was removed from the
list would ruin the positioning of other list items #1197 [Jamis Buck]
+ This patch adds new options `encoding' and `min_messages' to
database.yml for PostgreSQL
+ Patch removing extraneous comma in count() (#1156)
-- Adam Majer <adamm@zombino.com> Wed, 27 Apr 2005 20:55:32 -0500
rails (0.12.0-1) unstable; urgency=low
* New upstream release
-- Adam Majer <adamm@zombino.com> Tue, 19 Apr 2005 14:17:17 -0500
rails (0.11.1-3) unstable; urgency=low
* Turned off ActiveRecord::Base.@@colorize_logging. Colorized logs are
difficult to view on any other than background than black and difficult to
parse.
-- Adam Majer <adamm@zombino.com> Mon, 18 Apr 2005 17:01:18 -0500
rails (0.11.1-2) unstable; urgency=low
* Fixed the Inflector patch
-- Adam Majer <adamm@zombino.com> Wed, 30 Mar 2005 17:29:29 -0600
rails (0.11.1-1) unstable; urgency=low
* New upstream release
* Added some patches (submitted upstream to #950, #962) that should add
support for PostgreSQL schemas to Fixtures as well as to enable static
mapping between table names and classes using set_table_name (only set in
Inflector if the name is not the one guessed).
-- Adam Majer <adamm@zombino.com> Sun, 27 Mar 2005 14:56:35 -0600
rails (0.11.0-2) unstable; urgency=low
* Fix broken config/environment.rb to use "old" vendor directories.
-- Adam Majer <adamm@zombino.com> Fri, 25 Mar 2005 01:28:05 -0600
rails (0.11.0-1) unstable; urgency=low
* New upstream release
- Ajax, Pagination, Non-vhost, Incoming mail support
* Included tmail in the vendor distribution. Rails extended tmail with some
new code and Debian's distribution of tmail is not sufficient.
-- Adam Majer <adamm@zombino.com> Wed, 23 Mar 2005 13:29:19 -0600
rails (0.10.1-7) unstable; urgency=low
* Hmmmm. Fixed the missing Depends problem.. (closes: #300637)
-- Adam Majer <adamm@zombino.com> Sun, 20 Mar 2005 16:27:56 -0600
rails (0.10.1-6) unstable; urgency=low
* Simplify depends. libruby >= 1.8.2-3 reduces the number of packages in the
archive. Thank you ruby mainteiners!
-- Adam Majer <adamm@zombino.com> Tue, 15 Mar 2005 15:53:07 -0600
rails (0.10.1-5) unstable; urgency=low
* Added rdoc to build depends thanks to Roland Stigge (closes: #299381)
-- Adam Majer <adamm@zombino.com> Sun, 13 Mar 2005 16:31:29 -0600
rails (0.10.1-4) unstable; urgency=low
* Added libredcloth-ruby1.8 to Depends. Now if someone would package
bluecloth as well (hint, hint!)
-- Adam Majer <adamm@zombino.com> Sat, 12 Mar 2005 00:52:26 -0600
rails (0.10.1-3) unstable; urgency=low
* Rewrote /usr/bin/rails to accomodate updates
+ /vendor and upstream documentation are now symlinks by default. -l
command line option was removed. This allows for automated updates to
latest rails.
+ Added -C command line option one wants a copy of /vendor or rails
documentation instead of symlinks
+ Added -F commend line option to force overwrite of user files during an
update
* Rails documentation is now pregenerated and located in
/usr/share/doc/rails/html.
* Added rake as a build dependecy
-- Adam Majer <adamm@zombino.com> Fri, 11 Mar 2005 21:41:02 -0600
rails (0.10.1-2) unstable; urgency=low
* Updated dependencies. All dependencies now checked. Some non-critical
ones like memcache are missing in Debian, but rails should be unaffected.
-- Adam Majer <adamm@zombino.com> Mon, 7 Mar 2005 15:39:23 -0600
rails (0.10.1-1) unstable; urgency=low
* New upstream release * Fix more missing dependencies * Removed bash>3 dependency in /usr/bin/rails script (closes: #298180) * Added a watch file to monitor later upstream version. Not good for updates though since upstream doesn't seem to have a true source tar.gz file. Source distribution only available from tagged svn. * Set default socket for MySQL to /var/run/mysqld/mysqld.sock thanks for a patch from Alberto Brealey-Guzman (closes: #298258)
-- Adam Majer <adamm@zombino.com> Sat, 7 Mar 2005 13:51:15 -0600
rails (0.10.0-1) unstable; urgency=low
* New upstream release
+ Adds web service support (actionwebservice)
+ Adds URI routing to end the Apache mod_rewrite hell
+ Added Oracle support. Rails now supports PostgreSQL, MySQL, SQLite,
MSSQL and Oracle database backends.
+ and many bug fixes
* Fixed depend
-- Adam Majer <adamm@zombino.com> Sun, 27 Feb 2005 20:52:29 -0600
rails (0.9.5-1) unstable; urgency=low
* Initial Release (closes: #293055)
-- Adam Majer <adamm@zombino.com> Fri, 4 Feb 2005 21:20:52 -0600