Created January 17, 2013 22:05
| ==> actionmailer/CHANGELOG <== | |
| ## Rails 3.0.18 | |
| ## Rails 3.0.17 (Aug 9, 2012) | |
| * No changes. | |
| ## Rails 3.0.16 (Jul 26, 2012) | |
| * No changes. | |
| ## Rails 3.0.14 (Jun 12, 2012) | |
| * No changes. | |
| * Rails 3.0.13 (May 31, 2012) | |
| * No changes. | |
| *Rails 3.0.10 (August 16, 2011)* | |
| *No changes. | |
| *Rails 3.0.9 (June 16, 2011)* | |
| ==> actionpack/CHANGELOG <== | |
| ## Rails 3.0.19 | |
| * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] | |
| ## Rails 3.0.18 | |
| ## Rails 3.0.17 (Aug 9, 2012) | |
| * There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the | |
| helper doesn't correctly handle malformed html. As a result an attacker can | |
| execute arbitrary javascript through the use of specially crafted malformed | |
| html. | |
| *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino* | |
| * When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks. | |
| Vulnerable code will look something like this: | |
| select_tag("name", options, :prompt => UNTRUSTED_INPUT) | |
| *Santiago Pastorino* | |
| ## Rails 3.0.16 (Jul 26, 2012) | |
| * Do not convert digest auth strings to symbols. CVE-2012-3424 | |
| ==> activemodel/CHANGELOG <== | |
| ## Rails 3.0.18 | |
| ## Rails 3.0.17 (Aug 9, 2012) | |
| * No changes. | |
| ## Rails 3.0.16 (Jul 26, 2012) | |
| * No changes. | |
| ## Rails 3.0.14 (Jun 12, 2012) | |
| * No changes. | |
| * Rails 3.0.13 (May 31, 2012) | |
| * No changes. | |
| *Rails 3.0.10 (August 16, 2011)* | |
| *No changes. | |
| *Rails 3.0.9 (June 16, 2011)* | |
| ==> activerecord/CHANGELOG <== | |
| ## Rails 3.0.19 | |
| * Fix querying with an empty hash *Damien Mathieu* [CVE-2013-0155] | |
| ## Rails 3.0.18 | |
| * CVE-2012-5664 ensure that options are never taken from the first parameter | |
| ## Rails 3.0.17 (Aug 9, 2012) | |
| * Fix type_to_sql with text and limit on mysql/mysql2 (GH #7252) | |
| ## Rails 3.0.16 (Jul 26, 2012) | |
| * No changes. | |
| ## Rails 3.0.14 (Jun 12, 2012) | |
| * protect against the nesting of hashes changing the | |
| table context in the next call to build_from_hash. This fix | |
| covers this case as well. | |
| CVE-2012-2695 | |
| * Rails 3.0.13 (May 31, 2012) | |
| ==> activeresource/CHANGELOG <== | |
| ## Rails 3.0.18 | |
| ## Rails 3.0.17 (Aug 9, 2012) | |
| * No changes. | |
| ## Rails 3.0.16 (Jul 26, 2012) | |
| * No changes. | |
| ## Rails 3.0.14 (Jun 12, 2012) | |
| * No changes. | |
| * Rails 3.0.13 (May 31, 2012) | |
| * No changes. | |
| *Rails 3.0.10 (August 16, 2011)* | |
| * No changes. | |
| *Rails 3.0.9 (June 16, 2011)* | |
| ==> activesupport/CHANGELOG <== | |
| ## Rails 3.0.19 (Jan 8, 2012) ## | |
| * Hash.from_xml raises when it encounters type="symbol" or type="yaml". | |
| Use Hash.from_trusted_xml to parse this XML. | |
| CVE-2013-0156 | |
| *Jeremy Kemper* | |
| ## Rails 3.0.18 | |
| ## Rails 3.0.17 (Aug 9, 2012) | |
| * ERB::Util.html_escape now escapes single quotes. [Santiago Pastorino] | |
| ## Rails 3.0.16 (Jul 26, 2012) | |
| * No changes. | |
| ## Rails 3.0.14 (Jun 12, 2012) | |
| * No changes. | |
| * Rails 3.0.13 (May 31, 2012) | |
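The unescaped `:prompt` issue described in the actionpack 3.0.17 entry, modelled as an added example; this is not Rails source and not part of the gist. The helper names, the sample input and the `injected_markup?` check are hypothetical stand-ins, and only `ERB::Util.html_escape` from Ruby's standard library is a real API.

```ruby
require "erb"

# Constructed sample of untrusted data reaching the :prompt option.
UNTRUSTED_INPUT = %q{<script>alert('x')</script>}

# Model of the pre-fix behaviour: the prompt is interpolated verbatim.
def prompt_option_unescaped(prompt)
  %(<option value="">#{prompt}</option>)
end

# Model of the fixed behaviour: the prompt is HTML-escaped before use.
# html_escape also encodes single quotes (see the activesupport entry).
def prompt_option_escaped(prompt)
  %(<option value="">#{ERB::Util.html_escape(prompt)}</option>)
end

# Hypothetical stand-in for select_tag: wraps the prompt and the
# caller-supplied option markup in a <select> element.
def select_markup(name, options_html, prompt_builder, prompt)
  name_attr = ERB::Util.html_escape(name)
  %(<select id="#{name_attr}" name="#{name_attr}">) +
    prompt_builder.call(prompt) + options_html + "</select>"
end

# Regression-style check: true when the rendered markup contains any
# element other than <select>/<option>, meaning the prompt escaped
# its text context and was parsed as markup.
def injected_markup?(html)
  tags = html.scan(/<\/?([a-zA-Z][a-zA-Z0-9]*)/).flatten
  tags.any? { |tag| !%w[select option].include?(tag.downcase) }
end

# Constructed, trusted option markup for the demonstration.
OPTIONS_HTML = %(<option value="1">One</option>)

def render_vulnerable
  select_markup("name", OPTIONS_HTML, method(:prompt_option_unescaped), UNTRUSTED_INPUT)
end

def render_fixed
  select_markup("name", OPTIONS_HTML, method(:prompt_option_escaped), UNTRUSTED_INPUT)
end

puts "pre-fix model injects markup: #{injected_markup?(render_vulnerable)}"
puts "fixed model injects markup:   #{injected_markup?(render_fixed)}"
```

A check like `injected_markup?` can run in a view test over any helper output that receives user-controlled text, which catches a regression to the unescaped behaviour.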