rubygem-actionpack-5_1-5.1.4-bp151.2.3.1

- CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack.
  There is a strong parameters bypass vector in ActionPack.
  (bsc#1172177)
- Added patch 0002-CVE-2020-8164.patch
- Renamed patch CVE-2019-5418_and_CVE-2019-5419.patch to
  0001-CVE-2019-5418_and_CVE-2019-5419.patch

- Add CVE-2019-5418_and_CVE-2019-5419.patch (CVE-2019-5418,
  CVE-2019-5419, bsc#1129272, bsc#1129271)
  * CVE-2019-5418:
    There is a possible file content disclosure vulnerability in
    Action View. Specially crafted accept headers in combination
    with calls to `render file:` can cause arbitrary files on the
    target server to be rendered, disclosing the file contents.
  * CVE-2019-5419:
    Specially crafted accept headers can cause the Action View
    template location code to consume 100% CPU, causing the server
    unable to process requests. This impacts all Rails applications
    that render views.
- Add series file for better patch handling with quilt

- Update to version 5.1.4
  see installed CHANGELOG.md

- Update to version 5.1.3

- update to version 5.1.1

- Add patch for fixing content type is nil
  Already merged into upstream and will be included in the next rails version 5.0.0.2
  https://github.com/rails/rails/pull/25950

- updated to version 5.0.0.1
  see installed CHANGELOG.md

- updated to rails 5.0 - see http://weblog.rubyonrails.org/2016/6/30/Rails-5-0-final/

- updated to version 4.2.6
  see installed CHANGELOG.md
  [#]# Rails 4.2.6 (March 07, 2016) ##
  * No changes.

- updated to version 4.2.5.2
  see installed CHANGELOG.md
  [#]# Rails 4.2.5.2 (February 26, 2016) ##
  * Do not allow render with unpermitted parameter.
    Fixes CVE-2016-2098.
  * Arthur Neves*
  [#]# Rails 4.2.5.1 (January 25, 2015) ##
  * No changes.

- updated to version 4.2.5.1
  see installed CHANGELOG.md

- updated to version 4.2.5
  see installed CHANGELOG.md
  [#]# Rails 4.2.5 (November 12, 2015) ##
  * `ActionController::TestCase` can teardown gracefully if an error is raised
    early in the `setup` chain.
  * Yves Senn*
  * Parse RSS/ATOM responses as XML, not HTML.
  * Alexander Kaupanin*
  * Fix regression in mounted engine named routes generation for app deployed to
    a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
    "/subdir/subdir/engine_path" instead of "/subdir/engine_path")
    Fixes #20920. Fixes #21459.
  * Matthew Erhard*
  * `url_for` does not modify its arguments when generating polymorphic URLs.
  * Bernerd Schaefer*
  * Update `ActionController::TestSession#fetch` to behave more like
    `ActionDispatch::Request::Session#fetch` when using non-string keys.
  * Jeremy Friesen*

- updated to version 4.2.4
  see installed CHANGELOG.md
  [#]# Rails 4.2.4 (August 24, 2015) ##
  * ActionController::TestSession now accepts a default value as well as
    a block for generating a default value based off the key provided.
    This fixes calls to session#fetch in ApplicationController instances that
    take more two arguments or a block from raising `ArgumentError: wrong
    number of arguments (2 for 1)` when performing controller tests.
  * Matthew Gerrior*
  * Fix to keep original header instance in `ActionDispatch::SSL`
    `ActionDispatch::SSL` changes headers to `Hash`.
    So some headers will be broken if there are some middlewares
    on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
  * Fumiaki Matsushima*

- updated to version 4.2.3
  see installed CHANGELOG.md
  [#]# Rails 4.2.3 (June 25, 2015) ##
  * Fix rake routes not showing the right format when
    nesting multiple routes.
    See #18373.
  * Ravil Bayramgalin*
  * Fix regression where a gzip file response would have a Content-type,
    even when it was a 304 status code.
    See #19271.
  * Kohei Suzuki*
  * Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
    Previously, an empty X_FORWARDED_HOST header would cause
    Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
    Actiondispatch::Http:URL.host to raise a NoMethodError.
  * Adam Forsyth*
  * Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
    Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
    prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
    is set, it takes precedence.
    Fixes #5122.
  * Yasyf Mohamedali*
  * Fix regression in functional tests. Responses should have default headers
    assigned.
    See #18423.
  * Jeremy Kemper*, *Yves Senn*

- updated to version 4.2.2
  see installed CHANGELOG.md
  [#]# Rails 4.2.2 (June 16, 2015) ##
  * No Changes *

- updated to version 4.2.1, see CHANGELOG.md

- update to 4.2.0

-  update to 4.1.9:
  * Fixed handling of positional url helper arguments when `format: false`.
  * Restore handling of a bare `Authorization` header, without `token=`
    prefix.
  * Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass
  * Fix a bug where malformed query strings lead to 500.
  * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7829)
  * Fix arbitrary file existence disclosure in Action Pack (CVE-2014-7818)

- To get rails 4 running on SLE 11 i have switched the
  rb_build_versions definition to rub21 as it is activated within
  devel:languages:ruby. That way we can get running rails 4 on
  SLE 11 too.

- updated to version 4.1.6
  * Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
    ("Rosetta Flash")
  * Because URI paths may contain non US-ASCII characters we need to force
    the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
    This essentially replicates the functionality of the monkey patch to
    URI.parser.unescape in active_support/core_ext/uri.rb.
    Fixes #16104.
  * Generate shallow paths for all children of shallow resources.
    Fixes #15783.
  * JSONP responses are now rendered with the `text/javascript` content type
    when rendering through a `respond_to` block.
    Fixes #15081.
  * Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
    Fixes #15511.
  * ActionController::Parameters#require now accepts `false` values.
    Fixes #15685.

- - initial package