rails (2:4.1.8-1+deb8u4) jessie-security; urgency=high

  [ Salvatore Bonaccorso ]
  * add test script for CVE-2016-6316

  [ Antonio Terceiro ]
  * CVE-2016-6316.patch: update to fix regression with non-string arguments to
    tag options

 -- Antonio Terceiro <terceiro@debian.org>  Tue, 23 Aug 2016 16:59:26 -0300

rails (2:4.1.8-1+deb8u3) jessie-security; urgency=high

  * Security update
  * CVE-2016-6316: Possible XSS Vulnerability in Action View
    (Closes: Bug#834155)

 -- Antonio Terceiro <terceiro@debian.org>  Mon, 22 Aug 2016 13:35:11 -0300

rails (2:4.1.8-1+deb8u2) jessie-security; urgency=high

  * Security updates:
    - [CVE-2016-2098] Possible remote code execution vulnerability in Action
                      Pack
    - [CVE-2016-2097] Possible Information Leak Vulnerability in Action View.

 -- Antonio Terceiro <terceiro@debian.org>  Wed, 02 Mar 2016 12:03:46 -0300

rails (2:4.1.8-1+deb8u1) jessie-security; urgency=high

  * Security updates:
    - [CVE-2015-3227] Possible Denial of Service attack in Active Support
                      (Closes: #790487)
    - [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode
                      (Closes: #790486)
    - [CVE-2015-7576] Timing attack vulnerability in basic authentication in
                      Action Controller.
    - [CVE-2016-0751] Possible Object Leak and Denial of Service attack in
                      Action Pack
    - [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.
    - [CVE-2016-0752] Possible Information Leak Vulnerability in Action View
    - [CVE-2016-0753] Possible Input Validation Circumvention in Active Model
    - [CVE-2015-7581] Object leak vulnerability for wildcard controller routes
                      in Action Pack

 -- Antonio Terceiro <terceiro@debian.org>  Thu, 28 Jan 2016 11:12:33 -0200

rails (2:4.1.8-1) unstable; urgency=medium

  * New upstream release
    - Includes only bug fixes and no behavior changes. In particular, includes
      fixes for [CVE-2014-7818] and [CVE-2014-7829] (Arbitrary file existence
      disclosure in Action Pack) (Closes: #770934)
  * Add new transitional binary package ruby-activesupport-2.3 plus
    appropriate Breaks:/Replaces: fields in all binary packages to ensure
    upgrades from wheezy work (Closes: #768850)
    - Many thanks to Andreas Beckmann for helping debug the upgrade issue.

 -- Antonio Terceiro <terceiro@debian.org>  Tue, 25 Nov 2014 16:51:50 -0200

rails (2:4.1.6-2) unstable; urgency=medium

  * fix upgrades from wheezy:
    - Remove Breaks: against old packages provided by previous versions of
      Rails. The Replaces: fields, left untouched, ought to be enough.
    - ruby-actionview: Replaces ruby-actionpack-{2.3,3.2} since
      ruby-actionview contains files that used to be in ruby-actionpack-*
    - ruby-railties: Breaks/Replaces rails (<< 2:4) since ruby-railties
      contains /usr/bin/rails which used to be in rails.
  * debian/copyright: minor updates

 -- Antonio Terceiro <terceiro@debian.org>  Tue, 30 Sep 2014 18:33:36 -0300

rails (2:4.1.6-1) unstable; urgency=medium

  * New upstream release
  * debian/patches/relax-dependencies.patch: dropped, not necessary anymore

 -- Antonio Terceiro <terceiro@debian.org>  Fri, 26 Sep 2014 15:59:24 -0300

rails (2:4.1.5-1) unstable; urgency=high

  * New upstream release
    - Fixes CVE-2014-3514: data validation bypass vulnerability
  * debian/watch: update to fetch new releases from github.

 -- Antonio Terceiro <terceiro@debian.org>  Mon, 18 Aug 2014 15:19:04 -0300

rails (2:4.1.4-5) unstable; urgency=medium

  * ruby-actionmailer: relax dependency on ruby-mail to work with the 2.6.x
    series

 -- Antonio Terceiro <terceiro@debian.org>  Mon, 04 Aug 2014 14:38:18 -0300

rails (2:4.1.4-4) unstable; urgency=medium

  * ruby-rails:
    - add Recommends:
      - ruby-jquery-rails
      - ruby-coffee-rails
      - ruby-sqlite3
      - ruby-sass-rails
      - ruby-uglifier
      - ruby-spring
      - ruby-turbolinks
      - ruby-jbuilder
      - ruby-sdoc
    - add Breaks/Replaces: rails3
    - bump Depends: ruby-sprockets-rails to (>= 2.1.3-1~)
    - add Depends: ruby-treetop
    - move ruby-activesupport-3.2 from Breaks: to Conflicts:
    - remove Breaks: rails (<< 2:4.1) since we now also provide a
      `rails` binary
  * ruby-railties:
    - remove Breaks: rails (<< 3:3.2.0)
  * ruby-actionmailer:
    - drop Depends: ruby-mail (<< 2.6)
      cf. https://github.com/rails/rails/commit/bb0890d
  * debian/tests/control: fix test dependencies to rails and *not* rails-3.2;
    add needs-recommends instead of explicitly listing the recommended
    packages
  * debian/patches/mona_lisa.jpg_is_PD-Art_and_has_been_removed.patch: removed
    as it does not make sense anymore (mona_lisa.jpg is just there).

 -- Antonio Terceiro <terceiro@debian.org>  Sun, 03 Aug 2014 00:24:26 -0300

rails (2:4.1.4-3) unstable; urgency=medium

  * Re-add `rails` binary package
  * Improve description for ruby-railties

 -- Antonio Terceiro <terceiro@debian.org>  Sat, 26 Jul 2014 10:12:46 -0300

rails (2:4.1.4-2) unstable; urgency=medium

  [ Antonio Terceiro ]
  * Don't install nonsensical binary from activesupport

  [ Ondřej Surý ]
  * Merge autopkgtests from rails-3.2
  * Add missing sources for shCore.js and jquery.min.js
  * Upload to unstable since no objections were raised to the RoR Debian
    transition plan
  * Remove repack script since there's nothing non-free in the upstream
    tarball (Closes: #742407)
  * Keep the guides/ (CC-BY-SA-3.0) and mona_lisa.jpg (PD), but document
    that in d/copyright

 -- Ondřej Surý <ondrej@debian.org>  Wed, 16 Jul 2014 17:19:07 +0200

rails (2:4.1.4-1) experimental; urgency=medium

  [ Antonio Terceiro ]
  * debian/rules: adapt dh_clean call

  [ Christian Hofstaedtler ]
  * Relax dependencies
  * Run bundle install --local, as in Debian Rails 3.2

  [ Ondřej Surý ]
  * New upstream version 4.1.4
  * Drop versioning from rails package, we want to provide just the last
    stable upstream major version
  * Update dependencies in d/control based on information from gemspec files
  * Add ruby-actionview documentation
  * Add conflict with old rails package
  * Bump epoch to 2: to replace old virtual packages
  * Update patches for 4.1.4 release
  * Upload to experimental, so we can let the dust settle...

 -- Ondřej Surý <ondrej@debian.org>  Wed, 16 Jul 2014 15:22:28 +0200

rails-4.0 (4.0.2+dfsg-2) unstable; urgency=low

  * Fix dependency -- ruby-rack doesn't have epoch (Closes: #731347)
  * Move ruby-activerecord-deprecated-finders from Depends to Recommends

 -- Ondřej Surý <ondrej@debian.org>  Thu, 12 Dec 2013 13:15:00 +0100

rails-4.0 (4.0.2+dfsg-1) unstable; urgency=low

  [ Antonio Terceiro ]
  * ruby-actionpack-4.0: tighten versioned dependency on ruby-rack to take
    epoch into account.

  [ Ondřej Surý ]
  * New upstream version 4.0.2+dfsg, fixes:
    + [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation
      Risk)
    + [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
    + [CVE-2013-6415] XSS Vulnerability in number_to_currency
    + [CVE-2013-6414] Denial of Service Vulnerability in Action View
    + [CVE-2013-6416] XSS Vulnerability in simple_format helper

 -- Ondřej Surý <ondrej@debian.org>  Wed, 04 Dec 2013 10:34:24 +0100

rails-4.0 (4.0.0+dfsg-1) unstable; urgency=low

  [ Antonio Terceiro ]
  * Migrate to use dh_ruby multi-binary support

  [ Ondřej Surý ]
  * Initial release of Rails 4.0
  * Merge ruby-{active,action}*-X.Y packages into rails-4.0
  * Add Copyright headers for syntaxhighlighter
  * New upstream version 4.0.0+dfsg
  * Update the package based on ftp-master review:
    + Weaken some Conflicts to Breaks (Keeping Conflicts for virtual
      packages)
    + Generate actionpack/lib/action_dispatch/journey/parser.rb in the
      build using racc
    + Fix copyright to include correct year: (c) 2004-2013 David
      Heinemeier Hansson
    + Add MIT or CC-BY license for HTML selector by Assaf Arkin
    + PD-Art license is inconclusive, so we just remove the wikimedia Mona
      Lisa picture and patch out the tests that were using it.
      (http://commons.wikimedia.org/wiki/Commons:Reuse_of_PD-Art_photographs)
    + Just remove whole guides.rubyonrails.org content from source tarball
      (We'll repackage it to ruby-rails-guides-4.0 as soon as we clear the
      licensing with upstream.)
    + MIT-LICENSE in templates is needed for templating new projects, add
      a lintian-override
  * Add dversionmangle to debian/watch

 -- Ondřej Surý <ondrej@debian.org>  Fri, 19 Jul 2013 15:35:13 +0200
