[DRE-commits] [SCM] ruby-actionpack-3.2.git branch, master, updated. debian/3.2.6-2-1-g6035afc

Antonio Terceiro terceiro at debian.org
Sat Aug 4 12:31:45 UTC 2012


The following commit has been merged in the master branch:
commit 6035afc9728e6b0636ade4392ea06038b10c41bd
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Sat Aug 4 09:30:18 2012 -0300

    Prepare upload to unstable

diff --git a/debian/changelog b/debian/changelog
index ee82412..c89736f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ruby-actionpack-3.2 (3.2.6-3) unstable; urgency=high
+
+  * Add patch by Aaron Patterson for CVE-2012-3424 (Closes: #683370)
+
+ -- Antonio Terceiro <terceiro at debian.org>  Sat, 04 Aug 2012 09:28:12 -0300
+
 ruby-actionpack-3.2 (3.2.6-2) unstable; urgency=low
 
   * Bump build dependency to gem2deb >= 0.3.0~
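Review bot: The new 3.2.6-3 changelog entry names the CVE and the bug number but not the file it adds or the component it touches. Something like "Add debian/patches/CVE-2012-3424.patch: do not convert digest auth strings to symbols" would let a reader of the changelog see what changed without opening the patch. The commit subject "Prepare upload to unstable" also does not mention that this commit is the one introducing the security patch, which makes the fix harder to find in the history.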
diff --git a/debian/patches/CVE-2012-3424.patch b/debian/patches/CVE-2012-3424.patch
new file mode 100644
index 0000000..8fdf1f2
--- /dev/null
+++ b/debian/patches/CVE-2012-3424.patch
@@ -0,0 +1,22 @@
+Description: Do not convert digest auth strings to symbols.
+Author: Aaron Patterson <aaron.patterson at gmail.com>
+
+---
+
+Origin: upstream, https://github.com/rails/rails/commit/27311fef5efa598f281649074255834546d2b4ec
+Forwarded: not-needed
+
+--- ruby-actionpack-3.2-3.2.6.orig/lib/action_controller/metal/http_authentication.rb
++++ ruby-actionpack-3.2-3.2.6/lib/action_controller/metal/http_authentication.rb
+@@ -227,9 +227,9 @@ module ActionController
+       end
+ 
+       def decode_credentials(header)
+-        Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
++        HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+           key, value = pair.split('=', 2)
+-          [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').gsub(/'/, '')]
++          [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
+         end]
+       end
+ 
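Review bot: The patched `decode_credentials` carries no comment saying why the keys must stay strings, so the switch to `HashWithIndifferentAccess[...]` and the dropped `.to_sym` read like a style change that a later cleanup could undo. A one-line comment above the method, stating that the keys come from the request header and must not be turned into symbols, would protect the fix. The `Description:` field likewise says what changes but not the impact being fixed. In the patch header, `Origin:` and `Forwarded:` sit below the `---` line, apart from `Description:` and `Author:`. Moving all four fields above the separator would keep the metadata in one block.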
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..d5adff9
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2012-3424.patch

-- 
ruby-actionpack-3.2.git


