pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/www/ruby-actionpack Security fix for:
details: https://anonhg.NetBSD.org/pkgsrc/rev/b1f67ef07a15
branches: trunk
changeset: 561766:b1f67ef07a15
user: minskim <minskim%pkgsrc.org@localhost>
date: Thu Jul 16 11:00:25 2009 +0000
description:
Security fix for:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422
>From rails git commit 056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489.
diffstat:
www/ruby-actionpack/Makefile | 7 ++++++-
www/ruby-actionpack/distinfo | 3 ++-
www/ruby-actionpack/patches/patch-aa | 24 ++++++++++++++++++++++++
3 files changed, 32 insertions(+), 2 deletions(-)
diffs (62 lines):
diff -r 6a41fb923ae8 -r b1f67ef07a15 www/ruby-actionpack/Makefile
--- a/www/ruby-actionpack/Makefile Thu Jul 16 10:51:17 2009 +0000
+++ b/www/ruby-actionpack/Makefile Thu Jul 16 11:00:25 2009 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.15 2009/04/07 17:13:27 minskim Exp $
+# $NetBSD: Makefile,v 1.16 2009/07/16 11:00:25 minskim Exp $
DISTNAME= actionpack-2.3.2
PKGNAME= ${RUBY_PKGPREFIX}-${DISTNAME}
+PKGREVISION= 1
CATEGORIES= www
MAINTAINER= minskim%NetBSD.org@localhost
@@ -11,4 +12,8 @@
DEPENDS+= ${RUBY_PKGPREFIX}-activesupport>=2.3.2:../../devel/ruby-activesupport
.include "../../misc/rubygems/rubygem.mk"
+
+pre-configure:
+ ${RM} ${WRKSRC}/lib/action_controller/http_authentication.rb.orig
+
.include "../../mk/bsd.pkg.mk"
diff -r 6a41fb923ae8 -r b1f67ef07a15 www/ruby-actionpack/distinfo
--- a/www/ruby-actionpack/distinfo Thu Jul 16 10:51:17 2009 +0000
+++ b/www/ruby-actionpack/distinfo Thu Jul 16 11:00:25 2009 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.16 2009/04/07 17:13:27 minskim Exp $
+$NetBSD: distinfo,v 1.17 2009/07/16 11:00:25 minskim Exp $
SHA1 (actionpack-2.3.2.gem) = 31e9815ed5d901b6b7f618bb7140f16d1a79ebfc
RMD160 (actionpack-2.3.2.gem) = 800602f5c03b08ca8ca292cc7f82ef009c0e2160
Size (actionpack-2.3.2.gem) = 767488 bytes
+SHA1 (patch-aa) = 85d3a5a5766a6ac220e230436f53f6cd4078a259
SHA1 (patch-ab) = bfba841b0af9d503a71745cc8d992e9d09d94191
diff -r 6a41fb923ae8 -r b1f67ef07a15 www/ruby-actionpack/patches/patch-aa
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/ruby-actionpack/patches/patch-aa Thu Jul 16 11:00:25 2009 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-aa,v 1.3 2009/07/16 11:00:25 minskim Exp $
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422
+rails git commit 056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489
+
+--- lib/action_controller/http_authentication.rb.orig 2009-07-16 03:45:19.000000000 -0700
++++ lib/action_controller/http_authentication.rb
+@@ -183,7 +183,7 @@ module ActionController
+ request.env['REDIRECT_X_HTTP_AUTHORIZATION']
+ end
+
+- # Raises error unless the request credentials response value matches the expected value.
++ # Returns false unless the request credentials response value matches the expected value.
+ # First try the password as a ha1 digest password. If this fails, then try it as a plain
+ # text password.
+ def validate_digest_response(request, realm, &password_procedure)
+@@ -192,6 +192,7 @@ module ActionController
+
+ if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
+ password = password_procedure.call(credentials[:username])
++ return false unless password
+
+ [true, false].any? do |password_is_ha1|
+ expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)
Home |
Main Index |
Thread Index |
Old Index