Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0001-Be-careful-with-that-bundler.patch | Be careful with that bundler | Antonio Terceiro <terceiro@debian.org> | no | | | 2016-03-03 |
0002-disable-uglify-in-activestorage-rollup-config-js.patch | rollup-plugin-uglify is not packaged, hence disabling it. | | no | | | |
use-system-yarnpkg.patch | Use system yarnpkg instead of yarn. In Debian, yarn is packaged as "yarnpkg". This patch will replace all the "bin/yarn" usages with "bin/yarnpkg". | Jongmin Kim <jmkim@pukyong.ac.kr> | no | | | 2019-06-21 |
use-system-webpacker.patch | Use system webpacker | Jongmin Kim <jmkim@pukyong.ac.kr> | not-needed | | | 2019-06-23 |
CVE-2021-22942-2.patch | [PATCH] Refactor CVE-2021-22881 fix. Follow-up to 83a6ac3fee8fd538ce7e0088913ff54f0f9bcb6f. This allows `HTTP_HOST` to be omitted as before, and reduces the number of object allocations per request. The benchmark and its results from the patch description are reproduced directly below this row. [CVE-2021-22942] | Jonathan Hefner <jonathan@hefner.pro> | no | | | 2021-02-12 |

Benchmark from the CVE-2021-22942-2.patch description:

```ruby
# frozen_string_literal: true

require "benchmark/memory"

HOST = "example.com:80"
BEFORE_REGEXP = /\A(?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?\z/
AFTER_REGEXP = /(?:\A|,[ ]?)([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(?::\d+)?\z/i

Benchmark.memory do |x|
  x.report("BEFORE (non-nil X-Forwarded-Host)") do
    origin_host = BEFORE_REGEXP.match(HOST.to_s.downcase)[:host]
    forwarded_host = BEFORE_REGEXP.match(HOST.to_s.split(/,\s?/).last)[:host]
  end

  x.report("BEFORE (nil X-Forwarded-Host)") do
    origin_host = BEFORE_REGEXP.match(HOST.to_s.downcase)[:host]
    forwarded_host = BEFORE_REGEXP.match(nil.to_s.split(/,\s?/).last)
  end

  x.report("AFTER (non-nil X-Forwarded-Host)") do
    origin_host = HOST&.slice(AFTER_REGEXP, 1) || ""
    forwarded_host = HOST&.slice(AFTER_REGEXP, 1) || ""
  end

  x.report("AFTER (nil X-Forwarded-Host)") do
    origin_host = HOST&.slice(AFTER_REGEXP, 1) || ""
    forwarded_host = nil&.slice(AFTER_REGEXP, 1) || ""
  end
end
```

Results:

```
BEFORE (non-nil X-Forwarded-Host)
                       616.000  memsize (   208.000  retained)
                         9.000  objects (     2.000  retained)
                         2.000  strings (     1.000  retained)
BEFORE (nil X-Forwarded-Host)
                       328.000  memsize (     0.000  retained)
                         5.000  objects (     0.000  retained)
                         2.000  strings (     0.000  retained)
AFTER (non-nil X-Forwarded-Host)
                       248.000  memsize (   168.000  retained)
                         3.000  objects (     1.000  retained)
                         1.000  strings (     0.000  retained)
AFTER (nil X-Forwarded-Host)
                        40.000  memsize (     0.000  retained)
                         1.000  objects (     0.000  retained)
                         1.000  strings (     0.000  retained)
```

Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
relax-dependencies.patch | Relax dependencies. This patch will relax the dependencies version, remove useless dependencies, or replace the gems with ones which are already in Debian. Relax dependencies version: selenium-webdriver. Remove/replace dependencies: minitest-bisect (not packaged in Debian; not used, since minitest is used); minitest-retry (not packaged in Debian; used only when running on Buildkite CI); webdrivers (not packaged in Debian; could be replaced by chromedriver-helper (ruby-chromedriver-helper)). | Jongmin Kim <jmkim@pukyong.ac.kr> | not-needed | | | 2019-06-03 |
relax-dependency-sqlite3.patch | Relax dependency version - ruby-sqlite3. From Rails 6, it started using the `execute_batch2` function [1], which was introduced in gem sqlite3 1.4.0. This new function was confirmed at [1] to be extremely faster than the old `execute_batch` function. However, gem sqlite3 1.4.0 was not packaged in Debian yet (ruby-sqlite3 is 1.3.13-1+b2 in Debian), so this function could not be used. This patch will roll back the `execute_batch2` usages to `execute_batch`. This patch should be removed after ruby-sqlite3 is upgraded to 1.4.0. [1] https://github.com/rails/rails/commit/0908184e4c2dca5b941030bbd0d5eb2dfcfed120 | Jongmin Kim <jmkim@pukyong.ac.kr> | not-needed | | | 2019-06-12 |
remove-ignored-dependencies.patch | Remove ignored dependencies | Jongmin Kim <jmkim@pukyong.ac.kr> | not-needed | | | 2019-06-21 |
skip-test-internet-access.patch | Skip the tests which need Internet access, due to Debian Policy 4.9. | Jongmin Kim <jmkim@pukyong.ac.kr> | not-needed | | | 2019-07-17 |
skip-test-unpackaged-dependencies.patch | Skip the tests due to unpackaged dependencies: websocket-client-simple (actioncable/client_test.rb); sneakers (actionjob/Rakefile, actionjob/test/cases/exceptions_test.rb); que (actionjob/Rakefile); queue_classic (actionjob/Rakefile); resque (actionjob/Rakefile); sucker_punch (actionjob/Rakefile); backburner (actionjob/Rakefile); minitest-retry (railties/test/isolation/abstract_unit.rb). | Jongmin Kim <jmkim@pukyong.ac.kr> | not-needed | | | 2019-06-21 |
skip-test-railties-postgresql.patch | Skip the railties test which needs a postgresql instance | Jongmin Kim <jmkim@pukyong.ac.kr> | not-needed | | | 2019-06-24 |
ignore-test-stuck.patch | Ignore test which gets stuck. Ignore the test case which makes the test run get stuck. | Jongmin Kim <jmkim@pukyong.ac.kr> | not-needed | | | 2019-06-21 |
adapt-to-babel7.patch | Adapt to babel7 | | no | | | |
replace-webdrivers.patch | Replace webdrivers. webdrivers can only go to the contrib section. | | no | | | |
relax-marcel.patch | Relax marcel for bullseye. | Utkarsh Gupta <utkarsh@debian.org> | not-needed | | vendor | 2021-07-08 |
CVE-2021-22942-1.patch | [PATCH] Remove unnecessary escape char in Regexp. Fix the test by defining a valid host on the mocked requests. | Rafael Mendonça França | no | | | 2021-02-10 |
CVE-2022-27777-2.patch | [PATCH] Merge pull request #45027 from rails/fix-tag-helper-regression: Fix tag helper regression | "Eileen M. Uchitelle" <eileencodes@users.noreply.github.com> | no | | | 2022-05-05 |
CVE-2023-22792.patch | [PATCH] Use string#split instead of regex for domain parts [CVE-2023-22792] | sabulikia <sabakiaei@gmail.com> | no | | | 2022-07-07 |
CVE-2023-22794-1.patch | [PATCH] Should `Regexp.escape` quoted table name in regex. It is for the agnostic test case, since a quoted table name may include `.` for all adapters, and `[` / `]` for the sqlserver adapter. | Ryuta Kamizono <kamipo@gmail.com> | no | | | 2019-07-08 |
CVE-2021-44528.patch | [PATCH] Fix invalid forwarded host vulnerability. Prior to this commit, it was possible to pass an unvalidated host through the `X-Forwarded-Host` header. If the value of the header was prefixed with an invalid domain character (for example a `/`), it was always accepted as the actual host of that request. Since this host is used for all url helpers, an attacker could change generated links and redirects. If the header is set to `X-Forwarded-Host: //evil.hacker`, a redirect will be sent to `https:////evil.hacker/`. Browsers will ignore these four slashes and redirect the user. [CVE-2021-44528] | Stef Schenkelaars <stef.schenkelaars@gmail.com> | no | | | 2021-07-07 |
CVE-2021-22942-3.patch | [PATCH] Merge pull request #43868 from rails/fix-default-hosts: Allow localhost with a port by default in development | Aaron Patterson <aaron@rubyonrails.org> | no | | | 2021-12-14 |
CVE-2021-22942-4.patch | [PATCH] Merge pull request #43871 from rails/rm-fix-hosts-with-port: Allow any allowed host with port | Aaron Patterson <aaron@rubyonrails.org> | no | | | 2021-12-15 |
CVE-2021-22942-5.patch | [PATCH] Merge pull request #43882 from rails/rm-allow-ip-with-port: Allow IPs with port in the HostAuthorization middleware | Rafael Mendonça França | no | | | 2021-12-15 |
CVE-2022-21831.patch | [PATCH] Added image transformation validation via configurable allow-list. ImageProcessingTransformer now offers a configurable allow-list for transformation methods in addition to a configurable deny-list for arguments. [CVE-2022-21831] | Zack <zack.ref@gmail.com> | no | | | 2022-02-15 |
CVE-2022-22577.patch | [PATCH] Merge pull request #44635 from imtayadeway/tjw/api-csp-i: Generate content security policy for non-HTML responses | Aaron Patterson <aaron@rubyonrails.org> | no | | | 2022-03-08 |
CVE-2022-23633-1.patch | [PATCH] ActionDispatch::Executor: don't fully trust `body#close`. Under certain circumstances, the middleware isn't informed that the response body has been fully closed, which results in request state not being fully reset before the next request. [CVE-2022-23633] | Jean Boussier <jean.boussier@gmail.com> | no | | | 2022-02-11 |
CVE-2022-23633-2.patch | [PATCH] Fix reloader to work with new Executor signature. This is a follow-up to [CVE-2022-23633]. | Aaron Patterson <aaron@rubyonrails.org> | no | | | 2022-02-11 |
CVE-2022-27777-1.patch | [PATCH] Fix and add protections for XSS in names. Add the method ERB::Util.xml_name_escape to escape dangerous characters in names of tags and names of attributes, following the specification of XML. Use that method in the tag helpers of ActionView::Helpers. Add a deprecation warning to the option :escape_attributes mentioning the new behavior and the transition to :escape, to simplify by applying the option to the whole tag. [CVE-2022-27777] | Alvaro Martin Fraguas <alvaro.martin@nccgroup.com> | no | | | 2022-04-12 |
CVE-2023-22794-2.patch | [PATCH] Make sanitize_as_sql_comment more strict. Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input. This commit makes the sanitization more robust by replacing any occurrences of `/*` or `*/` with `/ *` or `* /`. It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal. This also clarifies in the documentation of annotate that it should not be provided user input. [CVE-2023-22794] | John Hawthorn <john@hawthorn.email> | no | | | 2022-09-06 |
CVE-2023-22795.patch | [PATCH] Avoid regex backtracking on If-None-Match header [CVE-2023-22795] | John Hawthorn <john@hawthorn.email> | no | | | 2023-01-13 |
CVE-2023-22796.patch | [PATCH] Avoid regex backtracking in Inflector.underscore [CVE-2023-22796] | John Hawthorn <john@hawthorn.email> | no | | | 2023-01-11 |
CVE-2023-23913.patch | [PATCH] Ignore certain `data-*` attributes in rails-ujs when element is contenteditable. There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-disable-with or data-remote attribute. [CVE-2023-23913] | Zack Deveau <zack.ref@gmail.com> | no | | | 2023-01-16 |
CVE-2023-28120.patch | [PATCH] Implement SafeBuffer#bytesplice | Akira Matsuda <ronnie@dio.jp> | no | | | 2023-01-05 |