Control: tags -1 + patch pending

Dear maintainer,

I've prepared an NMU for ruby-activeresource-2.3 (versioned as 2.3.14-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards.
-- 
Sebastian Ramacher
diff -Nru ruby-activeresource-2.3-2.3.14/debian/changelog ruby-activeresource-2.3-2.3.14/debian/changelog --- ruby-activeresource-2.3-2.3.14/debian/changelog 2012-06-29 20:17:48.000000000 +0200 +++ ruby-activeresource-2.3-2.3.14/debian/changelog 2013-02-10 22:46:41.000000000 +0100 @@ -1,3 +1,13 @@ +ruby-activeresource-2.3 (2.3.14-2.1) unstable; urgency=low + + * Non-maintainer upload. + * debian/patches/0003-remove-test-for-XML-YAML-parsing.patch: Backport patch + from upstream to disable test for XML YAML parsing. XML YAML parsing has + been removed in ruby-activesupport-2.3/2.3.14-5 to fix CVE-2013-0156. + (Closes: #699255) + + -- Sebastian Ramacher <sramac...@debian.org> Sun, 10 Feb 2013 22:46:39 +0100 + ruby-activeresource-2.3 (2.3.14-2) unstable; urgency=low * Team upload. diff -Nru ruby-activeresource-2.3-2.3.14/debian/patches/0003-remove-test-for-XML-YAML-parsing.patch ruby-activeresource-2.3-2.3.14/debian/patches/0003-remove-test-for-XML-YAML-parsing.patch --- ruby-activeresource-2.3-2.3.14/debian/patches/0003-remove-test-for-XML-YAML-parsing.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-activeresource-2.3-2.3.14/debian/patches/0003-remove-test-for-XML-YAML-parsing.patch 2013-02-10 22:44:32.000000000 +0100 
@@ -0,0 +1,48 @@ +Description: Remove test for XML YAML parsing + The support for YAML parsing in XML has been removed from Active Support + since it introduced an security risk (CVE-2013-0156). +Origin: backport, https://github.com/rails/activeresource/commit/a0589575 +Last-Update: 2013-02-10 + +--- a/test/base_test.rb ++++ b/test/base_test.rb +@@ -49,25 +49,11 @@ + :children => [{:name => 'Natacha'}]}, + {:name => 'Milena', + :children => []}]}]}.to_xml(:root => 'customer') +- # - resource with yaml array of strings; for ActiveRecords using serialize :bar, Array +- @marty = <<-eof.strip +- <?xml version=\"1.0\" encoding=\"UTF-8\"?> +- <person> +- <id type=\"integer\">5</id> +- <name>Marty</name> +- <colors type=\"yaml\">--- +- - \"red\" +- - \"green\" +- - \"blue\" +- </colors> +- </person> +- eof + + ActiveResource::HttpMock.respond_to do |mock| + mock.get "/people/1.xml", {}, @matz + mock.get "/people/2.xml", {}, @david + mock.get "/people/6.json", {}, @joe +- mock.get "/people/5.xml", {}, @marty + mock.get "/people/Greg.xml", {}, @greg + mock.get "/people/4.xml", {'key' => 'value'}, nil, 404 + mock.put "/people/1.xml", {}, nil, 204 +@@ -1075,13 +1061,4 @@ + end + end + +- def test_load_yaml_array +- assert_nothing_raised do +- marty = Person.find(5) +- assert_equal 3, marty.colors.size +- marty.colors.each do |color| +- assert_kind_of String, color +- end +- end +- end + end diff -Nru ruby-activeresource-2.3-2.3.14/debian/patches/series ruby-activeresource-2.3-2.3.14/debian/patches/series --- ruby-activeresource-2.3-2.3.14/debian/patches/series 2012-02-02 23:56:24.000000000 +0100 +++ ruby-activeresource-2.3-2.3.14/debian/patches/series 2013-02-10 22:29:36.000000000 +0100 @@ -1,2 +1,3 @@ 0001-comment_out_failing_upstream_tests.patch 0002-require_abstract_unit_needs_test_directory.patch +0003-remove-test-for-XML-YAML-parsing.patch
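Review bot: In the debian/changelog hunk, the new entry says the backported patch will "disable test for XML YAML parsing", but 0003-remove-test-for-XML-YAML-parsing.patch deletes the @marty fixture, the "/people/5.xml" mock and test_load_yaml_array outright rather than disabling them. Wording it as "remove test for XML YAML parsing" would match the patch file name and its Description line, so that someone reading only the changelog does not go looking for a skipped test.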
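Review bot: In the header of the new debian/patches/0003-remove-test-for-XML-YAML-parsing.patch, the Description reads "an security risk" (should be "a security risk"), and there is no Bug-Debian field pointing at #699255, which the changelog entry closes. The Origin URL also uses the abbreviated commit id a0589575; the full hash would keep the reference unambiguous. In the test/base_test.rb part, once the @marty fixture and test_load_yaml_array are gone, nothing in the visible hunks exercises a `type="yaml"` element any more, so it is worth stating in the Description whether the new behaviour for such elements is covered by a test in ruby-activesupport-2.3 instead.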