Change logs for rails source package in Stretch

  • rails (2:4.2.7.1-1+deb9u2) stretch; urgency=high
    
      * Team upload.
      * Add patch to fix possible XSS vector in JS escape helper.
        (Fixes: CVE-2020-5267) (Closes: #954304)
    
     -- Utkarsh Gupta <email address hidden>  Sun, 22 Mar 2020 18:05:32 +0530
  • rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium
    
      * CVE-2018-16476 (Closes: #914847)
      * CVE-2019-5418 / CVE-2019-5419 (Closes: #924520)
    
     -- Moritz Mühlenhoff <email address hidden>  Thu, 18 Apr 2019 20:48:13 +0200
  • rails (2:4.2.7.1-1) unstable; urgency=medium
    
      * New upstream release; includes fixes for the following issues:
        - CVE-2016-6317: unsafe query generation in Active Record (Closes: #834154)
        - CVE-2016-6316: Possible XSS Vulnerability in Action View (Closes: #834155)
      * debian/watch: restrict to the 4.x series for now
    
     -- Antonio Terceiro <email address hidden>  Mon, 22 Aug 2016 14:33:48 -0300
  • rails (2:4.2.6-2) unstable; urgency=medium
    
      * Team upload
      * ruby-rails: Add ruby-coffee-rails to recommends (Closes: #818470)
      * Relax ruby-json (drop << 2.0 requirement)
    
     -- Pirate Praveen <email address hidden>  Fri, 22 Jul 2016 23:37:44 +0530
  • rails (2:4.2.6-1) unstable; urgency=medium
    
      [ Antonio Terceiro ]
      * New upstream release
      * debian/clean: list files that are created when the tests run
      * Drop 0003-Make-AR-SpawnMethods-merge-to-check-an-arg-is-a-Proc.patch,
        applied upstream
    
      [ Praveen Arimbrathodiyil ]
      * Set minimum version of ruby-sprockets-rails (for sprockets version
        incompatibility with ruby-sass-rails)
    
     -- Antonio Terceiro <email address hidden>  Sat, 09 Apr 2016 19:39:46 -0300
  • rails (2:4.2.5.2-2) unstable; urgency=medium
    
      [ Cédric Boutillier ]
      * Remove version in the gem2deb build-dependency
      * Use https:// in Vcs-* fields
      * Bump Standards-Version to 3.9.7 (no changes needed)
      * Run wrap-and-sort on packaging files
    
      [ Antonio Terceiro ]
      * 0002-load_paths.rb-don-t-load-bundler.patch: don't load bundler when
        running tests
      * Run tests during build
        - add all runtime dependencies as build dependencies as well
      * Run unit tests also under autopkgtest
      * Add 0003-Make-AR-SpawnMethods-merge-to-check-an-arg-is-a-Proc.patch to fix
        ActiveRecord relations with Ruby 2.3
      * 0004-ActiveRecord-skip-a-few-tests-that-are-broken-on-Deb.patch skip some
        tests that are broken on Debian.
    
     -- Antonio Terceiro <email address hidden>  Fri, 04 Mar 2016 14:49:00 -0300
  • rails (2:4.2.5.1-2) unstable; urgency=medium
    
      * ruby-rails: change dependency from bundler to ruby-bundler, which will
        not pull a development toolchain in Recommends:.
      * Switch Vcs-* to https URLs
    
     -- Antonio Terceiro <email address hidden>  Sun, 21 Feb 2016 13:58:35 -0300
  • rails (2:4.2.5.1-1) unstable; urgency=high
    
      * New upstream release. Includes fixes for the following several security
        issues:
        - [CVE-2015-7576] Timing attack vulnerability in basic authentication in
                          Action Controller.
        - [CVE-2016-0751] Possible Object Leak and Denial of Service attack in
                          Action Pack
        - [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.
        - [CVE-2016-0752] Possible Information Leak Vulnerability in Action View
        - [CVE-2016-0753] Possible Input Validation Circumvention in Active Model
        - [CVE-2015-7581] Object leak vulnerability for wildcard controller routes
                          in Action Pack
    
     -- Antonio Terceiro <email address hidden>  Thu, 28 Jan 2016 10:56:35 -0200
  • rails (2:4.2.5-1) unstable; urgency=medium
    
      * New upstream release
      * Skip dependency resolution check during the build, because too many of the
        dependencies of the binary packages depend on rails to build, so let's
        avoid loops. The checks are still performed as part of autopkgtest tests,
        anyway.
    
     -- Antonio Terceiro <email address hidden>  Mon, 14 Dec 2015 11:04:15 -0200
  • rails (2:4.1.10-1) unstable; urgency=medium
    
      * New upstream release; bug fixes only
      * debian/copyright: fix mention to the license of
        guides/assets/javascripts/jquery.min.js
      * Drop transitional package ruby-activesupport-2.3; it was only needed for
        upgrades from wheezy.
      * Drop Breaks:/Replaces: relationships against packages provided by old
        versioned source packages (e.g. *-2.3, *-3.2, *-4.0).
    
     -- Antonio Terceiro <email address hidden>  Sun, 24 May 2015 18:11:04 -0300
  • rails (2:4.1.8-1) unstable; urgency=medium
    
    
      * New upstream release
        - Includes only bug fixes and no behavior changes. In special, includes
          fix for [CVE-2014-7818] and [CVE-2014-7829] (Arbitrary file existence
          disclosure in Action Pack) (Closes: #770934)
      * Add new transitional binary package ruby-activesupport-2.3 plus
        appropriate Breaks:/Replaces: fields in all binary packages to ensure
        upgrades from wheezy work (Closes: #768850)
        - Many thanks to Andreas Beckmann for helping debug the upgrade issue.
    
     -- Antonio Terceiro <email address hidden>  Tue, 25 Nov 2014 16:51:50 -0200