author Rafael Mendonça França <rafaelmfranca@gmail.com> 2014-05-05 13:17:18 -0300
committer Rafael Mendonça França <rafaelmfranca@gmail.com> 2014-05-06 11:33:10 -0300
commit 4e8f1d258854d0d6a6bff5955ef1aeb4fbb1dc00
tree 10f425d092725127d9c6ada40c65628473521740 /actionpack/CHANGELOG.md
parent 0f3b7d1a319383f743f9938e1eed00f0fba7a367
Preparing for 3.2.18 release
Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- actionpack/CHANGELOG.md 14
1 files changed, 14 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 6269123de3..1264e859b3 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,16 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* Only accept actions without File::SEPARATOR in the name.
+
+ This will avoid directory traversal in implicit render.
+
+ Fixes: CVE-2014-0130
+
+ *Rafael Mendonça França*
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
* Use the reference for the mime type to get the format
Fixes: CVE-2014-0082
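Review bot: The 3.2.18 entry at the top of this hunk names the check (no File::SEPARATOR in the action name) but not what an upgrader should expect from it. It should say how a request whose action name contains the separator is now handled and which applications rely on implicit render in a way that exposes them, so readers can judge urgency from the changelog alone. The "## Rails 3.2.17 (Feb 18, 2014) ##" header is also added here above entries that were already present, which the commit message "Preparing for 3.2.18 release" does not mention.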
@@ -6,6 +19,7 @@
Fixes: CVE-2014-0081
+
## Rails 3.2.16 (Dec 12, 2013) ##
* Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
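Review bot: The blank line added before the "## Rails 3.2.16" header is a whitespace-only change to an older release's section, so the commit message should say that this commit also tidies earlier entries rather than only adding 3.2.18. While touching this area, note that the context line reads "Fixes CVE-2013-6417" without the colon the other entries use ("Fixes: CVE-2014-0081"); normalising it would let one search pattern find every CVE reference in the file.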