Packages changed:
inxi (3.0.27 -> 3.0.28)
python-M2Crypto
python-asn1crypto
python-backports
python-certifi
python-configparser
python-decorator
python-docutils
python-entrypoints
rubygem-actioncable-5.2 (5.2.1 -> 5.2.1.1)
rubygem-actionmailer-5.2 (5.2.1 -> 5.2.1.1)
rubygem-actionpack-5.2 (5.2.1 -> 5.2.1.1)
rubygem-actionview-5.2 (5.2.1 -> 5.2.1.1)
rubygem-activejob-5.2 (5.2.1 -> 5.2.1.1)
rubygem-activemodel-5.2 (5.2.1 -> 5.2.1.1)
rubygem-activerecord-5.2 (5.2.1 -> 5.2.1.1)
rubygem-activestorage-5.2 (5.2.1 -> 5.2.1.1)
rubygem-activesupport-5.2 (5.2.1 -> 5.2.1.1)
rubygem-passenger (5.3.7 -> 6.0.0)
rubygem-rails-5.2 (5.2.1 -> 5.2.1.1)
rubygem-railties-5.2 (5.2.1 -> 5.2.1.1)
shim-leap
=== Details ===
==== inxi ====
Version update (3.0.27 -> 3.0.28)
- Update to version 3.0.28:
* See /usr/share/doc/packages/inxi/inxi.changelog
==== python-M2Crypto ====
Subpackages: python2-M2Crypto python3-M2Crypto
- Whoops! Here -devel dependency certainly should stay
- Remove superfluous devel dependency for noarch package
==== python-asn1crypto ====
Subpackages: python2-asn1crypto python3-asn1crypto
- Remove superfluous devel dependency for noarch package
==== python-backports ====
- Remove superfluous devel dependency for noarch package
==== python-certifi ====
Subpackages: python2-certifi python3-certifi
- Remove superfluous devel dependency for noarch package
==== python-configparser ====
- Remove superfluous devel dependency for noarch package
==== python-decorator ====
Subpackages: python2-decorator python3-decorator
- Remove superfluous devel dependency for noarch package
==== python-docutils ====
- Remove superfluous devel dependency for noarch package
==== python-entrypoints ====
- Remove superfluous devel dependency for noarch package
==== rubygem-actioncable-5.2 ====
Version update (5.2.1 -> 5.2.1.1)
- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1
==== rubygem-actionmailer-5.2 ====
Version update (5.2.1 -> 5.2.1.1)
- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1
==== rubygem-actionpack-5.2 ====
Version update (5.2.1 -> 5.2.1.1)
- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1
==== rubygem-actionview-5.2 ====
Version update (5.2.1 -> 5.2.1.1)
- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1
==== rubygem-activejob-5.2 ====
Version update (5.2.1 -> 5.2.1.1)
- updated to version 5.2.1.1 (boo#1118076)
- addresses a security vulnerability (CVE-2018-16476, bsc#1117632)
Carefully crafted user input can cause Active Job to deserialize
it using GlobalId and allow an attacker to have access to
information that they should not have.
Vulnerable code will look something like this:
MyJob.perform_later(user_input)
All users running an affected release should either upgrade
or use one of the workarounds immediately.
==== rubygem-activemodel-5.2 ====
Version update (5.2.1 -> 5.2.1.1)
- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1
==== rubygem-activerecord-5.2 ====
Version update (5.2.1 -> 5.2.1.1)
- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1
==== rubygem-activestorage-5.2 ====
Version update (5.2.1 -> 5.2.1.1)
- updated to version 5.2.1.1 (boo#1118076)
- addresses a security vulnerability (CVE-2018-16477, boo#1117641)
Signed download URLs generated by `ActiveStorage` for Google Cloud Storage
service and Disk service include `content-disposition` and `content-type`
parameters that an attacker can modify. This can be used to upload specially
crafted HTML files and have them served and executed inline. Combined with
other techniques such as cookie bombing and specially crafted AppCache
manifests,
an attacker can gain access to private signed URLs within a specific
storage path.
Vulnerable apps are those using either GCS or the Disk service in
production.
Other storage services such as S3 or Azure aren't affected.
All users running an affected release should either upgrade or use one of
the
workarounds immediately. For those using GCS, it's also recommended to run
the
following to update existing blobs:
```
ActiveStorage::Blob.find_each do |blob|
blob.send :update_service_metadata
end
```
==== rubygem-activesupport-5.2 ====
Version update (5.2.1 -> 5.2.1.1)
- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1
==== rubygem-passenger ====
Version update (5.3.7 -> 6.0.0)
Subpackages: ruby2.5-rubygem-passenger rubygem-passenger-apache2
- updated to version 6.0.0 (boo#1117900)
* Introduces support for *all* programming languages. Yes that's
right... Java, Elixir, Go ? Passenger now supports them all!
This effort is called "generic language support".
* Bumps the preferred Nginx version to 1.15.7.
* Introduces anonymous usage telemetry, which helps us improve
Passenger. Please read the docs on what data is collected and
how to disable this.
* [Nginx] Introduces a new option "passenger_request_buffering on|off",
to allow disabling request body buffering. This is only supported
in Nginx >= 1.15.3. Closes GH-2121.
* Updated various library versions used in precompiled binaries
(used for e.g. gem installs):
- OpenSSL: 1.0.2q (was: 1.0.2p)
- libcurl: 7.62.0 (was: 7.61.1)
- Ruby: 2.3.8 (was: 2.3.7)
==== rubygem-rails-5.2 ====
Version update (5.2.1 -> 5.2.1.1)
- updated to version 5.2.1.1 (boo#1118076)
* No changelog in Rails itself. The actual changes can be found
in Rails submodules:
rubygem-activejob-5.2: Fixes CVE-2018-16476
rubygem-activestorage-5.2: Fixes CVE-2018-16477
It is advised to update to fix the security vulnerabilities.
==== rubygem-railties-5.2 ====
Version update (5.2.1 -> 5.2.1.1)
- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1
==== shim-leap ====
- Update shim-install to set the grub2-install target explicitly
for some special cases. (bsc#1118363)