path: root/rubygem-actionpack.spec
authorMo Morsi <mmorsi@redhat.com>2011-06-17 10:06:52 -0400
committerMo Morsi <mmorsi@redhat.com>2011-06-17 10:06:52 -0400
commitb7b20f3144dd4dac42d25b2df5f0f1700884d363 (patch)
tree8691bde90b4bdaeee5b483479c01e34f28c2cb55 /rubygem-actionpack.spec
parent6415f27dc2928e0ed75ba1f5f339d19d3dbcff1a (diff)
Fix for CVE-2011-2197
Diffstat (limited to 'rubygem-actionpack.spec')
-rw-r--r--rubygem-actionpack.spec13
1 files changed, 12 insertions, 1 deletions
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 393c402..befe029 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -9,7 +9,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gemname}
Epoch: 1
Version: 3.0.5
-Release: 2%{?dist}
+Release: 3%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -38,6 +38,13 @@ Patch2: actionpack-tests-fix.patch
Patch3: actionpack-downgrade-dependencies.patch
+# CVE-2011-2197
+# http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
+# FIXES: https://gist.github.com/b2ceb626fc2bcdfe497f
+# https://github.com/rails/rails/commit/c6503f48bd13c696fcc81f2a4a87b8cd7c009657
+# https://github.com/rails/rails/commit/2e757bc298cef715e5c56945161bbd84f2610729
+Patch4: cve-2011-2197-actionpack-fix.patch
+
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
Requires: rubygem(activemodel) = %{version}
@@ -95,6 +102,7 @@ pushd .%{geminstdir}
%patch0 -p0
%patch1 -p0
%patch2 -p0
+%patch4 -p0
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
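Review bot: The new `%patch4 -p0` line is applied right after `%patch2 -p0`, while `Patch3: actionpack-downgrade-dependencies.patch` (declared in the previous hunk, next to the new `Patch4:`) is not applied anywhere in this hunk, so the numbering gap is visible but not explained; if Patch3 is applied conditionally elsewhere in %prep, or deliberately left unapplied, a one-line comment next to the new line would save the next maintainer from guessing, e.g. `# Patch3 is intentionally not applied here; see <reason>` (a constructed placeholder). The `-p0` strip level also differs from what a patch taken verbatim from the two upstream rails commits referenced in the Patch4 comment would normally need (`-p1`), which suggests the bundled patch was re-based onto the 3.0.5 gem layout; stating that in the Patch4 comment block (e.g. `# backport of the upstream commits below, rebased to the installed gem tree (-p0)`) would make the provenance of the security fix auditable. The %prep section this hunk belongs to starts before the hunk, and the `%check` section visible in the last hunk runs `rake test --trace`, so the backported tests are the main regression guard for this fix.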
@@ -165,6 +173,9 @@ rake test --trace
%changelog
+* Thu Jun 16 2011 Mo Morsi <mmorsi@redhat.com> - 1:3.0.5-3
+- Include fix for CVE-2011-2197
+
* Fri Jun 03 2011 Vít Ondruch <vondruch@redhat.com> - 1:3.0.5-2
- Removed regin and multimap dependencies. They were added into rack-mount
where they actually belongs.