head 1.4;
access;
symbols
    pkgsrc-2026Q2:1.4.0.2
    pkgsrc-2026Q2-base:1.4
    pkgsrc-2026Q1:1.3.0.4
    pkgsrc-2026Q1-base:1.3
    pkgsrc-2025Q4:1.3.0.2
    pkgsrc-2025Q4-base:1.3
    pkgsrc-2025Q3:1.2.0.2
    pkgsrc-2025Q3-base:1.2
    pkgsrc-2025Q2:1.1.0.6
    pkgsrc-2025Q2-base:1.1
    pkgsrc-2025Q1:1.1.0.4
    pkgsrc-2025Q1-base:1.1
    pkgsrc-2024Q4:1.1.0.2
    pkgsrc-2024Q4-base:1.1;
locks; strict;
comment @# @;


1.4
date 2026.03.29.14.07.39; author taca; state Exp;
branches;
next 1.3;
commitid 7MD3YzIuBQozqSzG;

1.3
date 2025.11.03.08.43.48; author taca; state Exp;
branches
    1.3.4.1;
next 1.2;
commitid yVzlIFWVHjUdk5hG;

1.2
date 2025.08.14.15.22.47; author taca; state Exp;
branches;
next 1.1;
commitid EsnJg8uLp28F8I6G;

1.1
date 2024.12.13.17.02.57; author taca; state Exp;
branches;
next ;
commitid jGHtN0fFFM7pxmBF;

1.3.4.1
date 2026.03.31.13.31.41; author maya; state Exp;
branches;
next ;
commitid iqK8mCnuD32ja8AG;


desc
@@


1.4
log
@www/ruby-rails72: update to 7.2.3.1

Ruby on Rails 7.2.3.1 (2026-03-23)

Active Support

* Reject scientific notation in NumberConverter

  [CVE-2026-33176]

  Jean Boussier

* Fix SafeBuffer#% to preserve unsafe status

  [CVE-2026-33170]

  Jean Boussier

* Improve performance of NumberToDelimitedConverter

  [CVE-2026-33169]

  Jean Boussier

Action View

* Skip blank attribute names in tag helpers to avoid generating invalid HTML.

  [CVE-2026-33168]

  Mike Dalessio

Active Storage

* Filter user supplied metadata in DirectUploadController

  [CVE-2026-33173]

  Jean Boussier

* Configurable maximum streaming chunk size

  Makes sure that byte ranges for blobs don't exceed 100mb by default.
  Content ranges that are too big can result in denial of service.

  [CVE-2026-33174]

  Gannon McGibbon

* Limit range requests to a single range

  [CVE-2026-33658]

  Jean Boussier

* Prevent path traversal in DiskService.

  DiskService#path_for now raises an InvalidKeyError when passed keys with
  dot segments (".", ".."), or if the resolved path is outside the storage
  root directory.

  #path_for also now consistently raises InvalidKeyError if the key is
  invalid in any way, for example containing null bytes or having an
  incompatible encoding. Previously, the exception raised may have been
  ArgumentError or Encoding::CompatibilityError.

  DiskController now explicitly rescues InvalidKeyError with appropriate
  HTTP status codes.

  [CVE-2026-33195]

  Mike Dalessio

* Prevent glob injection in DiskService#delete_prefixed.

  Escape glob metacharacters in the resolved path before passing to
  Dir.glob.

  Note that this change breaks any existing code that is relying on
  delete_prefixed to expand glob metacharacters. This change presumes that
  is unintended behavior (as other storage services do not respect these
  metacharacters).

  [CVE-2026-33202]

  Mike Dalessio

Active Model
Active Record
Action Pack
Active Job
Action Mailer
Action Cable
Action Mailbox
Action Text
Railties

* No change except version.
@
text
@$NetBSD: distinfo,v 1.3 2025/11/03 08:43:48 taca Exp $ BLAKE2s (actiontext-7.2.3.1.gem) = 57277abde78ee88f745cd0f5d6e7d447ec60b1dfc649f5901fc3e98c76fe6cd6 SHA512 (actiontext-7.2.3.1.gem) = 0df829d0b64bbad6d6fd6f0af32e994af9583f0f5a2b2fd741ff043a795b66620f0d41f75aa2e52d2f6e374a8da6627dfd9bbbfe17a4ec3037642d92409044b3 Size (actiontext-7.2.3.1.gem) = 137216 bytes @


1.3
log
@Update remaining rails72 packages to 7.2.3

7.2.3 (2025-10-28)

* No changes except version
@
text
@d1 1 a1 1 $NetBSD: distinfo,v 1.2 2025/08/14 15:22:47 taca Exp $ d3 3 a5 3 BLAKE2s (actiontext-7.2.3.gem) = afffbb3ea8c053cb6d1c28724fceb4e9b5017adf3a42833dd2954c28d10e4b34 SHA512 (actiontext-7.2.3.gem) = 0c823f6eebaf21e717f3f6a47b5859f4b15a5764b8b38a23b857e2f86410bd79ad1faf48fe8618614510b337b0cef2267503d9ae2c0b3cdedfeef520bc9b8471 Size (actiontext-7.2.3.gem) = 137216 bytes @


1.3.4.1
log
@Pullup ticket #7061 - requested by taca
databases/ruby-activerecord72: Security fix
devel/ruby-activejob72: Security fix
devel/ruby-activemodel72: Security fix
devel/ruby-activestorage72: Security fix
devel/ruby-activesupport72: Security fix
devel/ruby-activesupport72: Security fix
devel/ruby-railties72: Security fix
devel/ruby-railties72: Security fix
lang/ruby: Security fix
mail/ruby-actionmailbox72: Security fix
mail/ruby-actionmailer72: Security fix
textproc/ruby-actiontext72: Security fix
www/ruby-actioncable72: Security fix
www/ruby-actionpack72: Security fix
www/ruby-actionpack72: Security fix
www/ruby-actionview72: Security fix
www/ruby-rails72: Security fix

Revisions pulled up:
- databases/ruby-activerecord72/distinfo 1.4
- devel/ruby-activejob72/distinfo 1.4
- devel/ruby-activemodel72/distinfo 1.4
- devel/ruby-activestorage72/distinfo 1.4
- devel/ruby-activesupport72/Makefile 1.4
- devel/ruby-activesupport72/distinfo 1.4
- devel/ruby-railties72/Makefile 1.5
- devel/ruby-railties72/distinfo 1.4
- lang/ruby/rails.mk 1.188
- mail/ruby-actionmailbox72/distinfo 1.4
- mail/ruby-actionmailer72/distinfo 1.4
- textproc/ruby-actiontext72/distinfo 1.4
- www/ruby-actioncable72/distinfo 1.4
- www/ruby-actionpack72/Makefile 1.3
- www/ruby-actionpack72/distinfo 1.4
- www/ruby-actionview72/distinfo 1.4
- www/ruby-rails72/distinfo 1.4

---
   Module Name: pkgsrc
   Committed By: taca
   Date: Sun Mar 29 14:07:39 UTC 2026

   Modified Files:
      pkgsrc/databases/ruby-activerecord72: distinfo
      pkgsrc/devel/ruby-activejob72: distinfo
      pkgsrc/devel/ruby-activemodel72: distinfo
      pkgsrc/devel/ruby-activestorage72: distinfo
      pkgsrc/devel/ruby-activesupport72: Makefile distinfo
      pkgsrc/devel/ruby-railties72: Makefile distinfo
      pkgsrc/mail/ruby-actionmailbox72: distinfo
      pkgsrc/mail/ruby-actionmailer72: distinfo
      pkgsrc/textproc/ruby-actiontext72: distinfo
      pkgsrc/www/ruby-actioncable72: distinfo
      pkgsrc/www/ruby-actionpack72: Makefile distinfo
      pkgsrc/www/ruby-actionview72: distinfo
      pkgsrc/www/ruby-rails72: distinfo

   Log Message:
   www/ruby-rails72: update to 7.2.3.1

   Ruby on Rails 7.2.3.1 (2026-03-23)

   Active Support

   * Reject scientific notation in NumberConverter

     [CVE-2026-33176]

     Jean Boussier

   * Fix SafeBuffer#% to preserve unsafe status

     [CVE-2026-33170]

     Jean Boussier

   * Improve performance of NumberToDelimitedConverter

     [CVE-2026-33169]

     Jean Boussier

   Action View

   * Skip blank attribute names in tag helpers to avoid generating invalid HTML.

     [CVE-2026-33168]

     Mike Dalessio

   Active Storage

   * Filter user supplied metadata in DirectUploadController

     [CVE-2026-33173]

     Jean Boussier

   * Configurable maximum streaming chunk size

     Makes sure that byte ranges for blobs don't exceed 100mb by default.
     Content ranges that are too big can result in denial of service.

     [CVE-2026-33174]

     Gannon McGibbon

   * Limit range requests to a single range

     [CVE-2026-33658]

     Jean Boussier

   * Prevent path traversal in DiskService.

     DiskService#path_for now raises an InvalidKeyError when passed keys
     with dot segments (".", ".."), or if the resolved path is outside the
     storage root directory.

     #path_for also now consistently raises InvalidKeyError if the key is
     invalid in any way, for example containing null bytes or having an
     incompatible encoding. Previously, the exception raised may have been
     ArgumentError or Encoding::CompatibilityError.

     DiskController now explicitly rescues InvalidKeyError with appropriate
     HTTP status codes.

     [CVE-2026-33195]

     Mike Dalessio

   * Prevent glob injection in DiskService#delete_prefixed.

     Escape glob metacharacters in the resolved path before passing to
     Dir.glob.

     Note that this change breaks any existing code that is relying on
     delete_prefixed to expand glob metacharacters. This change presumes
     that is unintended behavior (as other storage services do not respect
     these metacharacters).

     [CVE-2026-33202]

     Mike Dalessio

   Active Model
   Active Record
   Action Pack
   Active Job
   Action Mailer
   Action Cable
   Action Mailbox
   Action Text
   Railties

   * No change except version.

---
   Module Name: pkgsrc
   Committed By: taca
   Date: Sun Mar 29 14:26:36 UTC 2026

   Modified Files:
      pkgsrc/lang/ruby: rails.mk

   Log Message:
   lang/ruby: update rails to 7.2.3.1

   Make sure to update rails72 to 7.2.3.1.
@
text
@d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (actiontext-7.2.3.1.gem) = 57277abde78ee88f745cd0f5d6e7d447ec60b1dfc649f5901fc3e98c76fe6cd6 SHA512 (actiontext-7.2.3.1.gem) = 0df829d0b64bbad6d6fd6f0af32e994af9583f0f5a2b2fd741ff043a795b66620f0d41f75aa2e52d2f6e374a8da6627dfd9bbbfe17a4ec3037642d92409044b3 Size (actiontext-7.2.3.1.gem) = 137216 bytes @


1.2
log
@www/ruby-rails72: update to 7.2.2.2

Ruby on Rails 7.2.2.2 (2025-08-13)

Active Record

* Call inspect on ids in RecordNotFound error

  [CVE-2025-55193]

  Gannon McGibbon, John Hawthorn

Active Storage

* Remove dangerous transformations

  [CVE-2025-24293]

  Zack Deveau
@
text
@d1 1 a1 1 $NetBSD: distinfo,v 1.1 2024/12/13 17:02:57 taca Exp $ d3 3 a5 3 BLAKE2s (actiontext-7.2.2.2.gem) = 9c84f5de215a71e3d865dc2122f1f902f541e428fe2ba9d62bd47aaab7ac2837 SHA512 (actiontext-7.2.2.2.gem) = 30896706a4a3df652e5519f2cc2e972bd17f0f4d4c74b7bb716bf65861c6b8a4a13bf103612b6449d399a456da8812ea428649c35258ad8d481631b79563d9e7 Size (actiontext-7.2.2.2.gem) = 137216 bytes @


1.1
log
@textproc/ruby-actiontext72: add package version 7.2.2.12

Action Text

Action Text brings rich text content and editing to Rails. It includes
the [Trix editor](https://trix-editor.org) that handles everything from
formatting to links to quotes to lists to embedded images and galleries.
The rich text content generated by the Trix editor is saved in its own
RichText model that's associated with any existing Active Record model in
the application. Any embedded images (or other attachments) are
automatically stored using Active Storage and associated with the
included RichText model.
@
text
@d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (actiontext-7.2.2.1.gem) = 7a376326376f5c75177077931ea7f05a9c7caf1778ef57da520322d42586dbb4 SHA512 (actiontext-7.2.2.1.gem) = 2b2e64204ef87188ca940c7215f0bc7d3d52b2743f1f8c69c0acfc8f0ed50e17aed7877ef08b5676faf957a24c705202bf35d5e486644e7f4f4dfcef79d91282 Size (actiontext-7.2.2.1.gem) = 137216 bytes @
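Review bot: the 1.1 log message gives the package version as 7.2.2.12, but all three distinfo lines in the 1.1 text (BLAKE2s, SHA512, Size) name actiontext-7.2.2.1.gem. The version in the message should match the distfile the checksums cover, because the log is what gets searched when tracing which release a revision pinned; a follow-up note correcting it to the distfile's version would remove the ambiguity.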