| Field | Value | Date |
|---|---|---|
| author | Louise Crow <louise.crow@gmail.com> | 2013-01-15 14:27:30 +0000 |
| committer | Louise Crow <louise.crow@gmail.com> | 2013-01-15 14:27:30 +0000 |
| commit | 8e6cbf8713ffdeaa6936338d023d61c53f5736c4 | |
| tree | be918b76d998ac93d3d295e705b0d17fc9181bfd | |
| parent | 78343be149c8251996fd29fc55f9156f747b1c5c | |
Add note on Rails security upgrades to change file.
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | doc/CHANGES.md | 1 |

1 files changed, 1 insertions, 0 deletions
diff --git a/doc/CHANGES.md b/doc/CHANGES.md index 0c293db78..2c8692bb5 100644 --- a/doc/CHANGES.md +++ b/doc/CHANGES.md @@ -2,6 +2,7 @@ ## Highlighted features * [Security] Fix for security issue where image files from HTML conversion on hidden/requester-only requests were accessible without authentication [issue #739](https://github.com/mysociety/alaveteli/issues/739). * [Security] Fix for issue where the zip file download function was available for logged-in users even on hidden/requester-only requests [issue #743](https://github.com/mysociety/alaveteli/issues/743) +* [Security] Upgrades to Rails 2.3.15 to get fixes for Rails security flaws CVE-2012-5664 and CVE-2013-0156. In addition, switches to use Rails pulled from a clone in the mySociety github account, which has had the CVE-2013-0155 2.3 series patch applied to it. * Isolation of mail handling code in the MailHandler module in lib/mail_handler * Tests run under Ruby 1.9.3 - *running the app under 1.9 not yet advised*. * Routes without a locale part can be enabled for the default locale - see upgrade notes |
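Review bot: the new `[Security]` entry leaves a deployer unable to verify what they are getting. The two `[Security]` entries above it each link to an issue (#739, #743), but this one gives neither the repository URL nor the pinned commit or tag of the mySociety Rails clone that is said to carry the CVE-2013-0155 2.3-series patch, so there is no way to confirm from the changelog that the clone actually contains that fix. Because switching where Rails is pulled from is a deployment change and not just a version bump, the entry should also point at the upgrade notes the way the locale-routes entry already does, e.g. `* [Security] Upgrades to Rails 2.3.15 ... pulled from <clone repository URL> at <pinned ref> - see upgrade notes` (both placeholders to be filled in by the author).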