---
- branch: MAIN
  date: Wed Feb 3 15:44:36 UTC 2021
  files:
  - new: '1.20'
    old: '1.19'
    path: pkgsrc/www/ruby-mechanize/Makefile
    pathrev: pkgsrc/www/ruby-mechanize/Makefile@1.20
    type: modified
  - new: '1.14'
    old: '1.13'
    path: pkgsrc/www/ruby-mechanize/PLIST
    pathrev: pkgsrc/www/ruby-mechanize/PLIST@1.14
    type: modified
  - new: '1.15'
    old: '1.14'
    path: pkgsrc/www/ruby-mechanize/distinfo
    pathrev: pkgsrc/www/ruby-mechanize/distinfo@1.15
    type: modified
  id: 20210203T154436Z.b6b84a505e64c12e9606d2aad5a2cac7a9369371
  log: |
    www/ruby-mechanize: update to 2.7.7

    pkgsrc change: add "USE_LANGUAGES=	# empty"

    2.7.7 / 2021-02-01

    * Security fixes for CVE-2021-21289

      Mechanize `>= v2.0`, `< v2.7.7` allows for OS commands to be injected
      into several classes' methods via implicit use of Ruby's `Kernel.open`
      method. Exploitation is possible only if untrusted input is used as a
      local filename and passed to any of these calls:

      - `Mechanize::CookieJar#load`: since v2.0 (see 208e3ed)
      - `Mechanize::CookieJar#save_as`: since v2.0 (see 5b776a4)
      - `Mechanize#download`: since v2.2 (see dc91667)
      - `Mechanize::Download#save` and `#save!` since v2.1 (see 98b2f51, bd62ff0)
      - `Mechanize::File#save` and `#save_as`: since v2.1 (see 2bf7519)
      - `Mechanize::FileResponse#read_body`: since v2.0 (see 01039f5)

      See
      github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g
      for more information.

      Also see #547, #548. Thank you, @kyoshidajp!

    New Features

    * Support for Ruby 3.0 by adding `webrick` as a runtime dependency. (#557)
      @pvalena

    Bug fix

    * Ignore input fields with blank names (#542, #536)
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/ruby-mechanize'
  unixtime: '1612367076'
  user: taca