Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-activerecord-8.0 for openSUSE:Factory checked in at 2025-08-21 17:00:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-activerecord-8.0 (Old) and /work/SRC/openSUSE:Factory/.rubygem-activerecord-8.0.new.29662 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-activerecord-8.0" Thu Aug 21 17:00:23 2025 rev:4 rq:1300756 version:8.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-activerecord-8.0/rubygem-activerecord-8.0.changes 2025-01-21 21:10:27.370931262 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-activerecord-8.0.new.29662/rubygem-activerecord-8.0.changes 2025-08-21 17:00:34.765106206 +0200 @@ -1,0 +2,6 @@ +Tue Aug 19 12:04:21 UTC 2025 - Aleksei Burlakov <aburla...@suse.com> + +- Add CVE-2025-55193.patch (bsc#1248106) + IDs passed to `find` or similar methods may be logged without escaping + +------------------------------------------------------------------- New: ---- CVE-2025-55193.patch ----------(New B)---------- New: - Add CVE-2025-55193.patch (bsc#1248106) IDs passed to `find` or similar methods may be logged without escaping ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-activerecord-8.0.spec ++++++ --- /var/tmp/diff_new_pack.gsU5DT/_old 2025-08-21 17:00:35.969156626 +0200 +++ /var/tmp/diff_new_pack.gsU5DT/_new 2025-08-21 17:00:35.969156626 +0200 @@ -36,6 +36,7 @@ URL: https://rubyonrails.org Source: https://rubygems.org/gems/%{mod_full_name}.gem Source1: gem2rpm.yml +Patch0: CVE-2025-55193.patch Summary: Object-relational mapper framework (part of Rails) License: MIT @@ -45,6 +46,10 @@ aggregations, migrations, and testing come baked-in. %prep +%gem_unpack +%patch -P 0 -p1 +find -type f -print0 | xargs -0 touch -r %{S:0} +%gem_build %build ++++++ CVE-2025-55193.patch ++++++ Index: activerecord-8.0.1/lib/active_record/core.rb =================================================================== --- activerecord-8.0.1.orig/lib/active_record/core.rb +++ activerecord-8.0.1/lib/active_record/core.rb 
@@ -266,7 +266,7 @@ module ActiveRecord return super if StatementCache.unsupported_value?(id) cached_find_by([primary_key], [id]) || - raise(RecordNotFound.new("Couldn't find #{name} with '#{primary_key}'=#{id}", name, primary_key, id)) + raise(RecordNotFound.new("Couldn't find #{name} with '#{primary_key}'=#{id.inspect}", name, primary_key, id)) end def find_by(*args) # :nodoc: Index: activerecord-8.0.1/lib/active_record/relation/finder_methods.rb =================================================================== --- activerecord-8.0.1.orig/lib/active_record/relation/finder_methods.rb +++ activerecord-8.0.1/lib/active_record/relation/finder_methods.rb @@ -424,12 +424,13 @@ module ActiveRecord error << " with#{conditions}" if conditions raise RecordNotFound.new(error, name, key) elsif Array.wrap(ids).size == 1 - error = "Couldn't find #{name} with '#{key}'=#{ids}#{conditions}" + id = Array.wrap(ids)[0] + error = "Couldn't find #{name} with '#{key}'=#{id.inspect}#{conditions}" raise RecordNotFound.new(error, name, key, ids) else error = +"Couldn't find all #{name.pluralize} with '#{key}': " - error << "(#{ids.join(", ")})#{conditions} (found #{result_size} results, but was looking for #{expected_size})." - error << " Couldn't find #{name.pluralize(not_found_ids.size)} with #{key.to_s.pluralize(not_found_ids.size)} #{not_found_ids.join(', ')}." if not_found_ids + error << "(#{ids.map(&:inspect).join(", ")})#{conditions} (found #{result_size} results, but was looking for #{expected_size})." + error << " Couldn't find #{name.pluralize(not_found_ids.size)} with #{key.to_s.pluralize(not_found_ids.size)} #{not_found_ids.map(&:inspect).join(', ')}." if not_found_ids raise RecordNotFound.new(error, name, key, ids) end end
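Review bot: The raw `id` is still passed to the exception as its fourth argument in `RecordNotFound.new("...", name, primary_key, id)`, so the new `#{id.inspect}` escapes the message text only. The same applies to `raise RecordNotFound.new(error, name, key, ids)` in both changed branches of finder_methods.rb. A rescue handler or log formatter that builds its own line from the exception's `id` attribute instead of `message` would presumably still write the unescaped value, so I would add a comment above the raise: `# id is escaped in the message only; the exception keeps the raw value, so callers that log it must use inspect too`. String ids also now render quoted in the message (for example `'id'="abc"` where it used to read `'id'=abc`), which log parsers or alert rules matching the old text may need to account for. The enclosing method starts outside the hunk.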
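Review bot: `#{conditions}` is still interpolated into the message as-is in all three branches visible here (`" with#{conditions}"`, the single-id message and the "Couldn't find all" message), while only the ids go through `inspect`. Its definition and the start of the method lie outside the hunk, so these lines do not show whether it can carry caller-supplied text. If it can, it needs the same escaping before the message reaches a log; if it cannot, a comment such as `# conditions is built from the relation's own SQL, not from raw caller input` would record why it is left alone. The patch as packaged has no test hunk, so a regression test asserting that an id containing a control character appears in `message` only in its `inspect` form would help keep the fix intact across rebases.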