Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rubygem-activerecord-7.0 for
openSUSE:Factory checked in at 2022-08-06 22:07:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-activerecord-7.0 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-activerecord-7.0.new.1521 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-activerecord-7.0"
Sat Aug 6 22:07:45 2022 rev:5 rq:993457 version:7.0.3.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-activerecord-7.0/rubygem-activerecord-7.0.changes
2022-05-16 18:10:57.593394713 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-activerecord-7.0.new.1521/rubygem-activerecord-7.0.changes
2022-08-06 22:07:51.802605146 +0200
@@ -1,0 +2,35 @@
+Thu Aug 4 12:52:32 UTC 2022 - Stephan Kulow <[email protected]>
+
+updated to version 7.0.3.1
+ see installed CHANGELOG.md
+
+ ## Rails 7.0.3.1 (July 12, 2022) ##
+
+ * Change ActiveRecord::Coders::YAMLColumn default to safe_load
+
+ This adds two new configuration options The configuration options are as
+ follows:
+
+ * `config.active_storage.use_yaml_unsafe_load`
+
+ When set to true, this configuration option tells Rails to use the old
+ "unsafe" YAML loading strategy, maintaining the existing behavior but
leaving
+ the possible escalation vulnerability in place. Setting this option to
true
+ is *not* recommended, but can aid in upgrading.
+
+ * `config.active_record.yaml_column_permitted_classes`
+
+ The "safe YAML" loading method does not allow all classes to be
deserialized
+ by default. This option allows you to specify classes deemed "safe" in
your
+ application. For example, if your application uses Symbol and Time in
+ serialized data, you can add Symbol and Time to the allowed list as
follows:
+
+ ```
+ config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+ ```
+
+ [CVE-2022-32224]
+
+
+
+-------------------------------------------------------------------
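Review bot: the option name `config.active_storage.use_yaml_unsafe_load` in this entry is in the wrong namespace; the railtie.rb hunk further down reads `app.config.active_record.use_yaml_unsafe_load`, and the sibling option in the same list is correctly given as `config.active_record.yaml_column_permitted_classes`. Since the package owns this .changes file, suggest correcting the copied text to `config.active_record.use_yaml_unsafe_load` so that anyone following the upgrade note sets a key that is actually read.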
Old:
----
activerecord-7.0.3.gem
New:
----
activerecord-7.0.3.1.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-activerecord-7.0.spec ++++++
--- /var/tmp/diff_new_pack.4g90Po/_old 2022-08-06 22:07:53.234609309 +0200
+++ /var/tmp/diff_new_pack.4g90Po/_new 2022-08-06 22:07:53.238609321 +0200
@@ -24,7 +24,7 @@
#
Name: rubygem-activerecord-7.0
-Version: 7.0.3
+Version: 7.0.3.1
Release: 0
%define mod_name activerecord
%define mod_full_name %{mod_name}-%{version}
++++++ activerecord-7.0.3.gem -> activerecord-7.0.3.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2022-05-09 15:40:02.000000000 +0200
+++ new/CHANGELOG.md 2022-07-12 19:30:22.000000000 +0200
@@ -1,3 +1,31 @@
+## Rails 7.0.3.1 (July 12, 2022) ##
+
+* Change ActiveRecord::Coders::YAMLColumn default to safe_load
+
+ This adds two new configuration options The configuration options are as
+ follows:
+
+ * `config.active_storage.use_yaml_unsafe_load`
+
+ When set to true, this configuration option tells Rails to use the old
+ "unsafe" YAML loading strategy, maintaining the existing behavior but
leaving
+ the possible escalation vulnerability in place. Setting this option to
true
+ is *not* recommended, but can aid in upgrading.
+
+ * `config.active_record.yaml_column_permitted_classes`
+
+ The "safe YAML" loading method does not allow all classes to be
deserialized
+ by default. This option allows you to specify classes deemed "safe" in
your
+ application. For example, if your application uses Symbol and Time in
+ serialized data, you can add Symbol and Time to the allowed list as
follows:
+
+ ```
+ config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+ ```
+
+ [CVE-2022-32224]
+
+
## Rails 7.0.3 (May 09, 2022) ##
* Some internal housekeeping on reloads could break custom `respond_to?`
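Review bot: the prose and the example in this hunk disagree: the sentence names Symbol and Time, while the snippet sets `[Symbol, Date, Time]`. Either drop `Date` from the snippet or mention it in the sentence; `Date` is common in serialized attributes, so keeping it in both places is the more useful fix. The sentence "This adds two new configuration options The configuration options are as follows:" is also missing a period, and `config.active_storage.use_yaml_unsafe_load` should read `config.active_record.use_yaml_unsafe_load` to match what railtie.rb reads. This is the upstream CHANGELOG, so these fixes belong upstream rather than in the package.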
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_record/coders/yaml_column.rb
new/lib/active_record/coders/yaml_column.rb
--- old/lib/active_record/coders/yaml_column.rb 2022-05-09 15:40:02.000000000
+0200
+++ new/lib/active_record/coders/yaml_column.rb 2022-07-12 19:30:22.000000000
+0200
@@ -45,13 +45,15 @@
raise ArgumentError, "Cannot serialize #{object_class}. Classes
passed to `serialize` must have a 0 argument constructor."
end
- if YAML.respond_to?(:unsafe_load)
- def yaml_load(payload)
- YAML.unsafe_load(payload)
- end
- else
- def yaml_load(payload)
- YAML.load(payload)
+ def yaml_load(payload)
+ if !ActiveRecord.use_yaml_unsafe_load
+ YAML.safe_load(payload, permitted_classes:
ActiveRecord.yaml_column_permitted_classes, aliases: true)
+ else
+ if YAML.respond_to?(:unsafe_load)
+ YAML.unsafe_load(payload)
+ else
+ YAML.load(payload)
+ end
end
end
end
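Review bot: the safe branch `YAML.safe_load(payload, permitted_classes: ..., aliases: true)` raises `Psych::DisallowedClass` for any tag not in the permitted list, so rows serialized before this upgrade that contain Symbol, Time or Date values will fail on read until `yaml_column_permitted_classes` is configured; the method should either document that exception or the upgrade note should name it so operators can recognise it in logs. `aliases: true` is needed because Ruby object graphs with shared references are dumped with anchors, which is worth a one-line comment. Stylistically, `if !ActiveRecord.use_yaml_unsafe_load ... else` reads better inverted, with the unsafe path in the `if` and `safe_load` as the `else`, so the default is the last thing the reader sees.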
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_record/gem_version.rb
new/lib/active_record/gem_version.rb
--- old/lib/active_record/gem_version.rb 2022-05-09 15:40:02.000000000
+0200
+++ new/lib/active_record/gem_version.rb 2022-07-12 19:30:22.000000000
+0200
@@ -10,7 +10,7 @@
MAJOR = 7
MINOR = 0
TINY = 3
- PRE = nil
+ PRE = "1"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_record/railtie.rb
new/lib/active_record/railtie.rb
--- old/lib/active_record/railtie.rb 2022-05-09 15:40:02.000000000 +0200
+++ new/lib/active_record/railtie.rb 2022-07-12 19:30:22.000000000 +0200
@@ -403,5 +403,23 @@
end
end
end
+
+ initializer "active_record.use_yaml_unsafe_load" do |app|
+ config.after_initialize do
+ unless app.config.active_record.use_yaml_unsafe_load.nil?
+ ActiveRecord.use_yaml_unsafe_load =
+ app.config.active_record.use_yaml_unsafe_load
+ end
+ end
+ end
+
+ initializer "active_record.yaml_column_permitted_classes" do |app|
+ config.after_initialize do
+ unless app.config.active_record.yaml_column_permitted_classes.nil?
+ ActiveRecord.yaml_column_permitted_classes =
+ app.config.active_record.yaml_column_permitted_classes
+ end
+ end
+ end
end
end
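Review bot: both initializers copy the values inside `config.after_initialize`, so the globals keep their defaults (`use_yaml_unsafe_load = false`, `yaml_column_permitted_classes = []`) for the whole initialization phase; a `serialize`d column read from an initializer, or from an `after_initialize` block registered earlier, is deserialized under those defaults and may raise `Psych::DisallowedClass` even in an application that has configured the permitted list. If that ordering is intended (the safe default applying until the app has fully booted), a comment saying so would help; otherwise consider assigning in the initializer body. The `unless ....nil?` guards are right: an explicit `false` or `[]` is honoured rather than treated as unset.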
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_record.rb new/lib/active_record.rb
--- old/lib/active_record.rb 2022-05-09 15:40:02.000000000 +0200
+++ new/lib/active_record.rb 2022-07-12 19:30:22.000000000 +0200
@@ -340,6 +340,20 @@
singleton_class.attr_accessor :query_transformers
self.query_transformers = []
+ ##
+ # :singleton-method:
+ # Application configurable boolean that instructs the YAML Coder to use
+ # an unsafe load if set to true.
+ singleton_class.attr_accessor :use_yaml_unsafe_load
+ self.use_yaml_unsafe_load = false
+
+ ##
+ # :singleton-method:
+ # Application configurable array that provides additional permitted classes
+ # to Psych safe_load in the YAML Coder
+ singleton_class.attr_accessor :yaml_column_permitted_classes
+ self.yaml_column_permitted_classes = []
+
def self.eager_load!
super
ActiveRecord::Locking.eager_load!
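Review bot: the rdoc for `yaml_column_permitted_classes` should state what an empty array means: Psych's safe_load then accepts only its built-in types (TrueClass, FalseClass, NilClass, Integer, Float, String, Array, Hash), which is what makes `[]` a safe default and also what breaks previously serialized Symbol, Time or Date values. It would also help to say that entries may be Class objects or class-name strings, since Psych's `permitted_classes:` accepts either. The `use_yaml_unsafe_load` comment correctly describes it as a boolean; `false` as the default is the right choice.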
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2022-05-09 15:40:02.000000000 +0200
+++ new/metadata 2022-07-12 19:30:22.000000000 +0200
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: activerecord
version: !ruby/object:Gem::Version
- version: 7.0.3
+ version: 7.0.3.1
platform: ruby
authors:
- David Heinemeier Hansson
autorequire:
bindir: bin
cert_chain: []
-date: 2022-05-09 00:00:00.000000000 Z
+date: 2022-07-12 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: activesupport
@@ -16,28 +16,28 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.3
+ version: 7.0.3.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.3
+ version: 7.0.3.1
- !ruby/object:Gem::Dependency
name: activemodel
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.3
+ version: 7.0.3.1
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.3
+ version: 7.0.3.1
description: Databases on Rails. Build a persistent domain model by mapping
database
tables to Ruby classes. Strong conventions for associations, validations,
aggregations,
migrations, and testing come baked-in.
@@ -434,10 +434,10 @@
- MIT
metadata:
bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri:
https://github.com/rails/rails/blob/v7.0.3/activerecord/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v7.0.3/
+ changelog_uri:
https://github.com/rails/rails/blob/v7.0.3.1/activerecord/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v7.0.3.1/
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v7.0.3/activerecord
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.3.1/activerecord
rubygems_mfa_required: 'true'
post_install_message:
rdoc_options:
@@ -456,7 +456,7 @@
- !ruby/object:Gem::Version
version: '0'
requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.3
signing_key:
specification_version: 4
summary: Object-relational mapper framework (part of Rails).
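Review bot: `rubygems_version` goes from 3.3.7 to 3.3.3, meaning the 7.0.3.1 gem was packaged with an older RubyGems than 7.0.3. This is build-tool metadata only and does not affect the installed gem, but it is worth a glance when checking provenance of a security patch release, which is normally built with the same or a newer toolchain.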