Hello community,

here is the log from the commit of package rubygem-activejob-5.2 for 
openSUSE:Factory checked in at 2018-12-06 12:17:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-activejob-5.2 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-activejob-5.2.new.19453 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-activejob-5.2"

Thu Dec  6 12:17:56 2018 rev:3 rq:655330 version:5.2.1.1

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-activejob-5.2/rubygem-activejob-5.2.changes  
    2018-08-12 20:53:24.629228260 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-activejob-5.2.new.19453/rubygem-activejob-5.2.changes
   2018-12-06 12:17:57.817478144 +0100
@@ -1,0 +2,18 @@
+Mon Dec  3 06:20:11 UTC 2018 - [email protected]
+ 
+- updated to version 5.2.1.1 (boo#1118076)
+
+- addresses a security vulnerability (CVE-2018-16476, bsc#1117632)
+
+  Carefully crafted user input can cause Active Job to deserialize
+  it using GlobalId and allow an attacker to have access to
+  information that they should not have.
+
+  Vulnerable code will look something like this:
+
+      MyJob.perform_later(user_input)
+
+  All users running an affected release should either upgrade
+  or use one of the workarounds immediately.
+
+-------------------------------------------------------------------
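Review bot: the entry tells affected users to "either upgrade or use one of the workarounds immediately" but names no workaround and links no advisory, so a packager reading only this changes file cannot act on the second option; since the package itself is the upgrade, either drop the workaround clause or point at where the upstream advisory documents the workaround. The bug references (boo#1118076, bsc#1117632) and the CVE id are present, which is good.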

Old:
----
  activejob-5.2.1.gem

New:
----
  activejob-5.2.1.1.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-activejob-5.2.spec ++++++
--- /var/tmp/diff_new_pack.hJVIsy/_old  2018-12-06 12:17:58.385477534 +0100
+++ /var/tmp/diff_new_pack.hJVIsy/_new  2018-12-06 12:17:58.385477534 +0100
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-activejob-5.2
-Version:        5.2.1
+Version:        5.2.1.1
 Release:        0
 %define mod_name activejob
 %define mod_full_name %{mod_name}-%{version}

++++++ activejob-5.2.1.gem -> activejob-5.2.1.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2018-08-07 23:42:10.000000000 +0200
+++ new/CHANGELOG.md    2018-11-27 21:12:22.000000000 +0100
@@ -1,3 +1,15 @@
+## Rails 5.2.1.1 (November 27, 2018) ##
+
+*   Do not deserialize GlobalID objects that were not generated by Active Job.
+
+    Trusting any GlobaID object when deserializing jobs can allow attackers to 
access
+    information that should not be accessible to them.
+
+    Fix CVE-2018-16476.
+
+    *Rafael Mendonça França*
+
+
 ## Rails 5.2.1 (August 07, 2018) ##
 
 *   Pass the error instance as the second parameter of block executed by 
`discard_on`.
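Review bot: typo in the added bullet "Trusting any GlobaID object when deserializing jobs": "GlobaID" should read "GlobalID", as it is spelled correctly one line earlier. This is upstream CHANGELOG text shipped inside the gem rather than something the package can patch, but it is worth reporting upstream.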
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/active_job/arguments.rb 
new/lib/active_job/arguments.rb
--- old/lib/active_job/arguments.rb     2018-08-07 23:42:10.000000000 +0200
+++ new/lib/active_job/arguments.rb     2018-11-27 21:12:22.000000000 +0100
@@ -77,7 +77,7 @@
       def deserialize_argument(argument)
         case argument
         when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
         when *TYPE_WHITELIST
           argument
         when Array
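Review bot: the removed line passed every String argument through `GlobalID::Locator.locate(argument)` before falling back to the string itself, so a string that happened to be a well-formed gid URI came back as the referenced record instead of the string the caller enqueued; that is the CVE-2018-16476 path the changes file describes. The replacement `argument` makes a String deserialize as a String. Two things to confirm from the rest of `deserialize_argument`, which this hunk does not show: (1) objects that Active Job itself serialized via GlobalID must still be resolved by another branch of this `case`, otherwise legitimate model arguments would now arrive as plain strings; (2) if `TYPE_WHITELIST` already includes String, the dedicated `when String` branch is now redundant with `when *TYPE_WHITELIST` and could be folded into it. A regression test asserting that `deserialize_argument` returns a constructed gid-style string (for example `"gid://placeholder-app/Model/1"`) unchanged would pin the fix against future refactoring.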
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/active_job/gem_version.rb 
new/lib/active_job/gem_version.rb
--- old/lib/active_job/gem_version.rb   2018-08-07 23:42:10.000000000 +0200
+++ new/lib/active_job/gem_version.rb   2018-11-27 21:12:22.000000000 +0100
@@ -10,7 +10,7 @@
     MAJOR = 5
     MINOR = 2
     TINY  = 1
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
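Review bot: the bump reuses the `PRE` slot, normally reserved for a prerelease tag, to add a fourth numeric segment. Because `Gem::Version` only treats versions that contain letters as prereleases, `"5.2.1.1"` sorts as a normal release above 5.2.1, which is the intended result; a short comment on the `PRE = "1"` line saying this is a security point release rather than a prerelease would spare the next reader the same check.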
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2018-08-07 23:42:10.000000000 +0200
+++ new/metadata        2018-11-27 21:12:22.000000000 +0100
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activejob
 version: !ruby/object:Gem::Version
-  version: 5.2.1
+  version: 5.2.1.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-07 00:00:00.000000000 Z
+date: 2018-11-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.1
+        version: 5.2.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.1
+        version: 5.2.1.1
 - !ruby/object:Gem::Dependency
   name: globalid
   requirement: !ruby/object:Gem::Requirement
@@ -86,8 +86,8 @@
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.1/activejob
-  changelog_uri: 
https://github.com/rails/rails/blob/v5.2.1/activejob/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.1.1/activejob
+  changelog_uri: 
https://github.com/rails/rails/blob/v5.2.1.1/activejob/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:

