Hello community,

here is the log from the commit of package rubygem-activejob-4_2 for 
openSUSE:Factory checked in at 2019-01-21 10:27:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-activejob-4_2 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-activejob-4_2.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-activejob-4_2"

Mon Jan 21 10:27:06 2019 rev:15 rq:656400 version:4.2.11

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-activejob-4_2/rubygem-activejob-4_2.changes  
    2017-12-07 13:51:44.329857065 +0100
+++ 
/work/SRC/openSUSE:Factory/.rubygem-activejob-4_2.new.28833/rubygem-activejob-4_2.changes
   2019-01-21 10:27:11.765629231 +0100
@@ -1,0 +2,17 @@
+Sat Dec  8 16:14:18 UTC 2018 - Stephan Kulow <[email protected]>
+
+- updated to version 4.2.11
+ see installed CHANGELOG.md
+
+  ## Rails 4.2.11 (November 27, 2018) ##
+  
+  *   Do not deserialize GlobalID objects that were not generated by Active 
Job.
+  
+      Trusting any GlobaID object when deserializing jobs can allow attackers 
to access
+      information that should not be accessible to them.
+  
+      Fix CVE-2018-16476.
+  
+      *Rafael Mendonça França*
+
+-------------------------------------------------------------------
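
Review bot: The packager's own bullet in this .changes entry says only "updated to version 4.2.11", and the security fix appears solely inside the pasted upstream text ("Fix CVE-2018-16476."). Name the CVE in the top-level bullet, together with the distribution bug reference if one exists, so that anyone scanning the changes file for security updates finds it without reading the quoted changelog.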

Old:
----
  activejob-4.2.10.gem

New:
----
  activejob-4.2.11.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-activejob-4_2.spec ++++++
--- /var/tmp/diff_new_pack.VPi2NY/_old  2019-01-21 10:27:12.237628713 +0100
+++ /var/tmp/diff_new_pack.VPi2NY/_new  2019-01-21 10:27:12.237628713 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-activejob-4_2
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-activejob-4_2
-Version:        4.2.10
+Version:        4.2.11
 Release:        0
 %define mod_name activejob
 %define mod_full_name %{mod_name}-%{version}

++++++ activejob-4.2.10.gem -> activejob-4.2.11.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2017-09-27 16:28:43.000000000 +0200
+++ new/CHANGELOG.md    2018-11-27 21:06:16.000000000 +0100
@@ -1,3 +1,15 @@
+## Rails 4.2.11 (November 27, 2018) ##
+
+*   Do not deserialize GlobalID objects that were not generated by Active Job.
+
+    Trusting any GlobaID object when deserializing jobs can allow attackers to 
access
+    information that should not be accessible to them.
+
+    Fix CVE-2018-16476.
+
+    *Rafael Mendonça França*
+
+
 ## Rails 4.2.10 (September 27, 2017) ##
 
 *   No changes.
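
Review bot: The new 4.2.11 entry misspells "GlobalID" as "GlobaID" in its second paragraph, and it does not say what changes for callers. Per the arguments.rb hunk in this same diff, String arguments are no longer passed through GlobalID::Locator.locate, so the entry should state that a plain string is now always deserialized as a string. That is the detail an upgrader needs in order to judge the impact on jobs already sitting in a queue.
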
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/active_job/arguments.rb 
new/lib/active_job/arguments.rb
--- old/lib/active_job/arguments.rb     2017-09-27 16:28:43.000000000 +0200
+++ new/lib/active_job/arguments.rb     2018-11-27 21:06:16.000000000 +0100
@@ -75,7 +75,7 @@
       def deserialize_argument(argument)
         case argument
         when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
         when *TYPE_WHITELIST
           argument
         when Array
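
Review bot: The `when String` branch now returns the argument unchanged, but no test or comment accompanies the change in this diff, and nothing marks the removal of the `GlobalID::Locator.locate(argument) || argument` fallback as deliberate. Add a short comment on the branch saying that strings are never resolved to records, and a regression test asserting that a string shaped like a GlobalID URI comes back from deserialize_argument as a String, so the lookup is not reintroduced later. Note for deployers: any payload still in a queue that carries a record reference as a bare string will reach the job as a String after this update, so draining queues before upgrading is worth recommending.
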
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/active_job/gem_version.rb 
new/lib/active_job/gem_version.rb
--- old/lib/active_job/gem_version.rb   2017-09-27 16:28:43.000000000 +0200
+++ new/lib/active_job/gem_version.rb   2018-11-27 21:06:16.000000000 +0100
@@ -7,7 +7,7 @@
   module VERSION
     MAJOR = 4
     MINOR = 2
-    TINY  = 10
+    TINY  = 11
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2017-09-27 16:28:43.000000000 +0200
+++ new/metadata        2018-11-27 21:06:16.000000000 +0100
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activejob
 version: !ruby/object:Gem::Version
-  version: 4.2.10
+  version: 4.2.11
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-09-27 00:00:00.000000000 Z
+date: 2018-11-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.10
+        version: 4.2.11
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.10
+        version: 4.2.11
 - !ruby/object:Gem::Dependency
   name: globalid
   requirement: !ruby/object:Gem::Requirement
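
Review bot: The activesupport runtime dependency in this hunk is pinned with '=' to 4.2.11, so this package cannot be installed unless the matching activesupport 4.2.11 package is present in the same repository state. Confirm that the corresponding activesupport update is part of the same submission group as rq:656400; otherwise the security fix stays uninstallable until it lands.
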
@@ -98,7 +98,7 @@
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Job framework with pluggable queues.

