Hello community,

here is the log from the commit of package rubygem-activesupport-5.2 for 
openSUSE:Factory checked in at 2020-10-05 19:29:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-activesupport-5.2 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-activesupport-5.2.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-activesupport-5.2"

Mon Oct  5 19:29:32 2020 rev:10 rq:838017 version:5.2.4.4

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-activesupport-5.2/rubygem-activesupport-5.2.changes
      2020-05-11 13:38:52.076804922 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-activesupport-5.2.new.4249/rubygem-activesupport-5.2.changes
    2020-10-05 19:29:38.088514445 +0200
@@ -1,0 +2,18 @@
+Fri Sep 25 13:24:20 UTC 2020 - Stephan Kulow <co...@suse.com>
+
+updated to version 5.2.4.4
+ see installed CHANGELOG.md
+
+  ## Rails 5.2.4.4 (September 09, 2020) ##
+  
+  *   No changes.
+  
+  
+  ## Rails 5.2.4.3 (May 18, 2020) ##
+  
+  *   [CVE-2020-8165] Deprecate Marshal.load on raw cache read in 
RedisCacheStore
+  
+  *   [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore
+  
+
+-------------------------------------------------------------------

Old:
----
  activesupport-5.2.4.2.gem

New:
----
  activesupport-5.2.4.4.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-activesupport-5.2.spec ++++++
--- /var/tmp/diff_new_pack.WenxGT/_old  2020-10-05 19:29:39.808516105 +0200
+++ /var/tmp/diff_new_pack.WenxGT/_new  2020-10-05 19:29:39.812516110 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-activesupport-5.2
-Version:        5.2.4.2
+Version:        5.2.4.4
 Release:        0
 %define mod_name activesupport
 %define mod_full_name %{mod_name}-%{version}

++++++ activesupport-5.2.4.2.gem -> activesupport-5.2.4.4.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2020-03-19 17:30:13.000000000 +0100
+++ new/CHANGELOG.md    2020-09-09 20:34:59.000000000 +0200
@@ -1,3 +1,14 @@
+## Rails 5.2.4.4 (September 09, 2020) ##
+
+*   No changes.
+
+
+## Rails 5.2.4.3 (May 18, 2020) ##
+
+*   [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore
+
+*   [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore
+
 ## Rails 5.2.4.1 (December 18, 2019) ##
 
 *   No changes.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/active_support/cache/mem_cache_store.rb 
new/lib/active_support/cache/mem_cache_store.rb
--- old/lib/active_support/cache/mem_cache_store.rb     2020-03-19 
17:30:13.000000000 +0100
+++ new/lib/active_support/cache/mem_cache_store.rb     2020-09-09 
20:34:59.000000000 +0200
@@ -7,7 +7,6 @@
   raise e
 end
 
-require "active_support/core_ext/marshal"
 require "active_support/core_ext/array/extract_options"
 
 module ActiveSupport
@@ -28,14 +27,6 @@
       # Provide support for raw values in the local cache strategy.
       module LocalCacheWithRaw # :nodoc:
         private
-          def read_entry(key, options)
-            entry = super
-            if options[:raw] && local_cache && entry
-              entry = deserialize_entry(entry.value)
-            end
-            entry
-          end
-
           def write_entry(key, entry, options)
             if options[:raw] && local_cache
               raw_entry = Entry.new(entry.value.to_s)
@@ -189,9 +180,8 @@
           key
         end
 
-        def deserialize_entry(raw_value)
-          if raw_value
-            entry = Marshal.load(raw_value) rescue raw_value
+        def deserialize_entry(entry)
+          if entry
             entry.is_a?(Entry) ? entry : Entry.new(entry)
           end
         end
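Review bot: After this change `deserialize_entry` in mem_cache_store.rb only wraps its argument, and nothing in the method records why it must not unmarshal it, so a later refactor could bring back the `Marshal.load` that the CVE-2020-8165 fix removed. Add a comment above the definition, for example `# Wraps a non-Entry value as-is. Never Marshal.load here: raw cache values are untrusted (CVE-2020-8165).` The name now overstates what the method does; presumably it is kept for compatibility with the other stores, which is worth stating in the same comment.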
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/active_support/cache/redis_cache_store.rb 
new/lib/active_support/cache/redis_cache_store.rb
--- old/lib/active_support/cache/redis_cache_store.rb   2020-03-19 
17:30:13.000000000 +0100
+++ new/lib/active_support/cache/redis_cache_store.rb   2020-09-09 
20:34:59.000000000 +0200
@@ -70,14 +70,6 @@
       # Support raw values in the local cache strategy.
       module LocalCacheWithRaw # :nodoc:
         private
-          def read_entry(key, options)
-            entry = super
-            if options[:raw] && local_cache && entry
-              entry = deserialize_entry(entry.value)
-            end
-            entry
-          end
-
           def write_entry(key, entry, options)
             if options[:raw] && local_cache
               raw_entry = Entry.new(serialize_entry(entry, raw: true))
@@ -328,7 +320,8 @@
         # Read an entry from the cache.
         def read_entry(key, options = nil)
           failsafe :read_entry do
-            deserialize_entry redis.with { |c| c.get(key) }
+            raw = options&.fetch(:raw, false)
+            deserialize_entry(redis.with { |c| c.get(key) }, raw: raw)
           end
         end
 
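Review bot: `read_entry` declares `options = nil`, and in that case `options&.fetch(:raw, false)` evaluates to nil rather than false. The comparison `raw != written_raw` added to `deserialize_entry` treats nil and false as different, so an entry written normally and read without options would presumably trigger the deprecation warning on every read. Coerce the flag to a boolean at the call site, e.g. `raw = options&.fetch(:raw, false) || false`. The same expression is added in `read_multi_mget`, where `options` comes from `merged_options` and the safe navigation looks unnecessary.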
@@ -343,6 +336,7 @@
         def read_multi_mget(*names)
           options = names.extract_options!
           options = merged_options(options)
+          raw = options&.fetch(:raw, false)
 
           keys = names.map { |name| normalize_key(name, options) }
 
@@ -352,7 +346,7 @@
 
           names.zip(values).each_with_object({}) do |(name, value), results|
             if value
-              entry = deserialize_entry(value)
+              entry = deserialize_entry(value, raw: raw)
               unless entry.nil? || entry.expired? || 
entry.mismatched?(normalize_version(name, options))
                 results[name] = entry.value
               end
@@ -421,9 +415,20 @@
           end
         end
 
-        def deserialize_entry(serialized_entry)
+        def deserialize_entry(serialized_entry, raw:)
           if serialized_entry
             entry = Marshal.load(serialized_entry) rescue serialized_entry
+
+            written_raw = serialized_entry.equal?(entry)
+            if raw != written_raw
+              ActiveSupport::Deprecation.warn(<<-MSG.squish)
+                Using a different value for the raw option when reading and 
writing
+                to a cache key is deprecated for :redis_cache_store and Rails 
6.0
+                will stop automatically detecting the format when reading to 
avoid
+                marshal loading untrusted raw strings.
+              MSG
+            end
+
             entry.is_a?(Entry) ? entry : Entry.new(entry)
           end
         end
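Review bot: `Marshal.load(serialized_entry)` still runs on every read, including reads with `raw: true`, and the new deprecation warning is only evaluated after the load has happened. This release therefore reports a raw/non-raw mismatch but does not stop a raw string from being unmarshalled. Until format auto-detection is removed (the message names Rails 6.0), a store whose raw values can be influenced by untrusted parties stays exposed to the deserialization issue tracked as CVE-2020-8165. Consider skipping the load when the caller asked for raw, e.g. `entry = raw ? serialized_entry : (Marshal.load(serialized_entry) rescue serialized_entry)`, accepting that entries written non-raw and read raw would then come back as bytes. At minimum, add a comment above the method stating that the warning is not a mitigation.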
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/active_support/gem_version.rb 
new/lib/active_support/gem_version.rb
--- old/lib/active_support/gem_version.rb       2020-03-19 17:30:13.000000000 
+0100
+++ new/lib/active_support/gem_version.rb       2020-09-09 20:34:59.000000000 
+0200
@@ -10,7 +10,7 @@
     MAJOR = 5
     MINOR = 2
     TINY  = 4
-    PRE   = "2"
+    PRE   = "4"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2020-03-19 17:30:13.000000000 +0100
+++ new/metadata        2020-09-09 20:34:59.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activesupport
 version: !ruby/object:Gem::Version
-  version: 5.2.4.2
+  version: 5.2.4.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-19 00:00:00.000000000 Z
+date: 2020-09-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: i18n
@@ -333,8 +333,8 @@
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.4.2/activesupport
-  changelog_uri: 
https://github.com/rails/rails/blob/v5.2.4.2/activesupport/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.4.4/activesupport
+  changelog_uri: 
https://github.com/rails/rails/blob/v5.2.4.4/activesupport/CHANGELOG.md
 post_install_message: 
 rdoc_options:
 - "--encoding"
@@ -352,7 +352,7 @@
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: A toolkit of support libraries and Ruby core extensions extracted 
from the

